SOC 2 Requirements Checklist: Complete Guide for 2025

By Michael Torres
January 15, 2025
15 min read

TL;DR: Quick Takeaways

  • SOC 2 requires implementation of controls across 5 Trust Service Criteria, with Security being mandatory
  • Most audits require 60-93 controls depending on which criteria you pursue
  • 40-50% of requirements can be automated through integrations and compliance platforms
  • Documentation and evidence collection are the most time-consuming aspects of compliance

Getting SOC 2 certified requires satisfying a comprehensive set of controls across security, availability, confidentiality, privacy, and processing integrity. But what exactly do auditors look for? What evidence do you need to provide? And how can you systematically prepare for your audit?

This complete SOC 2 requirements checklist breaks down every control, the evidence needed, and practical implementation guidance. Whether you're preparing for your first audit or optimizing your compliance program, this guide will help you understand exactly what's required.

Security Criteria (Mandatory)

The Security criteria are mandatory for all SOC 2 audits and form the foundation of your compliance program. They focus on protecting your systems against unauthorized access, both physical and logical.

🔐 CC6.1: Logical and Physical Access Controls

Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users.

Requirements:

  • ✓ Documented access request and approval process
  • ✓ Role-based access control (RBAC) implementation
  • ✓ Access reviews conducted quarterly
  • ✓ Offboarding procedures that revoke access immediately
  • ✓ Multi-factor authentication (MFA) on all systems

Evidence Needed:

  • Access request tickets from ticketing system
  • Screenshots of user permissions in critical systems
  • Access review documentation with sign-offs
  • Offboarding checklist for departed employees
  • MFA configuration screenshots
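
As an added illustration of the quarterly access review and offboarding checks above (example code written for this guide, not part of the article or any LowerPlane tool), the script below reconciles a constructed HR roster against a constructed user export from a production system and returns the findings an access-review record should carry: terminated or unknown identities that still have access, users without MFA, dormant accounts, and roles beyond what HR has on file. The roster fields, the 90-day dormancy threshold and the role names are assumptions.

```python
"""Quarterly access review (added example; constructed data, not from the
article or any vendor tool). Reconciles an HR roster against a system's
user export and lists the findings an access-review record should carry."""
from datetime import date

# Constructed HR roster: employment status and the role HR has on file.
HR_ROSTER = {
    "alice": {"active": True, "role": "engineer"},
    "bob": {"active": False, "role": "engineer"},   # offboarded, should have no access
    "carol": {"active": True, "role": "support"},
}

# Constructed user export from a production system (IdP, cloud account, etc.).
SYSTEM_USERS = [
    {"user": "alice", "mfa": True, "last_login": date(2025, 1, 10), "roles": ["engineer"]},
    {"user": "bob", "mfa": True, "last_login": date(2024, 12, 20), "roles": ["engineer"]},
    {"user": "carol", "mfa": False, "last_login": date(2024, 9, 1), "roles": ["support", "admin"]},
    {"user": "dan", "mfa": True, "last_login": date(2025, 1, 12), "roles": ["engineer"]},
]

STALE_DAYS = 90                    # assumed policy threshold for dormant accounts
REVIEW_DATE = date(2025, 1, 15)    # constructed date of this review

def review_access(roster, users, today, stale_days=STALE_DAYS):
    """Return (user, finding) pairs; an empty list means the review is clean."""
    findings = []
    for u in users:
        name = u["user"]
        hr = roster.get(name)
        if hr is None:
            # Nobody in HR owns this account: an orphaned or unknown identity.
            findings.append((name, "account not in HR roster"))
            continue
        if not hr["active"]:
            # Offboarding failure: access outlived the employment record.
            findings.append((name, "terminated user still has access"))
            continue
        if not u["mfa"]:
            findings.append((name, "MFA not enrolled"))
        if (today - u["last_login"]).days > stale_days:
            findings.append((name, f"no login in {stale_days} days"))
        # Least privilege: roles granted must not exceed the HR role.
        extra = sorted(set(u["roles"]) - {hr["role"]})
        if extra:
            findings.append((name, f"roles beyond HR role: {extra}"))
    return findings
```

Run `review_access(HR_ROSTER, SYSTEM_USERS, REVIEW_DATE)` and keep its output together with the reviewer's sign-off as the quarter's evidence.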

🔒 CC6.6: Encryption

The entity encrypts data at rest and in transit to meet its objectives.

Requirements:

  • ✓ TLS 1.2+ for all data in transit
  • ✓ AES-256 or equivalent for data at rest
  • ✓ Database encryption enabled
  • ✓ Encrypted backups
  • ✓ Key management procedures documented

Evidence Needed:

  • SSL/TLS certificate configurations
  • Database encryption settings screenshots
  • Backup encryption verification
  • Key management policy and procedures

📊 CC7.2: System Monitoring

The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts.

Requirements:

  • ✓ Centralized logging (SIEM or equivalent)
  • ✓ Log retention for minimum 90 days
  • ✓ Automated alerts for security events
  • ✓ Regular log review procedures
  • ✓ Intrusion detection/prevention system

Evidence Needed:

  • SIEM configuration screenshots
  • Log retention policy documentation
  • Sample of security alerts and responses
  • Log review meeting notes
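
To show what "automated alerts for security events" and the 90-day retention requirement look like in practice, here is an added example (constructed log lines, not code from the article or any SIEM): a small detection rule that flags a source address with repeated failed logins followed by a success, and a check that the oldest retained log entry reaches back at least 90 days. The log line format and the five-failures-in-five-minutes threshold are assumptions.

```python
"""CC7.2 monitoring (added example with constructed log lines, not from the
article or a SIEM product): a detection rule over an auth log plus a
retention check."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed auth log; the format "<UTC timestamp> <RESULT> user=<u> src=<ip>"
# is an assumption standing in for whatever your IdP or SSH logs emit.
SAMPLE_LOG = """\
2025-01-14T09:00:01Z FAILED user=alice src=203.0.113.5
2025-01-14T09:00:04Z FAILED user=alice src=203.0.113.5
2025-01-14T09:00:07Z FAILED user=alice src=203.0.113.5
2025-01-14T09:00:09Z FAILED user=alice src=203.0.113.5
2025-01-14T09:00:12Z FAILED user=alice src=203.0.113.5
2025-01-14T09:00:15Z SUCCESS user=alice src=203.0.113.5
2025-01-14T10:30:00Z FAILED user=bob src=198.51.100.9
2025-01-14T14:12:41Z SUCCESS user=bob src=198.51.100.9
"""

OLDEST_LOG = date(2024, 10, 1)  # constructed: oldest entry still retained
TODAY = date(2025, 1, 15)       # constructed: date of the retention check

def parse(line):
    ts, result, user, src = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "result": result,
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1]}

def detect_failed_then_success(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP fails at least `threshold` logins inside
    `window` and then succeeds; that sequence deserves a human's review."""
    alerts = []
    failures = defaultdict(list)  # src ip -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse(line)
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        failures[ev["src"]] = recent
        if ev["result"] == "FAILED":
            recent.append(ev["ts"])
        elif ev["result"] == "SUCCESS" and len(recent) >= threshold:
            alerts.append(f"{ev['src']}: {len(recent)} failures then success as {ev['user']}")
            recent.clear()  # one alert per burst
    return alerts

def retention_ok(oldest_kept, today, minimum_days=90):
    """Retention evidence: the oldest kept log entry must be >= 90 days old."""
    return (today - oldest_kept).days >= minimum_days
```

The alert list and the retention result are the kind of artefacts an auditor samples under "security alerts and responses" and "log retention".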

🔄 CC8.1: Change Management

The entity authorizes, designs, develops, tests, approves, and implements changes to infrastructure, data, software, and procedures.

Requirements:

  • ✓ Documented change management policy
  • ✓ Change approval process with stakeholder sign-off
  • ✓ Testing procedures for all changes
  • ✓ Rollback procedures documented
  • ✓ Change log maintained for all production changes

Evidence Needed:

  • Change management policy document
  • Sample of change requests with approvals
  • Testing results and sign-offs
  • Change log from ticketing system (Jira, etc.)
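
As an added example of the evidence this control produces (written for this guide, not taken from the article or any ticketing product), the script below cross-checks a constructed production deploy log against constructed change tickets: every production change must reference an approved ticket, carry a passing test result, and have an approver who is not the author. The ticket field names and the deploy log shape are assumptions.

```python
"""CC8.1 change-management check (added example; constructed data, not from
the article). Flags production deploys that break the change policy."""

# Constructed change tickets, as exported from a ticketing system.
TICKETS = {
    "CHG-101": {"author": "alice", "approver": "dave", "tests_passed": True, "status": "approved"},
    "CHG-102": {"author": "bob", "approver": "bob", "tests_passed": True, "status": "approved"},
    "CHG-103": {"author": "carol", "approver": "dave", "tests_passed": False, "status": "approved"},
    "CHG-104": {"author": "alice", "approver": "dave", "tests_passed": True, "status": "draft"},
}

# Constructed production deploy log: (deploy id, linked ticket or None).
DEPLOYS = [
    ("deploy-9001", "CHG-101"),
    ("deploy-9002", "CHG-102"),
    ("deploy-9003", "CHG-103"),
    ("deploy-9004", "CHG-104"),
    ("deploy-9005", None),   # hotfix pushed without a ticket
]

def check_changes(deploys, tickets):
    """Return {deploy_id: [issues]} for every deploy that fails the policy."""
    issues = {}
    for deploy_id, ref in deploys:
        problems = []
        ticket = tickets.get(ref) if ref else None
        if ticket is None:
            problems.append("no change ticket linked")
        else:
            if ticket["status"] != "approved":
                problems.append("ticket not approved")
            if ticket["approver"] == ticket["author"]:
                problems.append("self-approved (no independent sign-off)")
            if not ticket["tests_passed"]:
                problems.append("deployed without passing tests")
        if problems:
            issues[deploy_id] = problems
    return issues
```

A clean result (an empty dict) for the observation period is the evidence; any entries are exceptions to remediate before the audit.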

Availability Criteria (Optional)

The Availability criteria address system accessibility and uptime. Most SaaS companies include this in their SOC 2 scope.

⏱️ A1.2: Environmental Protections

The entity has environmental protections, software, backup, and recovery infrastructure in place.

Requirements:

  • ✓ Infrastructure monitoring (uptime, performance)
  • ✓ Automated backups with regular testing
  • ✓ Disaster recovery plan documented and tested
  • ✓ Business continuity plan
  • ✓ Redundancy for critical systems

Evidence Needed:

  • Uptime monitoring reports (99.9%+ target)
  • Backup logs and test restoration results
  • DR plan with test results
  • Infrastructure diagrams showing redundancy

Confidentiality Criteria (Optional)

Confidentiality focuses on protecting information designated as confidential beyond standard security controls.

🤐 C1.1: Confidential Information

The entity identifies and maintains confidential information to meet objectives.

Requirements:

  • ✓ Data classification policy
  • ✓ Confidential data inventory
  • ✓ NDAs with employees and contractors
  • ✓ Data handling procedures
  • ✓ Secure disposal procedures

Evidence Needed:

  • Data classification policy document
  • Sample NDAs signed by employees
  • Data handling training materials
  • Secure deletion logs

Privacy Criteria (Optional)

The Privacy criteria address the collection, use, retention, disclosure, and disposal of personal information in accordance with the entity's privacy notice.

🔏 P1.1: Privacy Notice

The entity provides notice to data subjects about privacy practices.

Requirements:

  • ✓ Privacy policy publicly available
  • ✓ Data subject rights documented (access, deletion, etc.)
  • ✓ Cookie consent mechanism
  • ✓ Data processing agreements with vendors
  • ✓ Privacy request handling procedures

Evidence Needed:

  • Privacy policy with version history
  • Sample of data subject requests and responses
  • Cookie consent implementation
  • DPAs with third-party vendors

Processing Integrity Criteria (Optional)

Processing Integrity ensures that system processing is complete, valid, accurate, timely, and authorized.

⚙️ PI1.1: Processing Integrity

The entity obtains or generates, uses, and communicates relevant, quality information regarding processing.

Requirements:

  • ✓ Input validation on all forms/APIs
  • ✓ Error handling and logging
  • ✓ Transaction monitoring for anomalies
  • ✓ Data integrity checks
  • ✓ Reconciliation procedures

Evidence Needed:

  • Code samples showing input validation
  • Error logs with remediation actions
  • Transaction monitoring reports
  • Data integrity test results

Required Documentation for All Audits

Regardless of which Trust Service Criteria you pursue, these foundational documents are required:

📋 Policies & Procedures

  • Information Security Policy
  • Access Control Policy
  • Incident Response Plan
  • Business Continuity Plan
  • Vendor Management Policy
  • Acceptable Use Policy
  • Data Retention Policy
  • Change Management Policy

🎓 Training & Awareness

  • Security awareness training program
  • Training completion records
  • Phishing simulation results
  • Policy acknowledgment forms
  • Onboarding checklist
  • Annual refresher training

🔍 Testing & Reviews

  • Annual penetration test report
  • Quarterly vulnerability scans
  • Access reviews (quarterly)
  • Backup restoration tests
  • DR/BC test results
  • Policy review meeting notes

🤝 Third-Party Management

  • Vendor inventory
  • Vendor risk assessments
  • BAAs/DPAs with vendors
  • Vendor SOC 2 reports
  • SLA agreements
  • Annual vendor reviews

Key Takeaways

  1. The Security criteria are mandatory for all SOC 2 audits, while Availability, Confidentiality, Privacy, and Processing Integrity are optional based on your service offering.
  2. Most audits require 60-93 controls depending on scope. Focus on implementing controls that provide the most value to your security posture.
  3. Documentation is critical: policies, procedures, and evidence must be maintained consistently throughout your audit observation period.
  4. Automation can handle 40-50% of evidence collection, significantly reducing manual effort and human error in compliance programs.
  5. Start with the Security criteria, ensure you have strong foundational controls, then add additional criteria based on customer requirements.

Frequently Asked Questions

How many controls do I need for SOC 2?

The number of controls depends on which Trust Service Criteria you pursue. Security alone requires approximately 35-50 controls. If you add all five criteria (Security, Availability, Confidentiality, Privacy, Processing Integrity), you'll need to implement 60-93 controls. Your auditor will work with you to determine the exact scope based on your business model and risk assessment.

Can I use templates for SOC 2 policies?

Yes, using templates is a great starting point. However, you must customize them to reflect your actual practices. Auditors will verify that your documented policies match your implementation. Simply copying generic templates without customization will result in audit findings. LowerPlane provides customizable policy templates that you can tailor to your organization.

How often do I need to collect evidence?

For Type 2 audits, evidence must be collected throughout your observation period (typically 3-12 months). Most controls require monthly or quarterly evidence. For example, access reviews should be quarterly, backup tests monthly, and logs should be retained continuously. Automated platforms like LowerPlane collect evidence daily, ensuring you never miss a compliance requirement.

What happens if I don't meet a requirement?

If you don't meet a requirement, your auditor will issue an exception or qualified opinion in your SOC 2 report. This doesn't mean you fail; it means the report will note the deficiency. Minor exceptions may be acceptable to some customers, but major control failures can make your report unusable. It's critical to address gaps during readiness before the official audit begins.
