
A practical SOC 2 pre-audit readiness checklist

Most SOC 2 delays trace back to avoidable gaps. This checklist walks through the scoping, policy, access, monitoring, vendor, and evidence work to do before an auditor shows up.

Start with scope and a readiness assessment

Scope is the most consequential decision because it drives cost, timeline, and complexity. Security (the Common Criteria) is mandatory; the other categories are optional and included only where they match customer commitments. Decide early between Type I and Type II, and run a readiness assessment to surface deficiencies while you still have time to fix them.

Document the policies auditors expect

SOC 2 leans on written, approved, version-controlled policies — access control, incident response, data classification, change management, risk assessment, and vendor management at minimum. They need to reflect how you actually operate, because auditors compare policy language against real evidence.

Tighten access control and identity

Access control is heavily scrutinized. Implement role-based access, enforce MFA, and maintain a repeatable grant/revoke process tied to onboarding and offboarding. Periodic, documented user access reviews prove entitlements are revisited rather than accumulating.

Make monitoring continuous, not reactive

Auditors want consistent, visible monitoring on a defined cadence. Automating recurring tasks (access reviews, offboarding, log retention, vulnerability scanning) reduces effort and missed controls, and pulling evidence directly from systems such as AWS, Okta, and GitHub keeps the picture current.
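The two sections above (repeatable grant/revoke tied to offboarding with documented access reviews, and automating those reviews so evidence comes straight from systems) are illustrated by the following added example. It is not code from the original checklist or from any vendor; it reconciles a constructed identity-provider export against a constructed HR roster and role baseline, flags offboarding gaps, orphaned accounts, missing MFA, excess entitlements and dormant accounts, and packages the result as a digest-protected evidence record. All data, the export shape, the 90-day dormancy threshold and the `ROLE_GROUPS` baseline are assumptions; the criterion codes are from the 2017 Trust Services Criteria and the mapping should be confirmed with your auditor.

```python
"""Automated user access review: reconcile an IdP export against the HR roster
and a role baseline, then emit a timestamped, digest-protected evidence record."""
import hashlib
import json
from datetime import date

# Constructed sample HR roster (hypothetical people, not real data).
HR_ROSTER = [
    {"employee_id": "E100", "name": "Ana Ruiz", "role": "engineer", "status": "active"},
    {"employee_id": "E101", "name": "Ben Okafor", "role": "support", "status": "active"},
    {"employee_id": "E102", "name": "Cy Lam", "role": "engineer", "status": "terminated"},
]

# Constructed sample identity-provider export; the field shape is assumed and
# would be adapted to whatever your IdP's user/group API actually returns.
IDP_USERS = [
    {"username": "ana", "employee_id": "E100", "mfa_enrolled": True,
     "groups": {"eng-read", "eng-deploy"}, "last_login": "2024-05-30"},
    {"username": "ben", "employee_id": "E101", "mfa_enrolled": False,
     "groups": {"support", "eng-deploy"}, "last_login": "2024-05-28"},
    {"username": "cy", "employee_id": "E102", "mfa_enrolled": True,
     "groups": {"eng-read"}, "last_login": "2024-01-10"},
    {"username": "svc-legacy", "employee_id": None, "mfa_enrolled": False,
     "groups": {"eng-deploy"}, "last_login": "2023-11-02"},
]

# Assumed RBAC baseline: the groups each role is entitled to hold.
ROLE_GROUPS = {
    "engineer": {"eng-read", "eng-deploy"},
    "support": {"support"},
}

DORMANT_DAYS = 90  # assumed policy threshold for unused accounts

# Criterion codes from the 2017 Trust Services Criteria (CC6.x = logical access);
# the exact mapping is an assumption to confirm with the auditor.
CRITERION = {
    "offboarding_gap": "CC6.3",
    "orphaned_account": "CC6.2",
    "mfa_missing": "CC6.1",
    "excess_entitlement": "CC6.3",
    "dormant_account": "CC6.3",
}


def review_access(roster, idp_users, role_groups, review_date: str, dormant_days=DORMANT_DAYS):
    """Return a list of findings; an empty list means the review passed cleanly."""
    as_of = date.fromisoformat(review_date)
    by_id = {e["employee_id"]: e for e in roster}
    findings = []

    def flag(user, issue, detail):
        findings.append({"user": user, "issue": issue,
                         "criterion": CRITERION[issue], "detail": detail})

    for u in idp_users:
        emp = by_id.get(u["employee_id"])
        if emp is None:
            flag(u["username"], "orphaned_account", "no matching HR record")
            continue
        if emp["status"] != "active":
            # Offboarding should have removed the account; further checks are moot.
            flag(u["username"], "offboarding_gap", f"{emp['employee_id']} is {emp['status']}")
            continue
        if not u["mfa_enrolled"]:
            flag(u["username"], "mfa_missing", "MFA not enrolled")
        excess = u["groups"] - role_groups.get(emp["role"], set())
        if excess:
            flag(u["username"], "excess_entitlement",
                 f"beyond role {emp['role']}: {sorted(excess)}")
        idle = (as_of - date.fromisoformat(u["last_login"])).days
        if idle > dormant_days:
            flag(u["username"], "dormant_account", f"no login for {idle} days")
    return findings


def _canonical(body) -> str:
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def build_evidence_record(findings, accounts_reviewed: int, review_date: str, reviewer: str):
    """Package the review as an auditor-ready record; the SHA-256 over the canonical
    JSON makes later edits to the stored record detectable."""
    body = {
        "control": "periodic user access review",
        "review_date": review_date,
        "reviewer": reviewer,
        "accounts_reviewed": accounts_reviewed,
        "findings": findings,
    }
    return {**body, "sha256": hashlib.sha256(_canonical(body).encode()).hexdigest()}


def verify_evidence_record(record) -> bool:
    """Recompute the digest of a stored record and compare it with the embedded one."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body).encode()).hexdigest() == record["sha256"]


def run_sample_review(review_date: str = "2024-06-01"):
    findings = review_access(HR_ROSTER, IDP_USERS, ROLE_GROUPS, review_date)
    return build_evidence_record(findings, len(IDP_USERS), review_date, reviewer="security-lead")


if __name__ == "__main__":
    print(json.dumps(run_sample_review(), indent=2))
```

On the sample data the review flags four items: the terminated employee whose account still exists, the service account with no HR owner, and one active user both missing MFA and holding a deploy group outside the support role. Running this on a schedule and storing each record (with its digest) is the kind of Type II evidence that shows the control operated across the whole period rather than once before fieldwork.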

Bring vendors into scope

Third-party vendors with access to your systems or data fall in scope. Maintain a vendor inventory, classify by risk, and collect evidence that you assess and monitor them (their SOC 2 reports, questionnaires). Reassess on a schedule, not just at onboarding.

Organize evidence before the audit window

The readiness effort should culminate in a well-organized body of proof: approved policies, onboarding/offboarding and deployment procedures, plus operational records like logs, change logs, and access-review results. For Type II, evidence must show controls operated throughout the period — and mapping each item to its criterion ahead of time shortens fieldwork.
