1. Policies & Procedures
Acceptable Use Policy
Information Security Policy
Access Control Policy
Data Protection / Privacy Policy
Vulnerability Management Policy
Incident Response Plan
Business Continuity & Disaster Recovery (BC/DR) Plan
Risk Management Policy
Change Management Policy
Vendor Management Policy
2. Infrastructure Documentation
Current Network Diagrams (with labeled zones, firewalls, VPCs, etc.)
System Architecture / Application Flow Diagrams
Inventory of Systems and Software
Data Flow Diagrams (highlighting customer data handling)
3. Corporate Governance
Third-party / MSP Contracts
Security-related Board Meeting Minutes
Security Training Records for All Employees
Background Checks (for personnel with data access)
4. Periodic Reviews
Quarterly User Access Reviews
Firewall Rule Reviews
Vulnerability Scan Reports and Patching Logs
Vendor Risk Assessments
Log and Event Monitoring Reports
Administrative Access Logs Review
Risk Register Updates
5. Annual Activities
Penetration Test Results & Remediation Evidence
Annual Risk Assessments
Policy and Procedure Annual Review Evidence
Business Continuity & DR Test Results
Security Awareness Training Completion
6. Change Management
Production Infrastructure Change Tickets
    Peer Reviewed
    Tested (with logs or test cases)
    Approved via Change Board or System
Application Deployment Change Records
Customer Data Deletion Requests & Confirmations
7. User Lifecycle Management
User Onboarding Checklist (with role-based access controls)
Offboarding Checklist (access revocation, equipment return)
Access Requests & Approvals
8. Security Incidents
Incident Tickets with Root Cause Analysis
Post-Incident Reviews
Communication Logs (internal + customer, if applicable)
Lessons Learned and Preventive Actions
9. Configuration & Security Controls
Database Encryption (at rest & in transit)
DB Snapshot Retention Policies
Network Segmentation Evidence (VPCs, Subnets, Security Groups)
List of Open Ports and Justifications
Ingress & Egress Firewall Rules
Endpoint Protection & Monitoring
MFA Enabled for All Privileged Access
Secure Configuration Baselines (for servers, DBs, etc.)
10. Monitoring & Logging
SIEM / Log Aggregator Configurations
Log Retention Policy & Samples
Alerting Rules & Thresholds
Daily/Weekly Security Monitoring Checklists