SOC 2 audit evidence - preparation guide

New hire access approval

New user access privileges to critical systems are approved by management prior to provisioning.

Approval form signed by authorized personnel and/or system logs showing access granted.

CC6.2, CC6.3

Terminated employee access removal

A defined terminations process is followed including revocation of user access from systems in a timely manner.

Documentation of termination notice, system logs showing access revoked, and confirmation emails.

CC6.2, CC6.3, CC6.5, C1.2

Periodic user access reviews

User access reviews are performed at least quarterly to confirm user access to in-scope systems is appropriate.

Review reports, sign-off by reviewer, and evidence of action taken on anomalies (if required).

CC6.3, CC6.5

Role-based access control

An assessment of functional roles and system access privileges has been completed to identify the requirements for the segregation of duties.

Screen captures of system settings and documentation of approval process by stakeholders.

CC6.1, CC6.3, C1.1

Multi-factor authentication

Multi-factor authentication or equivalent is applied across in-scope systems.

List of privileged users, comparison to approval records, and evidence of removed or modified access.

CC6.1, CC6.6

User listings showing unique IDs

User access accounts to the network, infrastructure, and systems holding customer data are assigned to individual users.

User access request forms, system logs showing the assignment of access to individual users, and evidence of periodic reviews of user access privileges.

CC6.1, CC6.2, CC6.3

Customer agreements

Customer commitments, requirements, and responsibilities are outlined and communicated through formal service terms.

Copies of signed service agreements, records of customer onboarding sessions, and documentation of service terms communicated via email or other formal channels.

CC2.3

Change management policy

Documented change control policies and procedures are in place to guide personnel in the change management process.

Copies of the change management policy, change request forms with approvals, and logs of changes tracked through a change management system.

CC8.1

Segregated change environments

Development and test environments are logically separated from the production environment.

Network architecture diagrams, access control lists for development, test, and production environments, and system configuration logs showing enforced separation.

CC8.1

System-enforced code reviews

Code developments require a system-enforced peer review prior to merging with the master code branch.

Code review logs, pull request histories from a version control system (e.g., Git), and documentation of peer review sign-offs.

CC8.1

System-enforced release approval

Change releases require a system-enforced review and approval prior to deployment.

Change request forms with documented approvals, deployment logs showing approval timestamps, and system logs enforcing the change management workflow.

CC8.1

Testing of changes

System changes are tested based on the type of change prior to implementation.

Test plans and results, approval of testing outcomes, and records showing different levels of testing (e.g., unit, integration, user acceptance) based on the nature of the change.

CC8.1

Code of conduct

The code of conduct is documented to communicate conduct standards and enforcement procedures.

Copies of the code of conduct, training attendance records, acknowledgment forms signed by employees, and disciplinary action logs for violations.

CC1.1, CC1.4, CC1.5

Data handling policies

The requirements for managing data are established in the data classification, handling, retention and disposal policies.

Data classification policy documents, records of employee training on data handling policies, and logs or reports showing adherence to retention and disposal schedules.

C1.1

Register of confidential data

A register of the types and sources of confidential data collected and processed is maintained to track assets and storage locations of confidential data.

Confidential data register, data flow diagrams indicating data sources and storage locations, and audit logs tracking data collection and storage.

C1.1

Retention period of data

The retention period of confidential data is classified based on the purpose and type of data and location the data is stored.

Data retention policy, retention schedule for various data types, and system configurations enforcing retention periods.

C1.2

System boundaries for data protection

Confidential data is maintained within the system boundaries at all times where security controls are applied to restrict access to authorized individuals.

System access logs showing restricted access to confidential data, security policy documents, and role-based access control (RBAC) configuration files.

C1.1

Vulnerability scans

Vulnerability scans are performed at least quarterly.

Quarterly vulnerability scan reports, records of scan scheduling and execution, and logs showing remediation of identified vulnerabilities.

CC4.1, CC4.2, CC5.2, CC6.6, CC6.8, CC7.1

Penetration testing

Independent penetration testing is conducted annually.

Penetration test reports, engagement contracts with third-party security firms, and documentation of remediation actions based on penetration test findings.

CC4.1, CC4.2, CC5.2, CC6.6, CC6.8, CC7.1

Resolution of vulnerabilities

Vulnerabilities identified from the penetration tests, vulnerability scans, and any other sources, are centrally logged, classified and followed through to resolution in a timely manner based on their severity.

Vulnerability management logs, classification of vulnerabilities based on risk, and records of vulnerability resolution with time stamps.

CC7.2, CC7.3, CC7.5, CC7.1

Firewalls at access points

Firewalls are used at external points of connectivity to the infrastructure and network.

Network architecture diagrams showing firewall placements, firewall configuration logs, and reports of firewall rule changes and updates.

CC6.6

Antivirus installed on devices

Anti-virus software is installed to protect company devices.

Anti-virus software installation logs, update logs showing that the software is current, and reports of any detected malware or security threats.

CC6.8

Systematically enforced endpoint device restrictions

Systematically applied security restrictions are used to protect against malicious software and data leakage.

Security policies defining restrictions, system configurations enforcing security policies, and logs of security events related to malware or data leakage.

CC6.6, CC6.7, CC6.8

Encryption of data-at-rest

Data at rest in the production database(s) is automatically encrypted.

Database encryption policy, encryption configuration settings, and audit logs showing the encryption status of production databases.

CC6.1, CC6.7

Encryption of data-in-transit

Data in transit to the infrastructure is automatically encrypted.

Network configuration settings showing encryption protocols (e.g., TLS, VPN), encryption certificates, and logs confirming data in transit is encrypted.

CC6.6, CC6.7

Network monitoring alerts

Automated alerts and log reviews are used to identify and respond to suspicious network activity.

Logs of automated alerts, incident response reports triggered by suspicious activities, and configuration settings of the alerting system (e.g., SIEM logs).

CC6.8, CC7.1, CC7.2

New hire background checks

Background checks are completed for candidates prior to employment.

HR records showing background check results, confirmation of background checks completed before the employment start date, and vendor agreements for background check services.

CC1.1, CC1.4

Incident management policies

The incident management policies and procedures document the approach to identifying, reporting, evaluating, classifying and handling incidents.

Incident management policies, incident classification matrix, and documented procedures for incident reporting and escalation.

CC2.2, CC5.2, CC5.3

Incident tickets or records

Incident management processes are defined and followed for identification, assessment, classification, response, communications to interested parties, and resolution.

Incident response logs, post-incident reports, communication logs with stakeholders, and a classification report of incidents.

CC2.3, CC7.3, CC7.4, CC9.1, CC4.1

Incident response plans

Incident response plans are defined to provide guidelines for responding to major incidents including security breaches.

Incident response plan documentation, examples of past incident response actions, and approvals of the incident response plan.

CC2.2, CC2.3, CC7.3, CC7.4, CC7.5, CC9.1

Emergency Response Team

The established emergency response team is defined to respond to major adverse events in a timely manner.

Emergency response team rosters, communication logs from emergency response situations, and training records of emergency response personnel.

CC7.3, CC7.4

Annual review of incident response plans

The incident response plans are reviewed and updated at least annually to ensure they remain current and effective.

Documented annual review records of the incident response plan, change logs of updates made to the plans, and approval records of the updated plans.

CC7.5

Post-incident reviews

Root cause analysis is conducted on high-severity incidents to determine lessons learned and updates required to the incident response plans, as well as raise change requests for permanent fixes to prevent recurrence.

Root cause analysis reports, action items and lessons learned documents, and change requests raised as a result of root cause analysis.

CC2.2, CC2.3, CC4.2, CC7.3, CC7.4

Board of Directors meetings

Board of Directors meetings are held at least annually for organizational oversight and governance.

Board meeting minutes, agendas showing discussion points related to governance, and attendance records of Board members.

CC1.2

Resonsibilities of Board of Directors

The Board Charter sets out the responsibilities and scope of the Board of Directors.

Copy of the Board Charter, records of Board members signing acknowledgment of their responsibilities, and Board meeting materials referencing the Charter.

CC1.2

Board oversight of information security

The Board is responsible for oversight of the systems and data security with review at least annually.

Board meeting minutes showing discussions and decisions regarding system and data security, risk assessment reports presented to the Board, and annual review records of security policies.

CC1.2, CC4.2

Control framework responsibilities

Management are assigned ownership of ongoing monitoring of the effectiveness of controls and that key policy and process requirements are being adhered to.

Management responsibility matrices, monitoring logs showing ongoing review of controls, and periodic compliance reports submitted by management.

CC4.1,CC4.2

Annual review of policies

Key policies and processes are reviewed and updated at least annually to confirm their effectiveness, accuracy and compliance.

Policy review schedules, updated policy documents, sign-offs from policy owners, and records of changes made during the annual review process.

CC3.1, CC6.1, CC5.3

Log of control failures

Management tracks whether control failures, breaches of policies and procedures, customer complaints and other issues are assessed, tracked and monitored through to resolution, as applicable.

Incident tracking logs, root cause analysis reports, records of corrective actions, and audit trails showing the resolution of policy breaches and complaints.

CC4.2

Conduct Control Self-Assessments

The control framework is reviewed at least annually by the control owners to ensure the control descriptions and owners are accurate, and that the controls are operating effectively as described.

Control framework documentation, annual control review reports, control owner sign-offs, and records of testing control effectiveness.

CC2.1, CC4.1, CC5.1

Acceptable use policy

The acceptable use policy sets out the roles, responsibilities and requirements to maintain the security of systems, data and endpoint devices.

Acceptable use policy documents, employee acknowledgment records of the policy, and monitoring reports on policy adherence.

CC1.1, CC1.5, CC2.2, CC6.6, CC6.7, CC6.8, C1.1, C1.2

Information security policies

The security policies set out the requirements for managing information security across the organization's operations.

Security policy documents, risk assessments related to information security, and logs showing enforcement of security measures.

CC1.1, CC2.2, CC3.1, CC5.2, CC5.3, CC6.1

Vulnerability management policy

A vulnerability management program is defined and documented to assess and manage the technical security of systems including identification, prioritization and resolution of vulnerabilities.

Vulnerability scan reports, vulnerability management policies, logs of vulnerability remediation, and prioritization matrices for handling vulnerabilities.

CC2.3

Asset Management Policy

The asset management policy establishes the roles, responsibilities and requirements for managing critical information assets to protect their security, availability, and integrity.

Asset management policy, inventory of information assets, asset classification logs, and records of asset audits.

CC2.1, CC6.1, CC6.5

Access control policy

The access control policy sets out the required system access controls for secure authentication and account use.

Access control policy documents, system access logs, records of periodic access reviews, and user access request forms.

CC6.2, CC6.3

Password policy

The password policy sets out the requirements and guidelines for using secure and strong passwords.

Password policy documents, system configurations enforcing password complexity, and logs of password resets or updates.

CC6.1

Cryptography policy

The Cryptography Policy defines the required use of encryption and managing encryption keys to secure systems and data.

Cryptography policy documents, encryption key management logs, system settings showing encryption enabled, and audit logs showing the use of encryption.

CC2.1, CC5.2, CC6.8

Maintains Asset Inventory

An inventory of system assets and components is maintained to classify and manage the information assets.

Inventory records of system assets, asset classification and tagging reports, and logs of inventory audits or updates.

CC2.1, CC6.1, CC6.5

Operating system updates

A formal process is defined and followed to ensure operating system versions for devices are updated regularly.

Patch management policy, update logs showing OS versions and patch levels, and change management records documenting OS updates.

CC6.8

Data disposal requirements

The defined data disposal guidelines and requirements set out the process for ensuring data is erased prior to disposal of system assets.

Data disposal policy documents, certificates of data destruction, system logs showing data wipe activity, and third-party service provider contracts for secure disposal.

CC6.5, C1.2

Employee performance reviews

Employee performance reviews are conducted at least annually.

Performance review forms, employee acknowledgment of the review, schedules of annual performance reviews, and signed documentation of review discussions.

CC1.4, CC1.5

Employee security awareness training

Security awareness training is provided to employees.

Training materials, attendance records or certificates of completion for security awareness programs, and follow-up assessments or quizzes demonstrating understanding.

CC1.4, CC2.2, CC5.2, CC6.6, CC6.8

Risk Management Policy

Documented policies and procedures are in place to guide personnel when performing a risk assessment.

Risk assessment policy and procedure documents, records of completed risk assessments, and documented review of risk assessment outcomes.

CC3.1, CC3.2, CC3.3, CC3.4

Risk assessments

Risk assessments are completed at least annually to identify and analyze the risks and identify any required mitigation actions.

Annual risk assessment reports, risk registers, meeting minutes discussing identified risks, and documentation of mitigation strategies implemented.

CC3.2, CC3.3, CC3.4, CC5.1, CC5.2

Risk assessment of fraud

The risk assessment process considers the potential for fraud including malicious acts of employees or other users of the system.

Fraud risk assessment documents, internal audit reports on fraud prevention controls, fraud incident reports, fraud risk considered as part of the organization or department risk assessment.

CC3.3

Risk assessment of operating changes

The risk assessment process identifies and assesses changes that could significantly impact the system of internal control.

Risk assessment documents, change management logs, risk impact analysis reports, and documentation of control testing after significant changes.

CC3.4

Risk management strategies

Management develops risk mitigation strategies to address risks identified during the risk assessment process.

Risk mitigation plans, action items from risk assessment meetings, records of implemented controls or countermeasures, and progress tracking reports on mitigation efforts.

CC3.2, CC3.3,

CC5.1

System redundancy

The system is designed with multiple availability zones and redundancy to support continued availability in the event of a failure.

System architecture diagrams showing redundancy and availability zones, system failover tests, uptime monitoring reports, and service level agreements (SLAs) with cloud providers.

CC9.1, A1.1, A1.2

Backup configuration and schedule

Backups of the application and database are performed daily.

Backup logs showing successful daily backups, reports from backup software, and restoration tests confirming data recovery from backups.

CC7.5, CC9.1, A1.2, A1.3

Backup restoration tests

Backup and restoration tests are performed on at least an annual basis to ensure the recovery controls are effective.

Backup test logs, restoration test reports, and documentation showing recovery times and effectiveness of the restoration process.

CC4.1, CC5.2, CC5.3, CC9.1, A1.3

Business continuity plans

The business continuity plans document the scenarios, impacts, key stakeholders, response plans, escalation points and communication channels to effectively manage critical events.

Business continuity plan documents, scenario testing reports, records of stakeholder engagement meetings, and communication logs during BCP tests.

CC7.5, CC9.1

Disaster Recovery Plan

The Disaster Recovery Plan includes defined procedures to recover from significant events, and is reviewed and updated at least annually.

Disaster recovery plan documents, annual review logs, test results from disaster recovery drills, and updated versions of the DR plan showing changes.

CC7.5, CC9.1, A1.2

Cyber liability insurance

The organization has purchased insurance to offset or compensate for the financial loss of an adverse event with the services.

Insurance policy documents, coverage summaries, and communication with insurance providers confirming coverage for adverse events.

CC9.1

Backup policy

The backup policy establishes the requirements for backups and recoverability.

Backup policy documents, logs showing adherence to backup frequency requirements, and audit trails of data restoration testing in compliance with the policy.

CC9.1, A1.2

Load balancer

A load balancer is used to automatically distribute traffic across multiple availability zones.

Load balancer configuration settings, system architecture diagrams showing the use of load balancers, traffic distribution logs, and uptime monitoring reports confirming balanced traffic.

A1.1

Annual BCP testing

The business continuity plan is tested at least annually to ensure the response plans to critical events are effective.

Test results of business continuity plan drills, meeting minutes discussing test outcomes, improvement plans based on test findings, and documentation of the annual review.

CC5.2, CC9.1, A1.2, A1.3

Organization chart

The organization chart documents the reporting lines, accountable executives, team and individual roles, and is updated whenever there are changes in personnel.

Updated organization chart, records of changes made to roles and reporting lines, approval records of the updated chart, and employee onboarding or offboarding records.

CC1.3, CC1.5, CC3.4

Employee job descriptions

Job descriptions are documented for employees and management setting out the responsibilities, role requirements, and any key accountabilities.

Job description documents, acknowledgment forms signed by employees, role definition approvals by HR or management, and performance review records linked to role requirements.

CC1.3

Documented policies with responsibilities

The documented policies and procedures establish roles, responsibilities, and area accountabilities.

Policy and procedure documents, role and responsibility matrices, acknowledgment forms from employees, and documentation of policy training sessions.

CC1.3, CC2.2, CC3.1, CC5.3,

CC5.2, CC1.4

Responsibilities for information security and privacy

The responsibilities for information security and privacy are established, documented and communicated to employees.

Information security and privacy policy documents, employee training records, signed acknowledgment forms, and security-related communications (e.g., email updates, posters).

CC1.3, CC1.5

New hire employment contracts

Employment contracts are formed with employees.

Signed employment contracts, offer letters, records of employee onboarding, and legal reviews of employment contracts for compliance.

C1.1

System monitoring tools

Monitoring tools are used to identify and evaluate system performance, capacity, availability, and security-related indicators.

Monitoring tool configuration settings, performance logs, capacity usage reports, security alert logs, and incident response records based on monitoring data.

CC7.2, A1.2

Auto-scaling configuration

Processing capacity is configured to auto-scale to meet processing demand.

System configuration showing auto-scaling settings, logs of processing capacity adjustments during peak demand, and reports on the effectiveness of auto-scaling.

A1.1

Version control software

Version control software is used to track changes to the source code and provide rollback capability if required.

Version control logs (e.g., Git), change request forms, rollback event logs, and code review documentation within the version control system.

CC7.1, CC8.1

Annual vendor risk assessment

An annual vendor risk assessment is completed to ensure the identification and treatment of risks remains accurate and appropriate.

Vendor risk assessment reports, vendor risk rating logs, meeting minutes discussing vendor risks, and action plans or mitigation strategies for high-risk vendors.

CC3.2, CC4.1, CC9.2

Vendor management policy

Management has defined a third-party vendor risk management approach for evaluating third-party risks.

Third-party vendor risk management policy, vendor risk assessment criteria, vendor contracts reviewed for compliance, and audit reports on third-party risk evaluations.

CC2.3, CC3.2, CC3.4, CC9.2

Vendor agreements

The entity's third-party agreements outline and communicate; the scope of services, roles and responsibilities, terms of the business relationship, communication protocols, compliance requirements, service levels and just cause for terminating the relationship.

Signed third-party agreements, service level agreements (SLAs), compliance requirement clauses within contracts, and records of vendor performance reviews.

CC2.3, CC3.2, CC9.2