Skip to main content

SOC 2 & ISO 27001 Evidence Readiness Checklist

A readiness pass for SOC 2 or ISO 27001 that maps controls to framework requirements and gathers operating evidence across access reviews, change management, vulnerability remediation, monitoring, and tested DR. It favors automated, continuous evidence over a pre-audit scramble.

Estimated Time
2-4 weeks
Type
security audit
Category
Compliance
Steps
13

When to Use This Checklist

Use this checklist when preparing for a SOC 2 Type II or ISO 27001 audit, or when building a continuous-compliance program in advance of one. Both frameworks assess whether security controls are not only designed but operating effectively over time. Auditors want evidence, so the work is as much about capturing proof as about implementing controls.

How to Use This Checklist

Start by mapping your existing controls to the framework's requirements: SOC 2 trust services criteria or ISO 27001 Annex A. This reveals gaps early. For each control, identify what evidence demonstrates it is operating, such as access-review records, approved pull requests, scan reports, or incident retrospectives. The recurring theme across both frameworks is access control and change management, so prioritize clean evidence there.

Wherever possible, automate evidence collection. Manual screenshot-gathering before an audit is error-prone and does not demonstrate that controls run continuously, which is exactly what a Type II audit assesses.

What Good Looks Like

Controls map cleanly to the framework, and each one has a steady stream of evidence rather than a last-minute scramble. Access follows least privilege, with documented periodic reviews and prompt deprovisioning of leavers. Every production change is reviewed and traceable. Vulnerabilities are scanned and remediated within a stated SLA, and security events are logged, monitored, and alerted on. The incident-response plan has been exercised, backups are tested, data is encrypted with managed keys, and all policies are formally approved, versioned, and regularly reviewed. Evidence collection is automated, so compliance is a continuous state, not an annual event.

Common Pitfalls

The classic pitfall is treating compliance as a point-in-time scramble, gathering screenshots days before the audit. This fails Type II audits, which examine whether controls operated throughout the period. Another is having policies on paper that do not match reality, such as an access-review policy with no evidence reviews happened. Incomplete deprovisioning, untested backups, and incident plans that were written but never exercised are common findings. Manual, ad-hoc evidence collection is itself a weakness auditors note.

Related Resources

Align controls with SOC 2 and ISO 27001 control sets, and use NIST CSF 2.0, NIST SP 800-53, and CIS Controls v8 as a practical control catalogue. Least privilege and a tested incident-management process underpin the most frequently examined criteria.