A SOC 2 compliance checklist is the ordered list of work that takes a company from “we want SOC 2” to a signed report from a licensed CPA firm. The ten steps are: (1) decide why you need it and pick Type 1 or Type 2, (2) define your audit scope, (3) select your Trust Services Criteria, (4) run a gap assessment, (5) write your security policies, (6) implement controls across the Common Criteria CC1–CC9, (7) deploy continuous monitoring, (8) collect and organize evidence, (9) complete a readiness assessment, and (10) engage a CPA firm for the audit. Security is the only mandatory criteria, the audit must be performed by a licensed CPA under the AICPA’s SSAE 18 standard, and a Type 2 requires controls to operate across a 3–12 month observation window. Here’s the full checklist.
What is a SOC 2 compliance checklist?
A SOC 2 compliance checklist is a structured plan that maps every requirement of a SOC 2 audit to the concrete tasks you must complete before an auditor will sign off. SOC 2 (System and Organization Controls 2) is an attestation framework from the AICPA (American Institute of Certified Public Accountants) that measures how well a service organization protects customer data against the five Trust Services Criteria. There is no single “SOC 2 certificate” you buy — you build controls, operate them, evidence them, and a licensed CPA firm examines them under the SSAE 18 standard. The checklist below turns that abstract framework into an order of operations.
If you’re still deciding whether SOC 2 is even the right report — versus SOC 1 — read SOC 1 vs SOC 2: What’s the Difference and Which One Do You Need? first.
The SOC 2 compliance checklist (10 steps)
The fastest path to SOC 2 is to do the work in order: scope first, controls second, evidence third, audit last. Skipping ahead — for example, booking an auditor before controls are in place — is the most common reason timelines slip. Here is the full checklist at a glance:
| # | Step | What “done” looks like |
|---|---|---|
| 1 | Decide why + pick the type | Clear business reason; Type 1 or Type 2 chosen |
| 2 | Define audit scope | Systems, data, and infrastructure boundaries documented |
| 3 | Select Trust Services Criteria | Security + any of Availability, Processing Integrity, Confidentiality, Privacy |
| 4 | Run a gap assessment | Every CC1–CC9 control marked present, partial, or missing |
| 5 | Write security policies | Information security, access, change, incident, risk, vendor policies |
| 6 | Implement controls (CC1–CC9) | MFA, encryption, logging, change management, vuln management live |
| 7 | Deploy continuous monitoring | Scans + monitoring running across the observation window |
| 8 | Collect & organize evidence | Dated scan reports, access reviews, tickets, logs |
| 9 | Readiness assessment | Internal/third-party review confirms audit-readiness |
| 10 | Engage a CPA firm | Licensed CPA performs the examination and issues the report |
Step 1 — Decide why you need SOC 2 and pick Type 1 or Type 2
Confirm the business reason (almost always an enterprise prospect or a market you want to sell into) before spending a dollar. Then choose your report type: Type 1 attests your controls are designed properly on a single date; Type 2 attests they operated effectively over a period, typically 3–12 months. Many teams do a Type 1 first to unblock a deal, then a Type 2; others go straight to Type 2 because it’s what enterprises ultimately want.
Step 2 — Define your audit scope
Write down exactly what is being audited: which product, which systems, which data stores, which cloud infrastructure, and which team. Scope is the single biggest cost and effort lever — a tight, well-defined boundary keeps the audit affordable; a vague one balloons it. Document what’s in and what’s explicitly out.
Step 3 — Select your Trust Services Criteria
Security is mandatory in every SOC 2; the other four are optional and chosen based on your service. Add Availability if you make uptime commitments, Confidentiality if customers share sensitive data, Processing Integrity if you process transactions, and Privacy if you handle personal information. Don’t add criteria you don’t need — each one expands the evidence you must produce.
Step 4 — Run a gap assessment
Compare your current controls against the nine Common Criteria (CC1–CC9, detailed below) and mark each as present, partial, or missing. This gap assessment is your real to-do list — everything marked partial or missing becomes a remediation task before the audit.
Step 5 — Write your security policies
SOC 2 expects documented policies, not just informal practice. At minimum: information security, acceptable use, access control, change management, incident response, risk assessment, business continuity/disaster recovery, and vendor management. Policies must reflect what you actually do — auditors test the real behavior against the written word.
Step 6 — Implement controls across CC1–CC9
Put the technical and administrative controls in place: multi-factor authentication, role-based access control, encryption in transit and at rest, centralized logging, formal change management, employee security training, and vulnerability management. This is where most of the engineering work lives.
Step 7 — Deploy continuous monitoring
For a Type 2, controls must be operating — and generating evidence — across the entire observation window, not just on audit day. Continuous vulnerability scanning and security monitoring close the gap that quarterly scans leave open. (More on why continuous beats point-in-time below.)
Step 8 — Collect and organize evidence
Gather dated artifacts that prove each control ran: scan reports, access reviews, onboarding/offboarding records, change tickets, incident logs, and training completions. The audit is won or lost on evidence — a control with no artifact is, to an auditor, a control that didn’t happen.
Step 9 — Complete a readiness assessment
Before the real audit, have an internal owner or a third party verify every control has supporting evidence and there are no obvious gaps. A readiness assessment catches the failures cheaply — fixing them after the auditor flags them costs far more time.
Step 10 — Engage a licensed CPA firm for the audit
Only a licensed CPA firm can perform a SOC 2 examination and issue the report. They’ll review your description of the system, test your controls, and issue an opinion. Choose an auditor experienced with companies your size.
What are the SOC 2 Common Criteria (CC1–CC9)?
The SOC 2 Security category is organized into nine Common Criteria, CC1 through CC9, and every SOC 2 audit is tested against all of them. They map closely to the COSO internal-control framework. Use this as the backbone of your Step 4 gap assessment:
| Criterion | Focus | What it covers |
|---|---|---|
| CC1 | Control Environment | Governance, org structure, ethics, roles, board oversight |
| CC2 | Communication & Information | Internal and external communication of security responsibilities |
| CC3 | Risk Assessment | Identifying, analyzing, and tracking risk as the business changes |
| CC4 | Monitoring Activities | Evaluating and reporting on whether controls are working |
| CC5 | Control Activities | Selecting and deploying the controls that mitigate risk |
| CC6 | Logical & Physical Access | Access control, MFA, encryption, physical security |
| CC7 | System Operations | Monitoring, detection, incident response, and vulnerability management |
| CC8 | Change Management | Testing and approving changes before they ship |
| CC9 | Risk Mitigation | Business processes and vendor/third-party risk management |
Vulnerability management lives primarily under CC7 (System Operations) — and it’s one of the controls auditors probe hardest. For the exact evidence expected there, see How to Prove Vulnerability Management for SOC 2 (Evidence Guide).
Which Trust Services Criteria should you include in scope?
Include Security (always required), then add only the criteria that match what you promise customers and the data you hold. Adding everything “to be safe” is a common, expensive mistake — each extra category multiplies the controls and evidence you must maintain.
| Criteria | Add it if… |
|---|---|
| Security (required) | Always — this is the Common Criteria, CC1–CC9 |
| Availability | You make uptime/SLA commitments |
| Confidentiality | Customers entrust you with sensitive (non-personal) data |
| Processing Integrity | You process transactions where accuracy matters |
| Privacy | You collect and process personal information (PII) |
Most early-stage SaaS companies scope Security only, sometimes adding Availability and Confidentiality. Privacy is the heaviest and is often deferred.
SOC 2 Type 1 vs Type 2: which should you start with?
Type 1 proves your controls are designed correctly on a single date; Type 2 proves they actually operated over a period of 3–12 months. Type 2 is what enterprises ultimately want, but Type 1 is a faster first proof. If you have a deal on the line, a Type 1 can unblock it in weeks while your Type 2 observation window runs in the background. The trade-off:
| Type 1 | Type 2 | |
|---|---|---|
| Tests | Control design at a point in time | Control operating effectiveness over a period |
| Time | Weeks of readiness | Readiness + 3–12 month window |
| Assurance | A snapshot | Proof controls run continuously |
| Best for | Unblocking a deal fast | The report enterprises trust |
The “operated over a period” requirement is exactly why continuous monitoring matters — see Security Monitoring vs. Security Audits: What’s the Difference?.
How long does SOC 2 compliance take?
A SOC 2 Type 1 typically takes about 6–12 weeks of readiness work; a Type 2 takes that readiness time plus a 3–12 month observation window (commonly 6 months) that cannot be shortened. The fixed cost is time: an auditor must see controls operating across the whole window. The variable cost is how much remediation your Step 4 gap assessment uncovers. Teams that deploy continuous monitoring early shorten the evidence-gathering burden dramatically, because the artifacts accumulate automatically across the window instead of being reconstructed at the end.
How much does SOC 2 cost?
A SOC 2 audit for a small SaaS company typically runs from roughly $10,000 to $40,000+ for a Type 2, plus optional compliance-automation tooling. Realistic ranges:
| Item | Typical range | Notes |
|---|---|---|
| Audit fee (Type 1) | ~$5,000–$15,000 | Point-in-time; faster |
| Audit fee (Type 2) | ~$10,000–$40,000+ | Scales with scope and number of criteria |
| Compliance automation | ~$2,000–$15,000/yr | Vanta, Drata, Secureframe (optional) |
| Security tooling | Varies | Scanning/monitoring evidence (e.g., Warin from $49/mo) |
For a founder-focused breakdown of cost, timeline, and how to respond to that first enterprise ask, read An Enterprise Customer Asked for SOC 2. What Should You Do?.
Figures are typical market ranges at time of publication and vary by auditor, scope, and region. Get quotes from a licensed CPA firm for your situation.
Common reasons companies fail or stall a SOC 2 audit
Most SOC 2 failures aren’t about missing controls — they’re about missing evidence that controls operated across the observation window. The recurring culprits:
- Gaps in the observation window — a scan ran in month 1 and month 6, but nothing in between, so the auditor can’t see continuous operation.
- Scope that doesn’t match reality — the asset inventory doesn’t reconcile with what you actually run, so the auditor questions whether everything in scope was covered. (See How to Discover All Your Internet-Facing Assets.)
- Policies that don’t match practice — the written policy says one thing; the evidence shows another.
- No remediation trail — vulnerabilities were found but there’s no record of triage, prioritization, and fix within the stated SLA.
- Last-minute evidence scramble — reconstructing artifacts at the end of the window instead of collecting them continuously.
How Warin helps you check off the security controls
Warin doesn’t issue SOC 2 reports — only a licensed CPA firm can. What Warin does is automate the security evidence behind the Common Criteria, especially CC6 (Access), CC7 (System Operations), and CC9 (Risk Mitigation), without a security hire:
- Continuous monitoring so your Type 2 observation window has unbroken coverage — no gaps for an auditor to flag.
- Web application scanning and network scanning that produce dated, exportable vulnerability-management evidence (CC7).
- Subdomain discovery and asset inventory so your scanned scope reconciles with what you run — the reconciliation auditors always ask for.
- Risk prioritization and fix guides that map findings to remediation SLAs and close the finding-to-fix loop on the record.
FAQs
What is the SOC 2 compliance checklist? The SOC 2 compliance checklist is the ordered set of tasks needed to pass a SOC 2 audit: decide why you need it and pick Type 1 or Type 2, define your scope, select your Trust Services Criteria, run a gap assessment, write policies, implement controls across the Common Criteria CC1–CC9, deploy continuous monitoring, collect evidence, complete a readiness assessment, and engage a licensed CPA firm for the audit.
How many Common Criteria are in SOC 2? There are nine Common Criteria in the SOC 2 Security category: CC1 (Control Environment), CC2 (Communication & Information), CC3 (Risk Assessment), CC4 (Monitoring Activities), CC5 (Control Activities), CC6 (Logical & Physical Access Controls), CC7 (System Operations), CC8 (Change Management), and CC9 (Risk Mitigation). Every SOC 2 audit is tested against all nine.
Is SOC 2 a certification? No. SOC 2 is an attestation report issued by a licensed CPA firm under the AICPA’s SSAE 18 standard, not a certification. There is no SOC 2 certificate to purchase — you implement and operate controls, and the auditor issues an opinion on them.
Can you do SOC 2 yourself without a consultant? Yes, small teams can self-manage readiness using a checklist, written policies, and tooling for evidence — but the audit itself must be performed by an independent licensed CPA firm. Compliance-automation platforms and continuous monitoring tools reduce how much manual work readiness requires.
How long is a SOC 2 report valid? A SOC 2 report is generally considered current for 12 months from the end of the observation period. Most companies renew annually with a fresh Type 2 covering the next period to maintain continuous coverage for customers.
Do I need continuous monitoring for SOC 2? For a SOC 2 Type 2, yes in practice — the auditor must see that controls operated across the entire observation window. Continuous vulnerability scanning and security monitoring generate the dated evidence that proves operation, where point-in-time scans leave gaps.
What’s the difference between SOC 2 Type 1 and Type 2? Type 1 tests whether controls are suitably designed at a single point in time; Type 2 tests whether they operated effectively over a period, typically 3–12 months. Type 2 provides stronger assurance and is what most enterprise customers ultimately require.
Final Thoughts
A SOC 2 compliance checklist works because it forces the right order: scope before controls, controls before evidence, evidence before the auditor. Define what’s in scope, pick only the Trust Services Criteria you need (Security is the one you can’t skip), close your CC1–CC9 gaps, and — most importantly for a Type 2 — make sure your controls are generating dated evidence continuously across the whole observation window. The teams that pass smoothly aren’t the ones with the most controls; they’re the ones whose evidence was already there when the auditor asked.
The security half of that checklist is exactly what Warin automates.
Working through your SOC 2 checklist without a security team? Warin runs continuous external attack surface monitoring — web app scanning, network scanning, subdomain discovery, SSL/TLS checks, and breach monitoring — producing the dated, auditor-ready evidence your Type 2 window needs. Start your 14-day free trial.