SOC 2 Compliance Checklist

151 controls mapped to AICPA Trust Services Criteria with evidence collection guidance.

$79
🔒 Secure Checkout ⚡ Instant Download 📝 Fully Editable ✅ 30-Day Money-Back Guarantee

About This Template

SOC 2 audits are intimidating if you've never done one. This kit gives you a complete readiness checklist — 151 controls mapped to all 5 Trust Services Criteria categories (Security, Availability, Processing Integrity, Confidentiality, Privacy), with evidence collection guidance, an observation period tracker, and a gap assessment framework. Comes with a 36-page guide covering the SOC 2 process, what auditors actually look for, and a 90-day readiness plan for teams doing this for the first time.

The evidence collection guidance is the part that saves you the most time — for each control, it tells you exactly what artifact the auditor will want to see, where to find it, and what "good" looks like vs. what will get flagged. The gap assessment framework lets you score your current state against each TSC category so you know where to focus your 90 days. Built for engineering and compliance teams working together on their first SOC 2 engagement.

Who Is This For?

  • You're doing your first SOC 2 audit and don't know what evidence the auditor will actually ask for
  • Your engineering team needs to know exactly what to collect from AWS/GCP/Azure to satisfy each control
  • You need a 90-day readiness plan to prepare for Type 1 without turning it into a 6-month project
  • A customer enterprise deal is contingent on SOC 2 and you need to know where your gaps are before engaging an auditor
  • You want to scope for Security only in your first report and need help deciding whether to include additional TSC categories

Preview

  • 5 SOC 2 Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, Privacy
  • Type 1 vs Type 2 comparison — timeline, cost, and readiness differences for each
  • 12-month SOC 2 preparation roadmap — month-by-month phases from gap assessment through audit
  • Cloud infrastructure security controls — SIEM, MFA, endpoint protection, and evidence collection requirements
  • Excel template — Master SOC 2 Checklist with all Trust Services Criteria mapped to controls and evidence
  • Evidence Tracker — document collection status, screenshot requirements, and audit-ready evidence inventory

What's Included

  • 151 controls across all 5 TSC categories
  • Evidence collection guidance
  • Observation period tracker
  • Gap assessment framework
  • SOC 2 audit process guide
  • 90-day readiness plan

30-Day Money-Back Guarantee

If this template doesn't meet your expectations, email us within 30 days for a full refund. No questions asked.

Frequently Asked Questions

How are the 151 controls distributed across the 5 Trust Services Criteria?

The distribution follows AICPA weighting: Security (CC-series) has the largest block (~80 controls) covering logical access, change management, risk assessment, and monitoring. Availability covers system performance and redundancy. Processing Integrity covers accuracy and completeness. Confidentiality covers data classification and protection. Privacy covers personal information handling and GDPR/CCPA alignment. You can filter by TSC category in the Excel template.

What does the evidence collection guidance tell me for each control?

For every one of the 151 controls, the guidance specifies: the exact artifact type an auditor will request (screenshot, policy document, log export, configuration file), where to find it in common tech stacks (AWS, GCP, Azure, Okta, GitHub), what "good" evidence looks like vs. what gets flagged as insufficient, and the retention period for each evidence type. This is the part that saves you the most time in audit prep.

What's in the 90-day readiness plan?

The 90-day plan divides readiness into 3 phases: Month 1 — complete the gap assessment and score each TSC category; Month 2 — remediate high-gap areas, implement missing controls, and begin evidence collection; Month 3 — conduct internal readiness review, finalize evidence package, and engage auditor for Type 1. The plan includes weekly milestones and a responsibility matrix.

What's the difference between Type 1 and Type 2, and which does this kit support?

Type 1 is a point-in-time assessment of whether controls are designed correctly. Type 2 covers a 6–12 month observation period testing whether controls operated effectively. This kit supports both — the gap assessment and 90-day readiness plan prepare you for Type 1, while the observation period tracker and evidence collection templates support the Type 2 observation period.

Do I need to scope for all 5 Trust Services Criteria?

No — Security (CC-series) is the only required category. Availability, Processing Integrity, Confidentiality, and Privacy are optional add-ons. The gap assessment framework includes a scoping section that helps you decide which optional categories to include based on your customer contracts and business requirements. Most first-time SOC 2 reports cover Security only.

Can engineering teams use this without compliance support?

Yes — the kit is specifically designed for engineering and compliance teams working together on their first engagement. The evidence collection guidance is written in technical language where appropriate, with specific instructions for collecting evidence from AWS, GCP, Azure, and common SaaS tools. Engineering leads can own evidence collection for the technical controls while compliance owns the policy and governance controls.
