Search
Updated on January 22, 2024

SOC 2 Type 2 Checklist

Estimated reading: 4 minutes 1644 views

SOC 2 Type 2 Checklist

When preparing for a SOC 2 Type 2, be aware that the evidence needed from the auditors is a lot more extensive than a SOC 2 Type 1. A list of commonly requested evidence for type 2 is created for each of the Security criteria as guidance. Use this list for preparation and the expectation of evidence requests from your auditors.

This checklist is tailored to the SOC 2 controls available in Trust Ops.

CC1 Generate a list of all new employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each new employee, do you have each of the below? (TrustCloud controls)

  • HR- 3 Background Checks
  • HR-16 Job descriptions
  • HR-17 Hiring process
  • HR-1 Security awareness training
  • HR-15 Confidentiality agreement
  • HR-14 Policy Acknowledgment
CC1 Generate a list of all current employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each current employee, do you have each of the below? (TrustCloud controls)

  • HR-1 Security awareness training
  • HR-18 Employee performance review
CC1

CC2

CC3

 Generate a list of all vendors during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each vendor, do you have each of the below? (TrustCloud control)

  • VNDR-5 Vendor agreement
CC2 Generate a list of all customers during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each customer, do you have each of the below? (TrustCloud controls)

  • CUST-17 Master service agreement
  • CUST-11 Release notification
CC3 Generate a list of the systems in scope during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each system in scope, have you included them in each of the below? (TrustCloud controls)

  • BIZOPS-11 Risk register
  • IT-12 IT inventory
CC3 Generate a list of the Assets in scope during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each asset in scope, have you included them in each of the below? (TrustCloud controls)

  • IT-1 Inventory
  • IT-1 Asset type
CC4

CC5

 N/A – Address the mapped TrustCloud controls as usual in your TrustOps program
CC6 Generate a list of all new employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each new employee, do you have each of the below? (TrustCloud controls)

  • AUTH-8 Request and approve access
CC6 Generate a list of all current employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each current employee, do you have each of the below? (TrustCloud controls)

  • AUTH-8 Request and approve access
CC6 Generate a list of all terminated employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each terminated employee, do you have each of the below? (TrustCloud controls)

  • HR-6 Termination Process
CC6 Generate a list of the infrastructure (OS, DB, APP) during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each OS, DB, APP, can you demonstrate each of the below?(TrustCloud controls)

  • AUTH-1 SSO
  • AUTH-2 MFA
  • AUTH-11 Password Configuration
  • AUTH-4 Least privilege
  • AUTH-5 Access review
  • AUTH-6 Role based access
  • AUTH-7 Administrative access
CC7 Generate a list of all incidents during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each incident, do you have each of the below? (TrustCloud controls)

  • BIZOPS-8 Security incident testing
  • BIZOPS-19 Security incident tracking
  • BIZOPS-20 Security incident -change management
CC8 Generate a list of all application changes during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each application change, do you have each of the below? (TrustCloud controls)

  • PDP-8 Change Management Approval
  • PDP-9 Change Management Tracking
CC8 Generate a list of all infrastructure changes during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each infrastructure change, do you have each of the below? (TrustCloud controls)

  • PDP-8 Change Management Approval
  • PDP-9 Change Management Tracking
CC8 Generate a list of all emergency changes during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each emergency change, do you have each of the below? (TrustCloud controls)

  • PDP-8 Change Management Approval
  • PDP-9 Change Management Tracking

Join the conversation

ON THIS PAGE
SHARE THIS PAGE

SUBSCRIBE
FlightSchool
Trusty

Want to see how to turn GRC into a profit center?

Ready to save time and money on audits, pass security reviews faster, and manage enterprise-wide risk? Let’s talk! 

Learn More
TrustCommunity

The #1 Community for Security, Privacy, and GRC Professionals.

© 2024 TrustCloud Corporation. All rights reserved.
TrustCloud® and TrustOps® are registered trademarks of TrustCloud Corporation.

Facebook Linkedin Youtube Rss

Resources

Platform

TOPICS

ABOUT US

AICPA
Monitored by TrustCloud

💛 Joyfully Crafted to Elevate GRC Leaders into Trust Champions.

OR