May 26, 2026 · 11 min read

SOC 2 Checklist: The Complete 2026 Readiness Guide for Type 1 & Type 2

The complete SOC 2 readiness checklist for 2026: scoping, policies, controls (CC1-CC9), evidence collection, auditor selection. Automate the whole list with Strac Comply.


TL;DR

  • A SOC 2 readiness checklist breaks the journey into five phases: Scoping, Gap Remediation, Observation Window operation, Audit Fieldwork, and Post-Audit Hygiene.
  • The most common gaps at scoping: missing policies (especially incident response and vendor management), inconsistent MFA on privileged access, no formal change management on production, vendor reviews older than 12 months, and no DLP across SaaS and cloud.
  • The two highest-leverage areas auditors will probe: CC6.1 (logical access + MFA) and CC6.6/CC6.7 (protection at the system boundary, and restricting how data is transmitted, moved or removed: DLP + encryption).
  • Strac Comply automates 60-70% of the items on this checklist out of the box — policies, evidence collection, access reviews, vendor workflows, DLP evidence — and ships with the underlying Strac DLP product, so the data-protection evidence comes from the same platform that's protecting the data.
  • This checklist is intentionally exhaustive. Use it for a first-time Type 2 (where every item matters), Type 1 (skip the observation-window items), or renewal audit (use it as a lapse-detection scan).

Want this checklist automated? Strac Comply takes about 60-70% of this list and auto-implements / auto-evidences it from a 10-minute setup. Policies drafted from a questionnaire. Evidence ingested continuously. Access reviews scheduled. Vendor workflows tracked. Plus Strac DLP shipping with the platform for CC6.6 / CC6.7 evidence. Start at comply.strac.io →

✨ Phase 1 — Scoping & Engagement (Weeks 1-4)

Before any controls work begins.

Scope decisions

  • [ ] Pick Trust Services Criteria. Security is mandatory. Add Availability / Confidentiality / Processing Integrity / Privacy if your buyer profile requires them. (Most SaaS = Security only.) See SOC 2 Trust Services Criteria.
  • [ ] Pick Type 1 or Type 2. Type 2 expected at mid-market and enterprise. See SOC 2 Type 2 for the dependency tree.
  • [ ] Define the system boundary. Which products, environments (prod/staging), business units, locations are in scope. Narrower = cheaper and faster.
  • [ ] Identify in-scope sub-service organizations. Cloud providers (AWS, GCP, Azure regions) and subprocessors. Under the carve-out method their controls are excluded from your report and you rely on their own SOC 2 reports (and list the complementary controls you expect them to operate); under the inclusive method their controls are described and tested as part of yours.

Auditor selection

  • [ ] Get quotes from 3 CPA firms. Confirm they're licensed for SOC 2 and have audited orgs at your stage.
  • [ ] Confirm SOC 2 + ISO 27001 + HIPAA experience if you'll renew with broader scope later.
  • [ ] Review sample reports. Ask for an anonymized prior client report. Read for tone and depth.
  • [ ] Sign the engagement letter with the observation window start date locked in.

Platform & infrastructure

  • [ ] Deploy a compliance automation platform. Strac Comply or alternative. See SOC 2 compliance software.
  • [ ] Deploy DLP across SaaS, cloud, endpoint. This is the data-evidence backbone of CC6.6 / CC6.7.
  • [ ] Confirm log retention covers the whole observation window plus the time until fieldwork ends (typically 13+ months), so the auditor can sample any date in the period.

✨ Phase 2 — Gap Remediation (Weeks 5-12)

Where the engineering and policy work happens.

CC1 — Control environment

  • [ ] Code of conduct with employee acknowledgment records.
  • [ ] Org chart documenting reporting lines and security responsibilities.
  • [ ] Board / executive oversight of security topics — meeting minutes or memos.

CC2 — Communication

  • [ ] Internal security communication — how policy changes reach employees.
  • [ ] External communication — how you tell customers about security material changes.

CC3 — Risk assessment

  • [ ] Annual risk assessment completed and signed off.
  • [ ] Risk register with treatment plans for top risks.
  • [ ] Fraud risk consideration — documented review.

CC4 — Monitoring activities

  • [ ] Internal audit or continuous monitoring evidence.
  • [ ] Control-deficiency tracking with remediation timeline.

CC5 — Control activities (policies)

Required policies (at minimum):

  • [ ] Information Security Policy
  • [ ] Acceptable Use Policy
  • [ ] Access Control Policy
  • [ ] Change Management Policy
  • [ ] Incident Response Policy
  • [ ] Business Continuity / Disaster Recovery Policy
  • [ ] Vendor Management Policy
  • [ ] Data Classification Policy
  • [ ] Cryptography / Encryption Policy
  • [ ] Password Policy / MFA Policy
  • [ ] Vulnerability Management Policy
  • [ ] Physical Security Policy (if applicable)

Each must be:

  • [ ] Written down, version-controlled.
  • [ ] Reviewed and approved by appropriate management.
  • [ ] Acknowledged by employees with retention records.

Strac Comply auto-drafts every one of these policies from a 10-minute questionnaire, tailored to your tech stack.

CC6 — Logical & physical access controls (the largest section)

  • [ ] MFA enforced on every privileged account: cloud (AWS, GCP, Azure), code (GitHub, GitLab), data warehouse (Snowflake, BigQuery), production (kubectl, SSH), payment infra (Stripe), critical SaaS admin consoles.
  • [ ] SSO deployed across all production SaaS where supported.
  • [ ] Role-based access control (RBAC) with documented role-to-permission mapping.
  • [ ] New-hire access provisioning triggered by HRIS with approval workflow.
  • [ ] Termination deprovisioning same-day on departure with retention of evidence.
  • [ ] Quarterly access reviews on all production-critical systems.
  • [ ] Encryption at rest on all cloud storage and databases.
  • [ ] Encryption in transit — TLS 1.2+ everywhere; no plaintext over the network.
  • [ ] DLP coverage across SaaS messages and files (Slack, Gmail, Drive, M365), cloud data stores, endpoint files, browser-side GenAI, and AI agent / MCP tool calls. See the SOC 2 controls reference for what auditors look for here.
  • [ ] Data classification labels applied to sensitive datasets and inherited by DLP policies.
  • [ ] Physical access controls for offices and data centers if applicable.
  • [ ] Endpoint protection (EDR, anti-malware) on every employee device.
  • [ ] Mobile device management (MDM) with disk encryption + remote wipe.
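The provisioning, deprovisioning, RBAC and quarterly-review items above all come down to one reconciliation: what the identity provider says people can do versus what HR and the access-control policy say they should be able to do. The following is an added example of that reconciliation, not code from the page or from Strac; the HRIS roster, IdP export, role mapping and the 90-day staleness threshold are all constructed assumptions, and the group and title names are placeholders.

```python
"""Quarterly access review helper (added example).

Cross-references an identity provider (IdP) user export against the HR
system (HRIS) roster and an approved role-to-group mapping, and returns the
exceptions a reviewer has to disposition and an auditor expects to see in the
review evidence. All inputs below are constructed sample data, not real exports.
"""
from datetime import date

# Constructed HRIS roster: who should have access, and who has left.
HRIS = [
    {"email": "ana@example.com", "title": "SRE",     "status": "active",     "terminated": None},
    {"email": "bo@example.com",  "title": "Support", "status": "active",     "terminated": None},
    {"email": "cy@example.com",  "title": "SRE",     "status": "terminated", "terminated": date(2026, 3, 2)},
]

# Constructed IdP export (the CSV you would pull from Okta / Entra / Google, reduced to the fields used).
IDP_USERS = [
    {"email": "ana@example.com",        "active": True, "groups": ["eng", "prod-admin"],     "last_login": date(2026, 5, 20)},
    {"email": "bo@example.com",         "active": True, "groups": ["support", "prod-admin"], "last_login": date(2026, 5, 19)},
    {"email": "cy@example.com",         "active": True, "groups": ["eng", "prod-admin"],     "last_login": date(2026, 4, 30)},
    {"email": "deploy-bot@example.com", "active": True, "groups": ["prod-admin"],            "last_login": date(2026, 1, 3)},
]

# Assumed role-to-permission mapping taken from the Access Control Policy.
ROLE_MAP = {
    "SRE": {"eng", "prod-admin"},
    "Support": {"support"},
}
PRIVILEGED_GROUPS = {"prod-admin"}
STALE_DAYS = 90  # assumed threshold for "unused privileged account"


def review_access(idp_users, hris, role_map, as_of):
    """Return (email, finding, detail) tuples for the reviewer to disposition."""
    roster = {p["email"]: p for p in hris}
    findings = []
    for u in idp_users:
        if not u["active"]:
            continue  # already disabled; not an exception for this review
        email = u["email"]
        person = roster.get(email)
        groups = set(u["groups"])

        # 1. Terminated in HRIS but still enabled in the IdP: the deprovisioning control failed.
        if person and person["status"] == "terminated":
            days_open = (as_of - person["terminated"]).days
            findings.append((email, "terminated_still_active", f"{days_open} days after termination"))
            continue

        # 2. No HR record: a service account or an orphan. Either way it needs a named owner.
        if person is None:
            findings.append((email, "no_hr_record", "service/orphan account; confirm owner and justification"))
        else:
            # 3. Privileged group membership outside what the role mapping approves for this title.
            extra = (groups - role_map.get(person["title"], set())) & PRIVILEGED_GROUPS
            if extra:
                findings.append((email, "privileged_group_not_in_role",
                                 f"groups {sorted(extra)} not approved for {person['title']}"))

        # 4. Privileged account nobody has used for a long time: candidate for removal.
        idle = (as_of - u["last_login"]).days
        if groups & PRIVILEGED_GROUPS and idle > STALE_DAYS:
            findings.append((email, "stale_privileged", f"no login in {idle} days"))
    return findings


def run_sample_review():
    """Run the review over the constructed data as of 26 May 2026."""
    return review_access(IDP_USERS, HRIS, ROLE_MAP, date(2026, 5, 26))


if __name__ == "__main__":
    for email, kind, detail in run_sample_review():
        print(f"{kind:30} {email:26} {detail}")
```

The output is the exception list; the review evidence an auditor samples is that list plus each reviewer's signed disposition (kept, removed, ticket reference) and the date. Run it against the real exports at the start of every quarter and keep the raw exports alongside the result so the sample can be re-performed.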

CC7 — System operations

  • [ ] Vulnerability scanning running on a documented cadence.
  • [ ] SLAs by severity (e.g., critical = 7 days, high = 30 days) with tracked remediation.
  • [ ] Anomaly / event monitoring — SIEM, security alerting, on-call rotation.
  • [ ] Incident response plan documented with playbooks for top scenarios.
  • [ ] At least one tabletop exercise during the observation window, with notes.
  • [ ] Post-incident review template ready for any real incident.
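The SLA item above is only evidence if remediation time is actually measured per finding, including findings that are still open and findings covered by a documented risk acceptance. Below is an added example of that measurement, not code from the page or from any scanner vendor; the findings list is constructed, the critical and high SLAs are the ones quoted in the checklist, and the medium and low values are assumed.

```python
"""Vulnerability remediation SLA check (added example).

Given a findings export (constructed sample below, not a real scanner output),
classify each finding against the SLA for its severity and build the
per-severity summary plus exception list you would hand an auditor for CC7.
"""
from datetime import date

# Critical and high values come from the checklist; medium and low are assumed.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings: fixed is None while open; accepted_until is a documented
# risk acceptance with an expiry date (an open acceptance with no expiry is a gap, not a control).
FINDINGS = [
    {"id": "VULN-101", "severity": "critical", "first_seen": date(2026, 4, 1),  "fixed": date(2026, 4, 5),  "accepted_until": None},
    {"id": "VULN-102", "severity": "critical", "first_seen": date(2026, 4, 10), "fixed": date(2026, 4, 25), "accepted_until": None},
    {"id": "VULN-103", "severity": "high",     "first_seen": date(2026, 5, 1),  "fixed": None,              "accepted_until": None},
    {"id": "VULN-104", "severity": "high",     "first_seen": date(2026, 3, 1),  "fixed": None,              "accepted_until": date(2026, 9, 1)},
    {"id": "VULN-105", "severity": "high",     "first_seen": date(2026, 3, 15), "fixed": None,              "accepted_until": date(2026, 5, 1)},
]


def classify(finding, as_of):
    """One of: met, breached, open_in_sla, open_breached, risk_accepted, acceptance_expired."""
    sla = SLA_DAYS[finding["severity"]]
    if finding["fixed"] is not None:
        took = (finding["fixed"] - finding["first_seen"]).days
        return "met" if took <= sla else "breached"
    accepted = finding["accepted_until"]
    if accepted is not None:
        # An expired acceptance is treated exactly like an unaddressed open finding.
        return "risk_accepted" if accepted >= as_of else "acceptance_expired"
    age = (as_of - finding["first_seen"]).days
    return "open_in_sla" if age <= sla else "open_breached"


def sla_report(findings, as_of):
    """Per-severity status counts, plus the items that need a written explanation for the auditor."""
    summary, exceptions = {}, []
    for f in findings:
        status = classify(f, as_of)
        bucket = summary.setdefault(f["severity"], {})
        bucket[status] = bucket.get(status, 0) + 1
        if status in ("breached", "open_breached", "acceptance_expired"):
            exceptions.append((f["id"], status))
    return summary, exceptions


def run_sample_report():
    """Evaluate the constructed findings as of 26 May 2026."""
    return sla_report(FINDINGS, date(2026, 5, 26))


if __name__ == "__main__":
    summary, exceptions = run_sample_report()
    for sev, counts in summary.items():
        print(sev, counts)
    print("exceptions:", exceptions)
```

Run this monthly from the scanner export and keep the output with the export; a breached item is not fatal to the audit if the exception list shows it was noticed and either fixed late with a reason or formally risk-accepted with an expiry.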

CC8 — Change management

  • [ ] Pull-request review required for all production code (no direct main pushes).
  • [ ] Production deploy logs captured with rollback evidence.
  • [ ] Infrastructure-as-code with approval gates for production environments.
  • [ ] Database migrations controlled (no direct DDL on production).
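For the pull-request and no-direct-push items, the auditor asks for the branch protection settings and then samples merges to confirm they were honoured. Below is an added example of checking those settings, not code from the page or from GitHub; the two objects are constructed to mirror the shape of GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` response (field names as in that API, values invented), and the expectations encoded in the check are this checklist's, not a GitHub default.

```python
"""Branch protection evidence check for CC8 (added example).

Evaluates a branch protection object against the change-management
expectations in the checklist: peer review before merge, no direct or forced
pushes, admins not exempt, and CI gates. The two objects below are constructed
samples in the shape of GitHub's branch-protection API response; fetching the
live object (for example `gh api repos/OWNER/REPO/branches/main/protection`)
is left to the caller.
"""

# Constructed: a "protected" branch that still fails the control.
WEAK_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 0, "dismiss_stale_reviews": False},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "required_status_checks": None,
}

# Constructed: settings that satisfy the checklist.
STRONG_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": True},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
}


def evaluate_branch_protection(protection):
    """Return a list of control gaps; an empty list means the branch meets the CC8 expectations."""
    gaps = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if not reviews:
        gaps.append("pull request reviews not required: direct pushes to the branch are possible")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            gaps.append("required approving review count is 0: author can merge without a second person")
        if not reviews.get("dismiss_stale_reviews"):
            gaps.append("stale reviews not dismissed: code can change after approval and still merge")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        gaps.append("admins bypass protection: admin merges will be sampled and need their own evidence")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        gaps.append("force pushes allowed: history, which is the change evidence, can be rewritten")
    if (protection.get("allow_deletions") or {}).get("enabled"):
        gaps.append("branch deletion allowed")
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        gaps.append("no required status checks: untested code can merge")
    return gaps


if __name__ == "__main__":
    for name, obj in (("weak", WEAK_PROTECTION), ("strong", STRONG_PROTECTION)):
        print(name, evaluate_branch_protection(obj) or ["ok"])
```

Keep the JSON you evaluated as the evidence artefact, dated; the auditor will pair it with a sample of merged pull requests to confirm each one had the approval and checks the settings require.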

CC9 — Risk mitigation

  • [ ] Business continuity plan with annual review.
  • [ ] Disaster recovery plan with at least one DR exercise per year.
  • [ ] Vendor security review completed for every critical third party.
  • [ ] Vendor risk register with each vendor's SOC 2 / ISO 27001 / DPA documents.

Optional TSC items

  • [ ] Availability: Capacity planning + uptime monitoring + DR testing.
  • [ ] Confidentiality: Confidential-data inventory + NDA enforcement + disposal process.
  • [ ] Processing Integrity: Input validation + output verification + error handling.
  • [ ] Privacy: Privacy notice + consent management + DSAR process + retention enforcement.

✨ Phase 3 — Observation Window (3-12 months)

Continuous operation. Evidence collection. No control lapses.

  • [ ] Continuous evidence collection running. Every control generating evidence into the compliance automation platform.
  • [ ] Drift alerts active. Notifications when a control fails (MFA disabled, encryption lapsed, scan missed).
  • [ ] Quarterly access reviews completed with reviewer evidence retained.
  • [ ] Monthly vulnerability scans completed and remediated within SLA.
  • [ ] Tabletop exercise run at least once during the window.
  • [ ] Vendor reviews completed for all critical vendors within the window.
  • [ ] All policies reviewed and re-approved (if applicable annual cycle).
  • [ ] Security awareness training completed by all employees during the window.
  • [ ] DLP events triaged and remediated with documented disposition.
  • [ ] Any incidents handled per IR plan with post-incident review on file.

This is where manual evidence collection breaks down. By month 6 of the observation window, manual screenshots and spreadsheets become unsustainable. Strac Comply's continuous evidence collection (cloud config, SaaS events, DLP findings, endpoint posture, MCP tool calls) makes this phase low-effort.

✨ Phase 4 — Auditor Fieldwork (4-6 weeks)

The audit itself.

  • [ ] Kickoff with auditor — align on evidence portal access and key personnel availability.
  • [ ] Evidence samples delivered for each control the auditor requests.
  • [ ] Walkthrough sessions with control owners (engineering, security, IT, HR, legal).
  • [ ] Auditor questions answered within 24-48 hours — bottlenecks here extend fieldwork.
  • [ ] Findings (if any) addressed with documented corrective action.
  • [ ] Draft report reviewed for factual accuracy and tone.
  • [ ] Final report received — archived for future customer requests.
  • [ ] Trust center updated with the new report. (Strac Comply ships with a trust center built in.)

✨ Phase 5 — Post-Audit Hygiene

After the report is in hand.

  • [ ] Distribute the report to existing customers who'd previously requested it.
  • [ ] Update sales collateral referencing the new SOC 2 attestation.
  • [ ] Schedule the next observation window (most teams renew annually).
  • [ ] Plan scope changes (add Confidentiality? Add HIPAA? Add ISO 27001?).
  • [ ] Capture lessons learned from the audit into your runbook.

✨ How Strac Comply Automates This Checklist

Strac Comply is the AI-native compliance automation platform built for security-led teams. From this checklist, the platform automates or evidences:

  • Phase 1 (Scoping): Pre-built scope templates per industry. Auditor portal integrations for evidence sharing.
  • Phase 2 (Gap Remediation):
      • Policies: AI-drafted from a 10-minute questionnaire, tailored to your tech stack.
      • Access reviews: scheduled automation, reviewer assignment, evidence capture.
      • DLP evidence: built in via the Strac DLP product; no separate integration needed.
      • Vendor management: workflow + tracking for every critical vendor.
      • Cloud config evidence: AWS / GCP / Azure pulled directly.
  • Phase 3 (Observation Window): continuous evidence collection across every integration. Drift alerts. Control-failure detection inside hours, not weeks.
  • Phase 4 (Fieldwork): one-click evidence export per control. Auditor portal access for direct download.
  • Phase 5 (Post-Audit): trust center for sharing the report. Auto-rollover to the next observation window.

Start at comply.strac.io →

Automate 60-70% of this checklist with Strac Comply

Policies auto-drafted. Evidence ingested continuously. Access reviews scheduled. DLP evidence built in. Strac is the only compliance platform that ships with continuous data security as part of the same product — one platform, one bill, full SOC 2 coverage.

Start at comply.strac.io →

🌶️ Spicy FAQs for SOC 2 Checklist

What's the single most-missed item on a first SOC 2?

MFA on the privileged accounts that sit outside the normal login flow. Companies often have MFA on everyday user accounts but skip it on the AWS root account, the break-glass admin, or the database admin login, and they treat long-lived service credentials (a deploy bot's access keys, for example) as if MFA applied to them when those can only be controlled by scoping, rotation, and removal when unused. Auditors find both gaps quickly.

How long does the checklist take end-to-end?

For a first-time Type 2: 6-18 months end-to-end. The observation window itself is 3-12 months; gap remediation is 1-3 months; auditor fieldwork is 4-6 weeks. See SOC 2 compliance for the full timeline.

Can a small startup skip some items?

You can't skip controls, but you can scope tightly. A 10-person startup with one product can scope down to that product + dev/prod environments + the core SaaS apps in use. The control set stays the same; the surface area shrinks.

What about policies — can I use templates?

Yes, with one caveat. Templates need to be customized to your actual practices, otherwise auditors will spot the mismatch between the policy and the evidence. Strac Comply's AI-drafted policies are tailored to your tech stack and operational reality rather than generic.

How does Strac Comply differ from Drata, Secureframe, or Sprinto on this checklist?

The unique angle: Strac Comply ships with Strac DLP and Strac DSPM as part of the same platform. For Phase 2 items under CC6.6 and CC6.7 (data classification and protection), other platforms send you to integrate a separate DLP. Strac Comply gives you the DLP product directly — same vendor, same bill, full coverage.

Do I need every item on this list?

The list is exhaustive on purpose. Required items are mandatory; optional items depend on your TSC scope. Use the list as a gap-detection scan, not a "you must do all 80 items" mandate.

How do auditors actually use evidence?

They sample. For most controls, the auditor picks a handful of instances across the observation window (on the order of 5-10 for a quarterly or monthly control; larger for controls that run on every change or every hire). Your job is to ensure (a) the control existed continuously, (b) evidence was captured continuously for every instance so any sample can be satisfied, and (c) any failure was detected and remediated within a reasonable time.

What if a control fails during the observation window?

Failure isn't fatal. Detection + response + correction is what the auditor evaluates. A control that failed, was detected within hours by your monitoring, was fixed within days, and was documented in a post-incident note may still be listed as an exception in the report, but with management's response alongside it, and it is far less likely to affect the opinion than a failure nobody noticed. Strac Comply's drift alerts cut detection time from weeks to hours.

How does AI / MCP factor into the checklist?

If your service uses AI — LLM-powered features, AI agents reading your SaaS via MCP, copilots inside your product — auditors increasingly probe AI controls under CC6 and CC7. Add MCP DLP to your scope. Strac Comply maps MCP tool-call audit logs to the right SOC 2 controls automatically.

When should I start the checklist relative to my audit date?

Backwards-plan from the audit. If you want a Type 2 report by Q4, start Phase 1 in Q1, Phase 2 in Q2, Phase 3 (observation window) Q2-Q4, Phase 4 in Q4. Most companies underestimate Phase 2 time; budget 8-12 weeks for first-time gap remediation.

The Bottom Line

This checklist is the full SOC 2 readiness program in one document. Strac Comply automates 60-70% of it and ships with the underlying data security product, so CC6.6 / CC6.7 evidence comes from the same platform that's protecting your data.

Start your SOC 2 with Strac Comply →
