SOC 2 Compliance Checklist for 2026
By Theodolite Team
What SOC 2 Actually Requires
SOC 2 is not a checklist you pass or fail. It is an attestation that your controls operate effectively over a review period, evaluated against the Trust Service Criteria (TSC) defined by the AICPA:
- Security (Common Criteria) -- Required for every SOC 2 engagement
- Availability -- Uptime commitments and incident recovery
- Processing Integrity -- Accurate, timely, authorized data processing
- Confidentiality -- Protection of information designated as confidential
- Privacy -- Personal information lifecycle management
Most organizations start with Security only (Type I), then expand to include Availability and Confidentiality for Type II.
Pre-Audit Checklist
Security (Common Criteria)
- CC1: Control Environment. Document your security org chart, roles, and reporting lines. Your auditor will ask who owns risk decisions.
- CC2: Communication and Information. Maintain an up-to-date information security policy. Distribute it to all employees with acknowledgment tracking.
- CC3: Risk Assessment. Conduct a formal risk assessment at least annually. Map identified risks to specific controls. This is where FAIR quantification pays dividends -- dollar-denominated risk assessments demonstrate mature risk management.
- CC4: Monitoring Activities. Implement continuous monitoring for your critical systems. Log aggregation, alerting thresholds, and regular review cadences.
- CC5: Control Activities. Document and test your technical controls: access management, encryption, network segmentation, vulnerability management.
- CC6: Logical and Physical Access. Enforce least-privilege access, MFA on all production systems, and quarterly access reviews. This is the most frequently cited control deficiency.
- CC7: System Operations. Maintain incident response procedures. Test them with tabletop exercises. Document every production incident and its resolution.
- CC8: Change Management. Require peer review for all production changes. Maintain a change log with approvals, rollback procedures, and post-deployment verification.
- CC9: Risk Mitigation. Document your vendor management program and require third-party risk assessments for any vendor that touches customer data.
Availability
- Define and publish SLAs for customer-facing services
- Implement automated failover and disaster recovery
- Test backup restoration quarterly and document results
- Maintain a business continuity plan with defined RTOs and RPOs
Confidentiality
- Classify data by sensitivity level (public, internal, confidential, restricted)
- Encrypt data at rest and in transit
- Implement DLP controls for confidential data egress
- Enforce retention and disposal policies with audit trails
Common Audit Pitfalls
1. Evidence gaps in the review period. Your controls need to be operating continuously, not just at the point-in-time snapshot. If you enabled MFA in month 8 of a 12-month review, you have a 7-month gap.
2. Incomplete access reviews. Auditors will sample terminated employees and verify access was revoked promptly. A single missed offboarding from six months ago becomes a finding.
3. Missing change approvals. Every production deploy needs documented approval. Hotfix at 2 AM with no approval? That is a control exception that needs a compensating narrative.
4. Vendor risk management theater. Collecting SOC 2 reports from vendors is not enough. You need to demonstrate that you reviewed them, identified relevant complementary user entity controls, and implemented them.
5. Policy-procedure misalignment. Your policy says quarterly vulnerability scans. Your scan logs show scans in January, March, and November. That is a control failure regardless of intent.
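The three evidence problems above that reduce to dates (a control that started mid-period, a missed offboarding, and a scan cadence that does not match policy) can be checked mechanically against exported evidence before the auditor does. The Python below is an added example, not Theodolite's code; the review period, the 92-day "quarterly" tolerance, the 7-day revocation window and every date are constructed sample values.

```python
"""Review-period evidence checks (added example, not Theodolite's code).

All dates below are constructed sample values for a 12-month review period.
"""
from datetime import date

REVIEW_START = date(2025, 1, 1)   # constructed review period
REVIEW_END = date(2025, 12, 31)

# Constructed evidence: MFA enforced in month 8; three scans against a
# quarterly policy; three leavers, two of whom kept access too long.
MFA_ENFORCED = date(2025, 8, 1)
SAMPLE_SCANS = [date(2025, 1, 15), date(2025, 3, 10), date(2025, 11, 20)]
SAMPLE_LEAVERS = {
    "a.chen": (date(2025, 4, 30), date(2025, 5, 1)),   # revoked next day
    "b.lee": (date(2025, 6, 13), date(2025, 7, 4)),    # revoked after 21 days
    "c.diaz": (date(2025, 9, 2), None),                # never revoked
}


def coverage_gap_months(enabled_on, start=REVIEW_START):
    """Pitfall 1: whole months of the period before a control was operating."""
    if enabled_on <= start:
        return 0
    return (enabled_on.year - start.year) * 12 + enabled_on.month - start.month


def offboarding_findings(leavers, max_days):
    """Pitfall 2: users whose access was revoked late or not at all.
    leavers maps user -> (termination_date, revocation_date or None)."""
    return sorted(user for user, (left, revoked) in leavers.items()
                  if revoked is None or (revoked - left).days > max_days)


def cadence_findings(evidence_dates, max_interval_days,
                     start=REVIEW_START, end=REVIEW_END):
    """Pitfall 5: consecutive evidence dates further apart than the policy
    cadence. The period boundaries act as checkpoints, so a late first scan
    or an early last scan is flagged as well as gaps in the middle."""
    points = [start] + sorted(d for d in evidence_dates if start <= d <= end) + [end]
    return [(a, b) for a, b in zip(points, points[1:])
            if (b - a).days > max_interval_days]


if __name__ == "__main__":
    print("MFA coverage gap (months):", coverage_gap_months(MFA_ENFORCED))
    print("Late/missing offboarding:", offboarding_findings(SAMPLE_LEAVERS, 7))
    for a, b in cadence_findings(SAMPLE_SCANS, 92):   # 92 days ~ one quarter
        print(f"Cadence gap: {a} -> {b} ({(b - a).days} days)")
```

With the sample data the MFA gap is the 7 months the post describes, and the January/March/November scan log produces a single 255-day cadence finding between March and November.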
Automating Evidence Collection
The most painful part of SOC 2 is not the audit itself -- it is the months of evidence gathering that precede it. Theodolite automates this in three ways:
- Cloud configuration scans continuously evaluate your AWS, Azure, and GCP environments against SOC 2 control objectives. Findings map directly to specific Common Criteria.
- Assessment auto-answering pre-populates compliance questionnaires using your actual scan data. Instead of manually writing narratives for 486 questions, you review and approve auto-generated responses.
- Evidence export packages scan results, configuration snapshots, and compliance scores into auditor-ready ZIP archives organized by Trust Service Criteria.
The goal is not to eliminate auditor interaction. It is to arrive at the audit with organized, timestamped evidence that demonstrates continuous control operation -- rather than scrambling to reconstruct six months of activity from memory.
Timeline Recommendation
| Months Before Audit | Action |
|---|---|
| 6 months | Run initial gap assessment against TSC. Identify control deficiencies. |
| 5 months | Remediate critical gaps. Implement missing controls. |
| 4 months | Begin continuous monitoring. Start evidence collection. |
| 3 months | Conduct internal audit or readiness assessment. |
| 2 months | Address readiness findings. Prepare evidence packages. |
| 1 month | Final evidence review. Brief stakeholders on audit process. |
| Audit | Provide organized evidence. Respond to auditor inquiries promptly. |
Starting the SOC 2 journey with automated evidence collection and continuous monitoring transforms the engagement from a scramble into a routine business process.