SOC 2 Compliance Checklist for First-Time Audits

Checklist, Compliance, smb security, SOC2, vendor risk management

Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in data breaches doubled to 30% last year, up from roughly 15% the year before. This statistic is one of the reasons your biggest client just sent an email asking for a copy of your SOC 2 report. If you don’t have one yet, you’re far from alone. Vanta reports that customers, investors, and suppliers are increasingly requiring proof of compliance before signing or renewing contracts. Adelia Risk helps small and midsized businesses work through their first SOC 2 compliance checklist, and one of the first questions we hear is where to start.

This article walks through the key sections of our SOC 2 compliance checklist, based on the AICPA’s Trust Services Criteria, and explains the reasoning behind each requirement. You’ll get practical context that a SOC 2 requirements checklist alone can’t provide, including the kinds of gaps auditors tend to flag and a phased timeline so you are not trying to do everything at once. The checklist itself covers 53 items across 7 categories, organized in the order you should tackle them.

Start with Scope Before You Write Policies

The biggest mistake Adelia Risk sees with first-time SOC 2 projects is jumping straight into policy writing before defining what the audit will actually cover. The first decision in any SOC 2 project is scope. It drives your budget, your timeline, and how many departments need to be involved.

CHECKLIST EXTRACT

Start with Scope and Planning

Decide between SOC 2 Type 1 and Type 2: Type 1 looks at whether your controls are designed appropriately at a point in time. Type 2 looks at whether those controls are operating effectively over a review period.

Choose your Trust Services Criteria: Security is the only required criterion. The related controls are often referred to as the Common Criteria. Availability, Processing Integrity, Confidentiality, and Privacy are optional. Pick only the criteria your clients and contracts actually require.

Define what’s in scope: List the specific products, services, systems, locations, and people that the audit will cover. Everything in scope needs documented controls and evidence, so be precise about what you include.

Set a realistic timeline: First-time preparation takes 6 to 12 months. Plan accordingly and make sure leadership understands the work involved.

Type 1 vs Type 2

Most first-timers should start with a Type 1 audit. A Type 1 evaluates whether your controls are properly designed at a single point in time. A Type 2 goes further, testing whether those controls worked consistently over a 3-to-12-month observation period.

If a client specifically requires a SOC 2 Type 2 report (meaning you’ll eventually need a SOC 2 Type 2 checklist rather than a one-time assessment), ask about timing. Showing that you’ve started the SOC 2 process and have a Type 1 underway is often enough to keep the deal moving while you work toward Type 2.

Many customers will eventually want to see a Type 2, but some may accept a Type 1 if this is their first time going through the process.

Why Scope Mistakes Set You Back

SOC 1 covers financial reporting controls; SOC 2 covers security and operational controls. If your clients are asking about data security, SOC 2 is what they want.

Security (Common Criteria) is the only mandatory Trust Services Criterion. The other four are optional. Adding all five when your contracts only require Security and Availability doubles your preparation work for no business benefit.

We work with clients who initially want to include all five criteria just to be thorough. After reviewing their actual client agreements, many find that Security and Availability already cover what they need. That conversation often saves a lot of unnecessary work.

The Documentation Auditors Actually Need

This section of the SOC 2 compliance checklist is where first-timers get sticker shock. A SOC 2 audit reaches well beyond IT. Auditors want to see how your organization handles sensitive data across the business, from hiring and access changes through to device retirement.

In this checklist, we’re deliberately skipping most of the formal control language here and focusing on the documents auditors usually ask for first.

CHECKLIST EXTRACT

Gather Company and Governance Documents

Write a company overview: A 1 to 2 page summary of your organization, its history, mission, and the products or services it provides. Auditors use this to understand what they’re evaluating.

Build a vendor and subcontractor inventory: List every vendor that handles your data or connects to your systems, along with their contracts, SLAs, and any security certifications they hold.

Compile board and management meeting minutes: Especially any meetings where risk, security, or compliance were discussed. These help show that leadership is actively engaged in security governance.

Governance documentation helps show that security decisions are being made at the leadership level rather than treated as an IT-only issue. If your leadership meetings don’t currently include security as a recurring agenda item, start adding it now. Even brief quarterly discussions about security spending, risk posture, and compliance progress will give you something concrete to show the auditor.

HR Documentation Catches First-Timers Off Guard

CHECKLIST EXTRACT

Prepare HR Documents and Processes

Assemble your HR policies, employee manual, and code of conduct: Auditors want to see that you’ve set clear expectations for employee behavior around handling sensitive information.

Create or update your hiring and termination checklist: Cover background screening for new hires and revoking all access on the last day. Keep proof that you follow it.

Document all job descriptions: Each role should include security responsibilities. This helps show that security duties are clearly assigned.

Gather evidence for all recent hires and terminations: For each new hire, you need proof that the hiring checklist was followed. For each termination, you need proof that access was revoked on time.

HR documentation is one of the most common gaps Adelia Risk finds during SOC 2 readiness assessments. Your auditor will ask to see proof that your last five hires all had background checks completed, and that your last three terminations had system access revoked promptly. “We usually do that” is not enough. You need something concrete: screenshots of access removal, signed checklists, or system logs showing the deactivation date.

This applies across the whole checklist: if you cannot show the evidence, you are unlikely to get credit for the control. Every policy should have supporting evidence behind it, whether that is logs, screenshots, signed acknowledgments, completed tickets, or test results.

Document Your Technology Environment

Once governance and HR documentation are in order, it’s time to document what you’re actually running and how you’re protecting it.

CHECKLIST EXTRACT

Document Your Technology Environment

Inventory all servers, workstations, network equipment, and mobile devices: Include who uses each device. Every device that touches in-scope data needs to be tracked.

Inventory all software used by the company: Both purchased software and cloud-based tools (SaaS). Auditors want to see that you know what’s running in your environment.

Create or update your network diagrams: Visual maps of your IT infrastructure showing how systems connect to each other and to the internet. If you are running on IaaS like AWS, GCP, or Azure, this may be closer to a data flow diagram showing which components you use, what data they handle, and how they connect.

Confirm you have a ticketing system in place: You need to show how support requests and infrastructure changes are tracked, assigned, and resolved.

Auditors will also check that data is encrypted both at rest and in transit. If you’re storing client data, confirm your encryption standards meet current best practices (AES-256 at rest, TLS 1.2+ in transit).

Your technology inventory doesn’t need to be perfect on day one, but it needs to exist. Auditors will ask how many devices are in your environment, who has access to what, and how your systems connect.

If you are using cloud platforms like Google Workspace or Microsoft 365, those platforms may have their own compliance reports, but that does not cover your side of the shared-responsibility model. You still need to implement and document your own controls on top of the platform. Our M365 security audit and GWS security audit can help you identify which platform settings need attention and prepare your cloud configuration for your SOC 2 audit.

A ticketing system and formal change management process catch some teams off guard because they do not always feel like security work. In practice, they are how auditors see that changes to your systems go through a documented approval process. If your IT team is still handling requests over email or Slack, setting up a basic ticketing system before the audit will save time later.

Building Your Security Program

CHECKLIST EXTRACT

Build Your Information Security Program

Conduct a formal risk assessment: Identify and document the risks to your organization, assess likelihood and impact, and document how each risk is being addressed. Risk assessment is a core expectation in both NIST guidance and SOC 2.

Create an incident response plan: Cover detection, reporting, assessment, evidence preservation, communication, and lessons learned. Include who does what and how you’ll train the team.

Set up security awareness training: Enroll all employees in regular training. Track participation and performance. Include simulated phishing tests.

Perform vendor risk assessments: Every vendor that handles your data should have a risk assessment on file, completed during onboarding and reviewed periodically.

The formal risk assessment is the foundation of your entire SOC 2 program. Missing or incomplete risk assessments are among the most frequent audit findings we see. Don’t overthink this. Your risk assessment doesn’t need to be a 50-page document. Start by identifying your top risks. For most SMBs, 15 to 20 is a reasonable starting point. Rate their likelihood and impact, and document what you’re doing about each one. The NIST Cybersecurity Framework provides a solid structure for organizing your risk categories.

For vendor risk management, start with the vendors that access your most sensitive data. SecurityScorecard’s 2025 report found that 35.5% of all breaches were third-party related, which explains why auditors pay close attention to how you evaluate and monitor your vendors. Your auditor will want to see documented vendor assessments, security requirements in your contracts, and a regular review schedule.

Many auditors will also want to see results from vulnerability scans and, where appropriate, penetration tests. Regular scanning and periodic testing show that you are actively looking for weaknesses and following up on what you find.

Your incident response plan needs to answer the basics: who does what when something goes wrong, how you communicate internally and to affected parties, and how you document what happened. IBM’s 2025 Cost of a Data Breach Report found that organizations with tested incident response plans paid significantly less per breach than those without one.

Auditors will also want to see that you’ve tested the plan through a tabletop exercise at least once a year. Adelia Risk provides this as part of our Virtual CISO service.

Showing the Controls Are Working

On any SOC 2 compliance checklist, writing policies is the straightforward part. Showing that the controls are actually working is where teams usually get stuck.

CHECKLIST EXTRACT

Collect Evidence of Control Execution

Gather proof of antivirus coverage on all machines: Show that antivirus is installed, active, and updating at least daily on every in-scope device.

Pull recent account access reviews: Show that you’ve reviewed who has access to what across all core systems, and that you’ve removed access that’s no longer needed.

Provide backup logs and test results: Show the schedule, recent successful backups, and at least one recent restore test.

Prove administrative credentials are used only for admin tasks: Show that people with admin access use separate accounts for daily work.

The difference between a clean SOC 2 report and a qualified opinion often comes down to evidence. You can have well-written policies, but if you can’t produce a screenshot of your antivirus dashboard showing 100% coverage, or a log showing that a terminated employee lost access within 24 hours, the auditor has to note it as an exception.
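The 24-hour access-revocation evidence described here and the account access review item above both come down to comparing two exports: what HR says about who works here, and what the identity provider says about which accounts are enabled. The script below is an added illustration, not part of this checklist or of Adelia Risk’s material. The CSV column names, the sample rows, and the `KNOWN_SERVICE_ACCOUNTS` list are constructed assumptions; real HR and identity-provider exports will need their own column mapping.

```python
"""Access-revocation and access-review evidence check (added example).

Compares a constructed HR roster export with a constructed identity-provider
account export and reports the two things an auditor asks about first:
terminated employees whose account was disabled late (or never), and enabled
accounts with no HR record behind them. Column names are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports; real systems will use different columns.
HR_ROSTER = """employee_id,email,status,termination_date
1001,alice@example.com,active,
1002,bob@example.com,terminated,2025-03-03
1003,carol@example.com,terminated,2025-03-10
1004,dave@example.com,active,
1005,erin@example.com,terminated,2025-02-20
"""

IDP_ACCOUNTS = """email,enabled,disabled_at
alice@example.com,true,
bob@example.com,false,2025-03-03T17:45:00
carol@example.com,false,2025-03-14T09:00:00
dave@example.com,true,
erin@example.com,true,
contractor@example.com,true,
svc-backup@example.com,true,
"""

# The termination date is taken as the start of that day, so a 24-hour SLA
# means "disabled by the end of the last day of employment".
REVOCATION_SLA = timedelta(hours=24)

# Service accounts are reviewed on their own; list them explicitly (assumed).
KNOWN_SERVICE_ACCOUNTS = {"svc-backup@example.com"}


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def late_revocations(hr_rows, idp_rows, sla=REVOCATION_SLA):
    """Return (email, hours_late) for terminated employees whose account was
    disabled after the SLA; hours_late is None if the account is still enabled."""
    accounts = {row["email"]: row for row in idp_rows}
    findings = []
    for emp in hr_rows:
        if emp["status"] != "terminated":
            continue
        deadline = datetime.fromisoformat(emp["termination_date"]) + sla
        acct = accounts.get(emp["email"])
        if acct is None:
            continue  # no account in this system, so nothing to revoke here
        if acct["enabled"] == "true" or not acct["disabled_at"]:
            findings.append((emp["email"], None))  # never disabled: exception
            continue
        disabled = datetime.fromisoformat(acct["disabled_at"])
        if disabled > deadline:
            hours_late = (disabled - deadline).total_seconds() / 3600
            findings.append((emp["email"], round(hours_late, 1)))
    return findings


def orphaned_accounts(hr_rows, idp_rows, service_accounts=KNOWN_SERVICE_ACCOUNTS):
    """Return enabled accounts with no HR record at all and no documented
    service-account owner: the main thing a periodic access review should catch."""
    known_people = {row["email"] for row in hr_rows}
    return sorted(
        row["email"]
        for row in idp_rows
        if row["enabled"] == "true"
        and row["email"] not in known_people
        and row["email"] not in service_accounts
    )


def evidence_report(hr_text=HR_ROSTER, idp_text=IDP_ACCOUNTS):
    """Build the findings an auditor would expect to see tracked as exceptions."""
    hr_rows, idp_rows = parse_csv(hr_text), parse_csv(idp_text)
    return {
        "late_revocations": late_revocations(hr_rows, idp_rows),
        "orphaned_accounts": orphaned_accounts(hr_rows, idp_rows),
    }


if __name__ == "__main__":
    for section, items in evidence_report().items():
        print(f"{section}: {items or 'none'}")
```

Run on a schedule (monthly, or whatever your access review cadence is) and keep the dated output with the exports it was generated from; that pairing is the evidence, not the script. Any account that appears in the orphaned list should either be disabled or added to the documented service-account list with an owner.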

The organizations that tend to have the smoothest SOC 2 audits are not always the ones with the most sophisticated security. They are usually the ones that can find their evidence quickly when the auditor asks for it. We help clients build evidence collection into their day-to-day operations from the start, with a routine for things like access reviews, backup test records, and policy sign-offs. If you wait until the auditor asks for evidence to start gathering it, you are already on the back foot.

Getting Audit-Ready

CHECKLIST EXTRACT

Get Audit-Ready

Consider a readiness assessment before the formal audit: Think of it as a dry run. A consultant or your future auditor reviews your controls, flags gaps, and gives you time to fix them before the real audit.

Evaluate SOC 2 compliance software: Tools like Vanta, Drata, Secureframe, or Sprinto automate evidence collection, continuous monitoring, and policy management.

Choose your auditor (CPA firm): Only a licensed, independent CPA firm can issue a valid SOC 2 report. Interview 3 to 5 firms.

A SOC 2 readiness assessment is often one of the more useful steps in the process. You get a gap analysis before the formal audit, along with clearer feedback on where your controls need work. It is usually easier to fix those issues before the audit starts than after they show up in the report.

When choosing an auditor, ask how many SOC 2 audits they’ve completed in your industry, whether they write the System Description (Section 3 of the SOC 2 report) or you do, and how they handle minor control exceptions. Bring your auditor in early so that scope, documentation requirements, and evidence expectations are clear before the audit period starts. Waiting too long usually creates avoidable surprises.

Plan for a multi-year relationship with your CPA firm. The same auditor gets more efficient with each cycle because they already understand your environment and controls. SOC 2 reports are valid for 12 months, so this is an annual commitment. Building evidence collection into your daily operations now means renewal won’t be a scramble every year.

That said, consider changing audit firms every 3 to 5 years to get a fresh look at your systems and controls.

Where to Start When Everything Feels Urgent

Our SOC 2 audit checklist covers a lot of ground. Here’s how to break it into manageable phases:

Do Today

Identify your compliance lead, one person who owns this project across all departments

Pull your client contracts to confirm which Trust Services Criteria they actually require

Schedule a leadership meeting to confirm executive sponsorship and budget

Do This Week

Build your initial scope document listing which products, services, systems, and people are included

Start your technology inventory covering devices, software, and cloud services

Begin drafting your information security policies, starting with risk management and acceptable use

Do This Month

Complete your vendor inventory and start risk assessments for your most critical vendors

Set up security awareness training for all employees

Schedule a readiness assessment or begin conversations with 3 to 5 potential CPA firms

Evaluate SOC 2 compliance software platforms to help with evidence collection

When Outside Help Is Worth It

SOC 2 preparation is manageable for many small and midsized businesses, but it touches more departments and takes more coordination than most first-timers expect. If your team is stretched thin, if nobody owns security or compliance internally, or if you want experienced help getting through the first audit cycle, working with an advisor can save time and rework.

A Virtual CISO gives your company a dedicated cybersecurity advisor who has been through the SOC 2 process many times. Adelia Risk’s Virtual CISO service helps you define your scope, build your policies, prepare your evidence, and coordinate with your auditor so you can focus on running your business while the compliance work gets done right. If you’re also subject to HIPAA, CMMC, or ISO 27001, much of the SOC 2 preparation work carries over.

Want a second set of eyes on your SOC 2 compliance checklist, from scope through evidence collection? We’re happy to talk.


Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.
