
SOC 2 Readiness: A Practical Checklist for First-Time Audits

Control mapping, evidence collection, and common gaps to address before your first SOC 2 audit. Trust service criteria, ownership, and how to avoid last-minute scrambles.
Before the audit

Map your controls to the Trust Services Criteria (security is required; availability, confidentiality, processing integrity, and privacy are optional). Assign owners, define evidence sources (tickets, configs, logs, policies), and agree on a change freeze window if needed.

Evidence that auditors expect

- Access: Joiner/mover/leaver process, periodic access reviews, MFA coverage for critical systems.
- Change management: Approvals, testing notes, and deployment records for production changes.
- Monitoring & incidents: Alerting coverage, incident tickets, post-incident summaries, and remediation tracking.
- Vendors: Risk tiers, due diligence, and contracts for subprocessors that touch customer data.

Common gaps

Undocumented exceptions, screenshots instead of system-generated evidence, and policies that are not acknowledged or enforced. Close these early: retrofitting evidence in the last two weeks before fieldwork is painful and risky.
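The access-review and MFA-coverage items above are the ones most often backed by screenshots. The script below is an added example, not code from the original post: it produces system-generated access-review evidence by joining an identity-provider user export against the HR roster, flagging leavers whose accounts are still active and in-scope accounts without MFA, and recording a SHA-256 digest of each input so the report can be tied to the exact export it was derived from. The sample data is constructed inline, and the field names (`username`, `mfa_enrolled`, `groups`, `employment_status`) are assumptions rather than any vendor's schema; map them to whatever your IdP and HRIS actually export.

```python
"""Generate system-derived access-review evidence from an IdP export and an HR roster.

Added example (not from the blog post). Inputs are constructed inline; in practice
you would load the IdP user export and the HR roster from files or APIs. The field
names used here are assumptions, not any vendor's real schema.
"""
import hashlib
import json

# Constructed sample IdP export: one record per account.
IDP_EXPORT = [
    {"username": "alice", "status": "ACTIVE", "mfa_enrolled": True, "groups": ["prod-admins", "eng"]},
    {"username": "bob", "status": "ACTIVE", "mfa_enrolled": False, "groups": ["prod-admins"]},
    {"username": "carol", "status": "ACTIVE", "mfa_enrolled": True, "groups": ["eng"]},
    {"username": "dave", "status": "ACTIVE", "mfa_enrolled": True, "groups": ["billing-db"]},
    {"username": "erin", "status": "ACTIVE", "mfa_enrolled": False, "groups": ["eng"]},
    {"username": "svc-deploy", "status": "ACTIVE", "mfa_enrolled": False, "groups": ["prod-admins"]},
]

# Constructed HR roster: the authoritative list of who should still have access.
HR_ROSTER = [
    {"username": "alice", "employment_status": "active"},
    {"username": "bob", "employment_status": "active"},
    {"username": "carol", "employment_status": "terminated", "termination_date": "2024-03-01"},
    {"username": "dave", "employment_status": "active"},
    {"username": "erin", "employment_status": "active"},
]

# Groups that grant access to in-scope ("critical") systems, and the approved
# non-human accounts that are exempt from the HR-roster check (assumed names).
CRITICAL_GROUPS = {"prod-admins", "billing-db"}
APPROVED_SERVICE_ACCOUNTS = {"svc-deploy"}


def _digest(records):
    """Stable SHA-256 over the input so the report can be tied to the exact export."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def run_access_review(idp_export, hr_roster, critical_groups, service_accounts, review_date):
    """Return a structured review whose findings trace back to the source records."""
    hr_by_user = {r["username"]: r for r in hr_roster}
    findings = []
    critical_accounts = 0
    critical_with_mfa = 0

    for acct in idp_export:
        if acct["status"] != "ACTIVE":
            continue  # disabled accounts are out of scope for this review
        user = acct["username"]
        critical_membership = sorted(set(acct["groups"]) & critical_groups)
        hr = hr_by_user.get(user)

        # Leaver check: an active account must map to an active HR record,
        # unless it is an approved service account.
        if user not in service_accounts:
            if hr is None:
                findings.append({"username": user, "type": "no_hr_record",
                                 "groups": acct["groups"]})
            elif hr["employment_status"] != "active":
                findings.append({"username": user, "type": "terminated_still_active",
                                 "termination_date": hr.get("termination_date"),
                                 "groups": acct["groups"]})

        # MFA coverage for critical systems. Service accounts are counted too:
        # each one without MFA needs a documented compensating control.
        if critical_membership:
            critical_accounts += 1
            if acct["mfa_enrolled"]:
                critical_with_mfa += 1
            else:
                findings.append({"username": user, "type": "critical_access_without_mfa",
                                 "groups": critical_membership})

    coverage = round(100 * critical_with_mfa / critical_accounts, 1) if critical_accounts else 100.0
    return {
        "review_date": review_date,
        "source_digests": {"idp_export": _digest(idp_export), "hr_roster": _digest(hr_roster)},
        "critical_accounts": critical_accounts,
        "critical_mfa_coverage_pct": coverage,
        "findings": findings,
    }


if __name__ == "__main__":
    report = run_access_review(IDP_EXPORT, HR_ROSTER, CRITICAL_GROUPS,
                               APPROVED_SERVICE_ACCOUNTS, "2024-06-30")
    print(json.dumps(report, indent=2))
```

Run it on a schedule, commit the JSON output (or attach it to the review ticket) together with the reviewer's sign-off, and keep the raw exports the digests refer to. That gives the auditor a reproducible artifact instead of a screenshot, and the findings list doubles as the remediation tracker for the leaver and MFA gaps.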