Anchor Cyber Security · anchorcybersecurity.com
SOC 2 Readiness Checklist
Trust Services Criteria — Common Criteria + Availability + Confidentiality
How to use: Work through each section with your team. Check off items you have fully implemented. For partial items, note what's missing — those gaps are your audit preparation priorities.
CC1 — Control Environment
- Information security policy is documented, approved by management, and reviewed in the last 12 months
- Security roles and responsibilities are formally defined and communicated
- Employee background checks are performed for roles with access to sensitive systems
- All employees complete security awareness training at least annually
- An acceptable use policy (AUP) is in place and acknowledged by employees
CC2 — Communication & Information
- Security policies are communicated to all employees at hire and on updates
- A process exists for employees to report security incidents and concerns
- Customer-facing security commitments are documented (contracts, privacy policy, or trust page)
CC3 — Risk Assessment
- A formal risk assessment is completed at least annually
- A risk register is maintained and reviewed by management
- Significant changes to systems or operations trigger a risk re-assessment
- Risk treatment decisions (accept, mitigate, transfer, avoid) are documented
CC6 — Logical and Physical Access Controls
- All users have unique accounts — no shared credentials
- Multi-factor authentication (MFA) is enforced on all critical systems and remote access
- Privileged (admin) access is restricted to personnel who require it for their role
- User access is reviewed at least quarterly to verify appropriateness
- User accounts are revoked within 24 hours of employee termination or role change
- Production system access is restricted to authorized personnel only
- Remote access is secured via VPN or zero-trust network access (ZTNA)
- Physical access to servers and data centers is restricted and logged
- Passwords meet complexity requirements and are stored using a password manager
CC7 — System Operations
- Security events and access logs are collected and monitored
- Endpoint detection and response (EDR) or antivirus is deployed on all endpoints
- Vulnerability scans are performed at least quarterly
- Critical security patches are applied within 30 days of release
- An intrusion detection or alerting capability is in place
- System capacity is monitored to support availability commitments
CC8 — Change Management
- A formal change management process governs modifications to production systems
- Changes are tested in a non-production environment before deployment
- An emergency change process exists for critical security patches
- Code review is performed before deployment (for software companies)
CC9 — Risk Mitigation / Vendor Risk
- A vendor risk management program identifies and assesses third-party vendors
- Business Associate Agreements (BAAs) or Data Processing Agreements (DPAs) are in place with all vendors handling sensitive data
- Cyber liability insurance is carried and limits are reviewed annually
- A business continuity plan (BCP) exists and has been tested
- A disaster recovery plan (DRP) exists with documented RTOs and RPOs
Availability (A1) — If Applicable
- System availability/uptime commitments are documented and communicated to customers
- Redundancy or failover capability exists for critical systems
- Disaster recovery testing is performed at least annually
Confidentiality (C1) — If Applicable
- Confidential data is classified, labeled, and inventoried
- Confidential data is encrypted at rest and in transit
- A data retention and disposal policy is documented and followed
This checklist is provided for educational purposes. It covers the SOC 2 Trust Services Criteria (the common criteria, plus Availability and Confidentiality) most frequently reviewed in Type I and Type II audits. Specific requirements vary by auditor and by the scope of the organization's system description.
Questions? Schedule a free consultation: anchorcybersecurity.com/contact · © Anchor Cyber Security LLC