📄 Template

SOC 2 Compliance Checklist

151 controls mapped to AICPA Trust Services Criteria with evidence collection guidance.

$79
🔒 Secure Checkout 📬 Emailed Access Link 📝 Fully Editable ✅ 30-Day Money-Back Guarantee

Delivered immediately after checkout — your template and guide links are emailed to you with your receipt.

Used by compliance teams at banks, fintechs, and asset managers

Quick buying summary

What you get and when you can use it

Good fit if: You're doing your first SOC 2 audit and don't know what evidence the auditor will actually ask for.

Format: Editable workbook plus PDF/supporting guide materials where included. Instant download after checkout.

Time to value: Start reviewing, editing, and assigning owners the same day; customize to your organization before sharing outputs externally.

After purchase: After checkout, your templates and guides are available immediately and the download link is sent to your email with your Stripe receipt. No account required.

What's included

  • 151 controls across all 5 TSC categories
  • Evidence collection guidance
  • Observation period tracker
  • Gap assessment framework
  • SOC 2 audit process guide
  • 90-day readiness plan

Use rights: customize for internal business use and use outputs with your auditors, customers, bank partners, and regulators. Do not resell or redistribute the template files.

Preview

See what the template covers

5 SOC 2 Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, Privacy

Type 1 vs Type 2 comparison — timeline, cost, and readiness differences for each

12-month SOC 2 preparation roadmap — Month-by-month phases from gap assessment through audit

30-Day Money-Back Guarantee

If this template doesn't meet your expectations, email us within 30 days for a full refund. No questions asked.

Usage, access, and purchase details

Can my team customize it?

Yes. The template is intended to be edited for your internal business use and adapted to your controls, owners, products, vendors, and evidence.

Can I share outputs externally?

Yes. You can use completed outputs with auditors, customers, bank partners, regulators, and internal stakeholders. Do not resell or redistribute the source template files.

How do I receive it?

Checkout is handled through Stripe. After purchase, you receive the template and guide download link immediately on the confirmation page and by email, along with your Stripe receipt. No account is required.

What if it is not a fit?

Email within 30 days for a refund. The guarantee is meant to remove purchase risk while you evaluate whether the template fits your use case.

Frequently Asked Questions

How are the 151 controls distributed across the 5 Trust Services Criteria?

The distribution follows AICPA weighting: Security (CC-series) has the largest block (~80 controls) covering logical access, change management, risk assessment, and monitoring. Availability covers system performance and redundancy. Processing Integrity covers accuracy and completeness. Confidentiality covers data classification and protection. Privacy covers personal information handling and GDPR/CCPA alignment. You can filter by TSC category in the Excel template.

What does the evidence collection guidance tell me for each control?

For every one of the 151 controls, the guidance specifies: the exact artifact type an auditor will request (screenshot, policy document, log export, configuration file), where to find it in common tech stacks (AWS, GCP, Azure, Okta, GitHub), what "good" evidence looks like vs. what gets flagged as insufficient, and the retention period for each evidence type. This is the part that saves you the most time in audit prep.

What's in the 90-day readiness plan?

The 90-day plan divides readiness into 3 phases: Month 1 — complete the gap assessment and score each TSC category; Month 2 — remediate high-gap areas, implement missing controls, and begin evidence collection; Month 3 — conduct internal readiness review, finalize evidence package, and engage auditor for Type 1. The plan includes weekly milestones and a responsibility matrix.

What's the difference between Type 1 and Type 2, and which does this kit support?

Type 1 is a point-in-time assessment of whether controls are designed correctly. Type 2 covers a 6–12 month observation period testing whether controls operated effectively. This kit supports both — the gap assessment and 90-day readiness plan prepare you for Type 1, while the observation period tracker and evidence collection templates support the Type 2 observation period.

Do I need to scope for all 5 Trust Services Criteria?

No — Security (CC-series) is the only required category. Availability, Processing Integrity, Confidentiality, and Privacy are optional add-ons. The gap assessment framework includes a scoping section that helps you decide which optional categories to include based on your customer contracts and business requirements. Most first-time SOC 2 reports cover Security only.

Can engineering teams use this without compliance support?

Yes — the kit is specifically designed for engineering and compliance teams working together on their first engagement. The evidence collection guidance is written in technical language where appropriate, with specific instructions for collecting evidence from AWS, GCP, Azure, and common SaaS tools. Engineering leads can own the technical controls collection while compliance owns the policy and governance controls.
