SOC 2 Compliance Checklist: The 10-Step Guide for 2026

A practical, auditor-aligned SOC 2 compliance checklist — define your scope, pick your Trust Services Criteria, write policies, implement controls across CC1–CC9, collect evidence, and pass your audit. Built for SaaS teams without a security hire.

SOC 2 Compliance Checklist: The 10-Step Guide for 2026 - Cybersecurity guide for SaaS

A SOC 2 compliance checklist is the ordered list of work that takes a company from “we want SOC 2” to a signed report from a licensed CPA firm. The ten steps are: (1) decide why you need it and pick Type 1 or Type 2, (2) define your audit scope, (3) select your Trust Services Criteria, (4) run a gap assessment, (5) write your security policies, (6) implement controls across the Common Criteria CC1–CC9, (7) deploy continuous monitoring, (8) collect and organize evidence, (9) complete a readiness assessment, and (10) engage a CPA firm for the audit. Security is the only mandatory criteria, the audit must be performed by a licensed CPA under the AICPA’s SSAE 18 standard, and a Type 2 requires controls to operate across a 3–12 month observation window. Here’s the full checklist.


What is a SOC 2 compliance checklist?

A SOC 2 compliance checklist is a structured plan that maps every requirement of a SOC 2 audit to the concrete tasks you must complete before an auditor will sign off. SOC 2 (System and Organization Controls 2) is an attestation framework from the AICPA (American Institute of Certified Public Accountants) that measures how well a service organization protects customer data against the five Trust Services Criteria. There is no single “SOC 2 certificate” you buy — you build controls, operate them, evidence them, and a licensed CPA firm examines them under the SSAE 18 standard. The checklist below turns that abstract framework into an order of operations.

If you’re still deciding whether SOC 2 is even the right report — versus SOC 1 — read SOC 1 vs SOC 2: What’s the Difference and Which One Do You Need? first.


The SOC 2 compliance checklist (10 steps)

The fastest path to SOC 2 is to do the work in order: scope first, controls second, evidence third, audit last. Skipping ahead — for example, booking an auditor before controls are in place — is the most common reason timelines slip. Here is the full checklist at a glance:

#StepWhat “done” looks like
1Decide why + pick the typeClear business reason; Type 1 or Type 2 chosen
2Define audit scopeSystems, data, and infrastructure boundaries documented
3Select Trust Services CriteriaSecurity + any of Availability, Processing Integrity, Confidentiality, Privacy
4Run a gap assessmentEvery CC1–CC9 control marked present, partial, or missing
5Write security policiesInformation security, access, change, incident, risk, vendor policies
6Implement controls (CC1–CC9)MFA, encryption, logging, change management, vuln management live
7Deploy continuous monitoringScans + monitoring running across the observation window
8Collect & organize evidenceDated scan reports, access reviews, tickets, logs
9Readiness assessmentInternal/third-party review confirms audit-readiness
10Engage a CPA firmLicensed CPA performs the examination and issues the report

Step 1 — Decide why you need SOC 2 and pick Type 1 or Type 2

Confirm the business reason (almost always an enterprise prospect or a market you want to sell into) before spending a dollar. Then choose your report type: Type 1 attests your controls are designed properly on a single date; Type 2 attests they operated effectively over a period, typically 3–12 months. Many teams do a Type 1 first to unblock a deal, then a Type 2; others go straight to Type 2 because it’s what enterprises ultimately want.

Step 2 — Define your audit scope

Write down exactly what is being audited: which product, which systems, which data stores, which cloud infrastructure, and which team. Scope is the single biggest cost and effort lever — a tight, well-defined boundary keeps the audit affordable; a vague one balloons it. Document what’s in and what’s explicitly out.

Step 3 — Select your Trust Services Criteria

Security is mandatory in every SOC 2; the other four are optional and chosen based on your service. Add Availability if you make uptime commitments, Confidentiality if customers share sensitive data, Processing Integrity if you process transactions, and Privacy if you handle personal information. Don’t add criteria you don’t need — each one expands the evidence you must produce.

Step 4 — Run a gap assessment

Compare your current controls against the nine Common Criteria (CC1–CC9, detailed below) and mark each as present, partial, or missing. This gap assessment is your real to-do list — everything marked partial or missing becomes a remediation task before the audit.

Step 5 — Write your security policies

SOC 2 expects documented policies, not just informal practice. At minimum: information security, acceptable use, access control, change management, incident response, risk assessment, business continuity/disaster recovery, and vendor management. Policies must reflect what you actually do — auditors test the real behavior against the written word.

Step 6 — Implement controls across CC1–CC9

Put the technical and administrative controls in place: multi-factor authentication, role-based access control, encryption in transit and at rest, centralized logging, formal change management, employee security training, and vulnerability management. This is where most of the engineering work lives.

Step 7 — Deploy continuous monitoring

For a Type 2, controls must be operating — and generating evidence — across the entire observation window, not just on audit day. Continuous vulnerability scanning and security monitoring close the gap that quarterly scans leave open. (More on why continuous beats point-in-time below.)

Step 8 — Collect and organize evidence

Gather dated artifacts that prove each control ran: scan reports, access reviews, onboarding/offboarding records, change tickets, incident logs, and training completions. The audit is won or lost on evidence — a control with no artifact is, to an auditor, a control that didn’t happen.

Step 9 — Complete a readiness assessment

Before the real audit, have an internal owner or a third party verify every control has supporting evidence and there are no obvious gaps. A readiness assessment catches the failures cheaply — fixing them after the auditor flags them costs far more time.

Step 10 — Engage a licensed CPA firm for the audit

Only a licensed CPA firm can perform a SOC 2 examination and issue the report. They’ll review your description of the system, test your controls, and issue an opinion. Choose an auditor experienced with companies your size.


What are the SOC 2 Common Criteria (CC1–CC9)?

The SOC 2 Security category is organized into nine Common Criteria, CC1 through CC9, and every SOC 2 audit is tested against all of them. They map closely to the COSO internal-control framework. Use this as the backbone of your Step 4 gap assessment:

CriterionFocusWhat it covers
CC1Control EnvironmentGovernance, org structure, ethics, roles, board oversight
CC2Communication & InformationInternal and external communication of security responsibilities
CC3Risk AssessmentIdentifying, analyzing, and tracking risk as the business changes
CC4Monitoring ActivitiesEvaluating and reporting on whether controls are working
CC5Control ActivitiesSelecting and deploying the controls that mitigate risk
CC6Logical & Physical AccessAccess control, MFA, encryption, physical security
CC7System OperationsMonitoring, detection, incident response, and vulnerability management
CC8Change ManagementTesting and approving changes before they ship
CC9Risk MitigationBusiness processes and vendor/third-party risk management

Vulnerability management lives primarily under CC7 (System Operations) — and it’s one of the controls auditors probe hardest. For the exact evidence expected there, see How to Prove Vulnerability Management for SOC 2 (Evidence Guide).


Which Trust Services Criteria should you include in scope?

Include Security (always required), then add only the criteria that match what you promise customers and the data you hold. Adding everything “to be safe” is a common, expensive mistake — each extra category multiplies the controls and evidence you must maintain.

CriteriaAdd it if…
Security (required)Always — this is the Common Criteria, CC1–CC9
AvailabilityYou make uptime/SLA commitments
ConfidentialityCustomers entrust you with sensitive (non-personal) data
Processing IntegrityYou process transactions where accuracy matters
PrivacyYou collect and process personal information (PII)

Most early-stage SaaS companies scope Security only, sometimes adding Availability and Confidentiality. Privacy is the heaviest and is often deferred.


SOC 2 Type 1 vs Type 2: which should you start with?

Type 1 proves your controls are designed correctly on a single date; Type 2 proves they actually operated over a period of 3–12 months. Type 2 is what enterprises ultimately want, but Type 1 is a faster first proof. If you have a deal on the line, a Type 1 can unblock it in weeks while your Type 2 observation window runs in the background. The trade-off:

Type 1Type 2
TestsControl design at a point in timeControl operating effectiveness over a period
TimeWeeks of readinessReadiness + 3–12 month window
AssuranceA snapshotProof controls run continuously
Best forUnblocking a deal fastThe report enterprises trust

The “operated over a period” requirement is exactly why continuous monitoring matters — see Security Monitoring vs. Security Audits: What’s the Difference?.


How long does SOC 2 compliance take?

A SOC 2 Type 1 typically takes about 6–12 weeks of readiness work; a Type 2 takes that readiness time plus a 3–12 month observation window (commonly 6 months) that cannot be shortened. The fixed cost is time: an auditor must see controls operating across the whole window. The variable cost is how much remediation your Step 4 gap assessment uncovers. Teams that deploy continuous monitoring early shorten the evidence-gathering burden dramatically, because the artifacts accumulate automatically across the window instead of being reconstructed at the end.


How much does SOC 2 cost?

A SOC 2 audit for a small SaaS company typically runs from roughly $10,000 to $40,000+ for a Type 2, plus optional compliance-automation tooling. Realistic ranges:

ItemTypical rangeNotes
Audit fee (Type 1)~$5,000–$15,000Point-in-time; faster
Audit fee (Type 2)~$10,000–$40,000+Scales with scope and number of criteria
Compliance automation~$2,000–$15,000/yrVanta, Drata, Secureframe (optional)
Security toolingVariesScanning/monitoring evidence (e.g., Warin from $49/mo)

For a founder-focused breakdown of cost, timeline, and how to respond to that first enterprise ask, read An Enterprise Customer Asked for SOC 2. What Should You Do?.

Figures are typical market ranges at time of publication and vary by auditor, scope, and region. Get quotes from a licensed CPA firm for your situation.


Common reasons companies fail or stall a SOC 2 audit

Most SOC 2 failures aren’t about missing controls — they’re about missing evidence that controls operated across the observation window. The recurring culprits:

  • Gaps in the observation window — a scan ran in month 1 and month 6, but nothing in between, so the auditor can’t see continuous operation.
  • Scope that doesn’t match reality — the asset inventory doesn’t reconcile with what you actually run, so the auditor questions whether everything in scope was covered. (See How to Discover All Your Internet-Facing Assets.)
  • Policies that don’t match practice — the written policy says one thing; the evidence shows another.
  • No remediation trail — vulnerabilities were found but there’s no record of triage, prioritization, and fix within the stated SLA.
  • Last-minute evidence scramble — reconstructing artifacts at the end of the window instead of collecting them continuously.

How Warin helps you check off the security controls

Warin doesn’t issue SOC 2 reports — only a licensed CPA firm can. What Warin does is automate the security evidence behind the Common Criteria, especially CC6 (Access), CC7 (System Operations), and CC9 (Risk Mitigation), without a security hire:


FAQs

What is the SOC 2 compliance checklist? The SOC 2 compliance checklist is the ordered set of tasks needed to pass a SOC 2 audit: decide why you need it and pick Type 1 or Type 2, define your scope, select your Trust Services Criteria, run a gap assessment, write policies, implement controls across the Common Criteria CC1–CC9, deploy continuous monitoring, collect evidence, complete a readiness assessment, and engage a licensed CPA firm for the audit.

How many Common Criteria are in SOC 2? There are nine Common Criteria in the SOC 2 Security category: CC1 (Control Environment), CC2 (Communication & Information), CC3 (Risk Assessment), CC4 (Monitoring Activities), CC5 (Control Activities), CC6 (Logical & Physical Access Controls), CC7 (System Operations), CC8 (Change Management), and CC9 (Risk Mitigation). Every SOC 2 audit is tested against all nine.

Is SOC 2 a certification? No. SOC 2 is an attestation report issued by a licensed CPA firm under the AICPA’s SSAE 18 standard, not a certification. There is no SOC 2 certificate to purchase — you implement and operate controls, and the auditor issues an opinion on them.

Can you do SOC 2 yourself without a consultant? Yes, small teams can self-manage readiness using a checklist, written policies, and tooling for evidence — but the audit itself must be performed by an independent licensed CPA firm. Compliance-automation platforms and continuous monitoring tools reduce how much manual work readiness requires.

How long is a SOC 2 report valid? A SOC 2 report is generally considered current for 12 months from the end of the observation period. Most companies renew annually with a fresh Type 2 covering the next period to maintain continuous coverage for customers.

Do I need continuous monitoring for SOC 2? For a SOC 2 Type 2, yes in practice — the auditor must see that controls operated across the entire observation window. Continuous vulnerability scanning and security monitoring generate the dated evidence that proves operation, where point-in-time scans leave gaps.

What’s the difference between SOC 2 Type 1 and Type 2? Type 1 tests whether controls are suitably designed at a single point in time; Type 2 tests whether they operated effectively over a period, typically 3–12 months. Type 2 provides stronger assurance and is what most enterprise customers ultimately require.


Final Thoughts

A SOC 2 compliance checklist works because it forces the right order: scope before controls, controls before evidence, evidence before the auditor. Define what’s in scope, pick only the Trust Services Criteria you need (Security is the one you can’t skip), close your CC1–CC9 gaps, and — most importantly for a Type 2 — make sure your controls are generating dated evidence continuously across the whole observation window. The teams that pass smoothly aren’t the ones with the most controls; they’re the ones whose evidence was already there when the auditor asked.

The security half of that checklist is exactly what Warin automates.

Working through your SOC 2 checklist without a security team? Warin runs continuous external attack surface monitoring — web app scanning, network scanning, subdomain discovery, SSL/TLS checks, and breach monitoring — producing the dated, auditor-ready evidence your Type 2 window needs. Start your 14-day free trial.