Use this to organize evidence and activities for SOC 2 Type 1/2.
- Information Security Policy reviewed annually
- Access Control, Vendor Risk, Vulnerability Management Policies
- Roles and responsibilities defined (RACI)
- Documented risk assessment (inherent, residual, owner, due date)
- Centralized risk register and review cadence
- Executive/Board summary of top risks
- SSO enforced and MFA for privileged accounts
- Quarterly access reviews for critical systems
- Joiner/Mover/Leaver workflow with timely deprovisioning
- Code reviews and CI/CD checks
- Security testing integrated (SAST/DAST/dependency)
- Separation of duties for prod changes
- Vulnerability scans; SLA-based remediation
- Central logging/monitoring; alert triage runbooks
- Annual pen test and tracked remediation
- Backups tested
- DR plan with RTO/RPO and test results
- Data inventory and retention schedule
- Encryption in transit/at rest; key management
- DPIAs/PIAs where applicable
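The access-control items above (quarterly access reviews and the Joiner/Mover/Leaver workflow) are the ones an auditor most often asks to see evidenced with data rather than a policy PDF. The following is an added example, not part of the checklist, showing how to turn an HR leaver list and an identity-system account export into an exceptions report. The one-business-day deprovisioning SLA, the field names, and all sample records are assumptions constructed for the example; substitute your own SLA and exports.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional
import csv
import io

# Assumed SLA: accounts must be disabled within one day of the leaver's last day.
# This value is an assumption for the example, not a SOC 2 requirement.
DEPROVISION_SLA_DAYS = 1


@dataclass(frozen=True)
class Leaver:
    user: str
    last_day: date  # from the HR termination report


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    active: bool
    disabled_on: Optional[date]  # None while the account is still active


# Constructed sample data (not real people, systems, or records).
LEAVERS = [
    Leaver("alice", date(2024, 3, 1)),
    Leaver("bob", date(2024, 3, 5)),
    Leaver("carol", date(2024, 3, 10)),
]
ACCOUNTS = [
    Account("alice", "idp", False, date(2024, 3, 1)),
    Account("alice", "cloud", False, date(2024, 3, 4)),  # disabled two days past SLA
    Account("bob", "idp", True, None),                   # never deprovisioned
    Account("bob", "scm", False, date(2024, 3, 6)),      # exactly on the SLA deadline
    Account("carol", "idp", False, date(2024, 3, 10)),
    Account("dave", "idp", True, None),                  # current employee, not a leaver
]


def deprovisioning_exceptions(leavers: List[Leaver], accounts: List[Account],
                              as_of: date,
                              sla_days: int = DEPROVISION_SLA_DAYS) -> List[Dict]:
    """Return one finding per leaver account that was disabled late or is still active.

    Accounts belonging to users not on the leaver list are ignored, so the
    report only measures the Leaver leg of the JML workflow.
    """
    deadline_by_user = {lv.user: lv.last_day + timedelta(days=sla_days) for lv in leavers}
    findings = []
    for acct in accounts:
        deadline = deadline_by_user.get(acct.user)
        if deadline is None:
            continue  # not a leaver
        if acct.active:
            # Still enabled: only a finding once the deadline has actually passed.
            if as_of > deadline:
                findings.append({"user": acct.user, "system": acct.system,
                                 "status": "still_active",
                                 "days_over_sla": (as_of - deadline).days})
        elif acct.disabled_on is not None and acct.disabled_on > deadline:
            findings.append({"user": acct.user, "system": acct.system,
                             "status": "disabled_late",
                             "days_over_sla": (acct.disabled_on - deadline).days})
    return sorted(findings, key=lambda f: (f["user"], f["system"]))


def compliance_rate(leavers: List[Leaver], accounts: List[Account], as_of: date) -> float:
    """Share of leaver accounts deprovisioned within SLA; a metric for the quarterly review."""
    leaver_users = {lv.user for lv in leavers}
    in_scope = [a for a in accounts if a.user in leaver_users]
    if not in_scope:
        return 1.0
    exceptions = deprovisioning_exceptions(leavers, accounts, as_of)
    return 1 - len(exceptions) / len(in_scope)


def exceptions_csv(findings: List[Dict]) -> str:
    """Render the findings as CSV, the form that is easiest to attach as audit evidence."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["user", "system", "status", "days_over_sla"])
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


if __name__ == "__main__":
    review_date = date(2024, 3, 31)
    report = deprovisioning_exceptions(LEAVERS, ACCOUNTS, review_date)
    print(exceptions_csv(report))
    print(f"compliance rate: {compliance_rate(LEAVERS, ACCOUNTS, review_date):.0%}")
```

Run it at the end of each review period against fresh HR and identity exports and keep the CSV with the ticket that closed each exception; the pair of artifacts (the report plus the remediation ticket) is what the "Exportable proofs" line below refers to for this control.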
Exportable proofs: policy PDFs, screenshots, tickets, reports, minutes, pen test results.