SOC 2 Type 2 Checklist

Estimated reading: 4 minutes 1835 views

SOC 2 Type 2 Checklist

When preparing for a SOC 2 Type 2, be aware that the evidence needed from the auditors is a lot more extensive than a SOC 2 Type 1. A list of commonly requested evidence for type 2 is created for each of the Security criteria as guidance. Use this list for preparation and the expectation of evidence requests from your auditors.

This checklist is tailored to the SOC 2 controls available in Trust Ops.

CC1 Generate a list of all new employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each new employee, do you have each of the below? (TrustCloud controls)

  • HR- 3 Background Checks
  • HR-16 Job descriptions
  • HR-17 Hiring process
  • HR-1 Security awareness training
  • HR-15 Confidentiality agreement
  • HR-14 Policy Acknowledgment
CC1 Generate a list of all current employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each current employee, do you have each of the below? (TrustCloud controls)

  • HR-1 Security awareness training
  • HR-18 Employee performance review
CC1

CC2

CC3

Generate a list of all vendors during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each vendor, do you have each of the below? (TrustCloud control)

  • VNDR-5 Vendor agreement
CC2 Generate a list of all customers during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each customer, do you have each of the below? (TrustCloud controls)

  • CUST-17 Master service agreement
  • CUST-11 Release notification
CC3 Generate a list of the systems in scope during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each system in scope, have you included them in each of the below? (TrustCloud controls)

  • BIZOPS-11 Risk register
  • IT-12 IT inventory
CC3 Generate a list of the Assets in scope during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each asset in scope, have you included them in each of the below? (TrustCloud controls)

  • IT-1 Inventory
  • IT-1 Asset type
CC4

CC5

N/A – Address the mapped TrustCloud controls as usual in your TrustOps program
CC6 Generate a list of all new employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each new employee, do you have each of the below? (TrustCloud controls)

  • AUTH-8 Request and approve access
CC6 Generate a list of all current employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each current employee, do you have each of the below? (TrustCloud controls)

  • AUTH-8 Request and approve access
CC6 Generate a list of all terminated employees during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each terminated employee, do you have each of the below? (TrustCloud controls)

  • HR-6 Termination Process
CC6 Generate a list of the infrastructure (OS, DB, APP) during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each OS, DB, APP, can you demonstrate each of the below?(TrustCloud controls)

  • AUTH-1 SSO
  • AUTH-2 MFA
  • AUTH-11 Password Configuration
  • AUTH-4 Least privilege
  • AUTH-5 Access review
  • AUTH-6 Role based access
  • AUTH-7 Administrative access
CC7 Generate a list of all incidents during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each incident, do you have each of the below? (TrustCloud controls)

  • BIZOPS-8 Security incident testing
  • BIZOPS-19 Security incident tracking
  • BIZOPS-20 Security incident -change management
CC8 Generate a list of all application changes during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each application change, do you have each of the below? (TrustCloud controls)

  • PDP-8 Change Management Approval
  • PDP-9 Change Management Tracking
CC8 Generate a list of all infrastructure changes during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each infrastructure change, do you have each of the below? (TrustCloud controls)

  • PDP-8 Change Management Approval
  • PDP-9 Change Management Tracking
CC8 Generate a list of all emergency changes during your observation period (i.e Jan 31, 2021 -December 31, 2022)
For each emergency change, do you have each of the below? (TrustCloud controls)

  • PDP-8 Change Management Approval
  • PDP-9 Change Management Tracking

Join the conversation

You might also be interested in

Documentation Templates

Documentation Templates are documents that provide a content outline to meet certain documentation needs....

Backup policy template – Download for free

The Data Backup Plan template helps you document in detail the data backup needs...

HR-13 Employee Handbook/Code of Conduct

HR-13 Employee Handbook or Code of Conduct communicates the organization’s values and ethics. It...

AUTH-1 Single Sign On (SSO)

Single Sign On (SSO) Control is a best practice recommendation for critical systems....

Security Incident Report Template

The Security Incident Report template helps you document the steps used to assess and...

BIZOPS-6 Disaster Recovery Testing

BIZOPS-6 Disaster Recovery Testing control refers to the exercise of identifying the critical systems...

PDP-10 SDLC – Separation of environments

PDP-10 SDLC Separation of Environments is important to maintain separate environments to develop, test,...

Privacy Committee Charter Template

Privacy Committee Charter serves as a foundational document, establishing the framework for the committee's...
ON THIS PAGE
SHARE THIS PAGE

SUBSCRIBE
FlightSchool
OR