Mark an item complete only when the control is operating and current evidence supports it. “Planned” work is not implemented work. Assign an owner and review date to every gap.
1. Scope and business context
- Document the product, services, legal entities, locations, and infrastructure in scope.
- Identify the customer or contract requirement driving SOC 2.
- Confirm which Trust Services Criteria are expected.
- Inventory systems, data flows, subprocessors, and critical vendors.
- Document material exclusions and assumptions.
2. Governance and ownership
- Name an executive sponsor and program owner.
- Assign owners for access, change management, incidents, vendors, availability, HR, and evidence.
- Approve a risk assessment and treatment plan.
- Establish policy approval, exception, and review processes.
- Create a recurring readiness meeting and decision log.
3. Technical control baseline
Identity and access
MFA, least privilege, joiner-mover-leaver workflow, privileged access, and recurring reviews.
Cloud and infrastructure
Secure configuration, vulnerability management, logging, backups, encryption, and monitoring.
Software development
Change approval, code review, secrets protection, dependency management, and deployment controls.
Incident and resilience
Response plan, escalation, testing, recovery objectives, restoration tests, and lessons learned.
4. People and vendor operations
- Document screening, onboarding, training, role changes, and termination procedures.
- Maintain confidentiality and acceptable-use requirements.
- Classify vendors by risk and document security due diligence.
- Track contracts, data handling, subprocessors, and vendor review dates.
- Document security awareness and role-based training evidence.
5. Evidence readiness
- Define the evidence required for each control and its source system.
- Record who collected it, when it was collected, and who approved it.
- Separate screenshots, exports, policies, logs, tickets, approvals, and meeting records.
- Test sample periods before the independent examination begins.
- Track stale, missing, conflicting, or manually generated evidence.
6. Before starting the examination
- Confirm controls are operating consistently.
- Resolve high-risk gaps and document accepted exceptions.
- Review the system description for accuracy.
- Validate the evidence package and owner availability.
- Confirm scope, timing, sampling approach, and communications with the CPA firm.
Frequently asked questions
Does completing this checklist prove readiness?
No. It is a planning aid. Readiness requires evidence that controls are designed appropriately and operating as described.
Should every SaaS company use every Trust Services Criterion?
No. Criteria should align with buyer requirements, business objectives, risk, and the planned examination scope.
Can evidence collection be automated?
Many technical tests can be automated. Human approvals, operational records, exceptions, and evidence outside integrations still require controlled workflows.
What should happen after the first report?
Continue operating controls, collecting evidence, reviewing vendors and access, testing incidents, and managing change.
Turn the checklist into an accountable plan
Identify the gaps, owners, evidence, and sequence before selecting an examination window.
Book a Compliance Clarity CallReview the readiness serviceEditorial note
This checklist is educational and does not constitute an independent assessment, legal advice, or a guarantee of compliance.
