SOC 2 (Trust Services Criteria) Controls Checklist
AICPA · 20 controls
Curated subset of the SOC 2 Common Criteria (CC) used for service-organization trust reporting.
CC6.1 Logical access security (Access)
Logical access to systems, data, and resources is restricted to authorized users.
Evidence: Access-control policy, MFA configuration export, role-to-permission matrix.

CC6.2 User access provisioning (Access)
New internal and external users are registered and authorized before being granted access.
Evidence: Sample of approved access-request tickets for recent new hires.

CC6.3 User access deprovisioning (Access)
Access is removed in a timely manner when a user is terminated or no longer requires it.
Evidence: Termination list reconciled against access-removal timestamps.

CC6.4 Physical access restriction (Security)
Physical access to facilities and infrastructure is restricted to authorized personnel.
Evidence: Badge-access list and visitor logs for in-scope facilities.

CC6.6 Boundary protection (Security)
The system protects against threats from sources outside its logical boundaries.
Evidence: Firewall / security-group rule export and the most recent review.

CC6.7 Data-in-transit protection (Data)
Information in transit is encrypted to protect confidentiality and integrity.
Evidence: TLS configuration scan results and cipher policy.

CC6.8 Malicious software prevention (Security)
Controls prevent or detect the introduction of unauthorized or malicious software.
Evidence: EDR coverage report and recent detection/response samples.

CC7.1 Vulnerability management (Security)
Vulnerabilities are identified, evaluated, and remediated on a defined cadence.
Evidence: Vulnerability-scan reports with remediation tickets and dates.

CC7.2 Security monitoring (Security)
The system is monitored to detect anomalies and potential security events.
Evidence: SIEM alert configuration and a sample of triaged alerts.

CC7.3 Incident response (Security)
Identified security incidents are evaluated and responded to per a defined process.
Evidence: Incident-response plan and post-incident reviews / tabletop results.

CC7.4 Incident recovery (Security)
The entity recovers from identified security incidents and restores operations.
Evidence: Recovery runbooks and a recent incident recovery record.

CC8.1 Change management (Change)
Changes to infrastructure, data, software, and procedures are authorized, tested, and approved.
Evidence: Sample of change tickets showing test evidence and approvals.

CC9.1 Risk mitigation (Other)
The entity identifies, selects, and develops risk-mitigation activities.
Evidence: Current risk register and evidence of periodic review.

CC9.2 Vendor and third-party risk (Vendor)
The entity assesses and manages risks associated with vendors and business partners.
Evidence: Vendor inventory with risk tier and most recent SOC report review.

CC1.1 Control environment — integrity and ethics (Other)
The entity demonstrates a commitment to integrity and ethical values.
Evidence: Code of conduct and acknowledgment completion report.

CC2.1 Information and communication (Other)
The entity obtains and uses relevant, quality information to support controls.
Evidence: Control documentation describing information flows and ownership.

CC3.2 Risk identification and assessment (Other)
The entity identifies risks to its objectives and analyzes them to determine how they should be managed.
Evidence: Risk-assessment methodology and the latest assessment output.

CC4.1 Control monitoring activities (Other)
The entity evaluates whether components of internal control are present and functioning.
Evidence: Internal control monitoring / self-assessment results.

CC5.2 Control activities over technology (Change)
The entity selects and develops general control activities over technology.
Evidence: ITGC control matrix mapped to in-scope systems.

A1.2 Availability — backup and recovery (Data)
Backups and recovery capabilities support availability commitments.
Evidence: Backup success reports and the most recent restore test.