ComplianceKit

Evidence Checklist

60 evidence items SOC 2 auditors request, organized by Trust Service Criteria

Progress: 7 complete, 5 in progress, 48 not started (7 of 60).
#01 Risk Assessment (Security)

Formal risk assessment document identifying threats, vulnerabilities, and mitigations

#02 Security Policies Inventory (Security)

Complete set of approved, signed security policies

#03 Organizational Chart (Security)

Current org chart showing security roles and reporting lines

#04 Background Check Procedures (Security)

Documentation of employee background check process

#05 Security Awareness Training Records (Security)

Evidence that employees completed security training

#06 Penetration Test Report (Security)

Most recent third-party penetration test report

#07 Vulnerability Scan Results (Security)

Output from automated vulnerability scanning tool

#08 Firewall/Security Group Rules (Security)

Documentation of network access controls

#09 Encryption Key Management Procedures (Security)

Documentation of how encryption keys are managed

#10 Multi-Factor Authentication Evidence (Security)

Proof that MFA is enforced for all users
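One way to produce item #10's evidence from an export rather than a console screenshot. This is an added example, not part of ComplianceKit: it parses a CSV in the column layout of an AWS IAM credential report (the rows are constructed and the column subset is an assumption; an identity provider's user export works the same way with different column names), returns the users who have console access but no active MFA, and builds a summary record to file next to the export.

```python
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an AWS IAM credential report.
# The column subset is an assumption for this example; the root user reports
# password_enabled=not_supported but always has console access.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T10:00:00+00:00,not_supported,2024-01-15T08:00:00+00:00,true,false
alice,arn:aws:iam::111122223333:user/alice,2022-05-10T09:00:00+00:00,true,2024-02-01T12:00:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-06-11T09:00:00+00:00,true,2024-02-02T12:00:00+00:00,false,false
carol,arn:aws:iam::111122223333:user/carol,2022-07-01T09:00:00+00:00,true,no_information,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-01-01T00:00:00+00:00,false,no_information,false,true
"""


def has_console_access(row):
    """True for any principal that can sign in interactively (password users and root)."""
    return row["password_enabled"] == "true" or row["user"] == "<root_account>"


def mfa_exceptions(report_csv):
    """Users with console access and no active MFA device: the list the auditor will ask about."""
    exceptions = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if has_console_access(row) and row["mfa_active"] != "true":
            exceptions.append({
                "user": row["user"],
                "arn": row["arn"],
                "last_console_login": row["password_last_used"],
            })
    return exceptions


def mfa_evidence(report_csv, source_description):
    """Summary to file with the export: counts, exceptions, hash of the export, generation time."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    console_users = [r for r in rows if has_console_access(r)]
    exceptions = mfa_exceptions(report_csv)
    return {
        "source": source_description,
        "export_sha256": hashlib.sha256(report_csv.encode()).hexdigest(),
        "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "console_users": len(console_users),
        "console_users_with_mfa": len(console_users) - len(exceptions),
        "api_only_users_excluded": len(rows) - len(console_users),
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(mfa_evidence(CREDENTIAL_REPORT, "constructed sample report"), indent=2))
```

Auditors ask about the exceptions, not the green count, so keep the returned list, the export hash, and a remediation ticket per name. A user with no recorded console login (carol in the sample) is usually an account to disable rather than to enrol. Users with only access keys are excluded on purpose: their controls are key rotation and scoping, which belong under other items.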

#11 Access Review Records (Security)

Completed quarterly access reviews

#12 Privileged Access List (Security)

Current list of users with privileged/admin access

#13 Offboarding Checklist (Security)

Completed offboarding checklists for departed employees
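Items #11 to #13 are usually evidenced together, by comparing three exports: the HR roster of active staff, the membership list the system owner approved, and the identity provider's current group membership. The following is an added example, not ComplianceKit's code, run on constructed data; the shapes of the three inputs are assumptions about what an HRIS and an identity provider export, and the group names are made up. It reports departed users still holding access (the offboarding gap), privileged membership with no documented approval, and approvals that no longer match reality, then writes a review record whose input hash ties the review to the exact exports examined.

```python
import hashlib
import json
from datetime import date

# Constructed inputs (assumed export shapes, not any particular product's).
HR_ACTIVE = {"alice", "bob", "dana"}                     # active employees per the HR system
APPROVED = {                                            # what the system owner signed off
    "prod-admins": {"alice"},
    "prod-readonly": {"bob", "dana", "frank"},
}
CURRENT_GROUPS = {                                      # today's identity-provider export
    "prod-admins": {"alice", "bob", "carol"},
    "prod-readonly": {"bob", "dana", "erin"},
}
PRIVILEGED_GROUPS = {"prod-admins"}                     # groups that count for item #12


def review_access(hr_active, approved, current, privileged=PRIVILEGED_GROUPS):
    """Return access drift: departed users, unapproved membership, stale approvals."""
    findings = []
    for group, members in current.items():
        for user in sorted(members):
            if user not in hr_active:
                findings.append({"user": user, "group": group,
                                 "issue": "not an active employee",
                                 "action": "remove; record as offboarding gap"})
            elif user not in approved.get(group, set()):
                severity = "high" if group in privileged else "medium"
                findings.append({"user": user, "group": group,
                                 "issue": "membership without documented approval",
                                 "action": f"owner to approve or remove ({severity})"})
    # Approvals that point at nobody are noise in the next review; flag them too.
    for group, members in approved.items():
        for user in sorted(members - current.get(group, set())):
            findings.append({"user": user, "group": group,
                             "issue": "approved but not present",
                             "action": "update the approval list"})
    return findings


def review_record(reviewer, findings, *inputs):
    """Evidence record: who reviewed which exports (by hash), when, and what was found."""
    digest = hashlib.sha256()
    for obj in inputs:
        digest.update(json.dumps(obj, sort_keys=True, default=sorted).encode())
    return {
        "reviewer": reviewer,
        "date": date.today().isoformat(),
        "inputs_sha256": digest.hexdigest(),
        "findings": findings,
        "status": "findings open" if findings else "no exceptions",
    }


if __name__ == "__main__":
    found = review_access(HR_ACTIVE, APPROVED, CURRENT_GROUPS)
    print(json.dumps(review_record("owner@example.com", found, HR_ACTIVE, APPROVED, CURRENT_GROUPS), indent=2))
```

Keep the three exports with the record; the hash only proves the review matched them if they are retained. The record closes once each finding has a ticket or an owner's written acceptance, and that closure is the quarterly artifact for item #11.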

#14 Vendor Security Assessments (Security)

Security questionnaires or assessments for key vendors

#15 Third-Party Service Provider List (Security)

Inventory of all vendors with access to your systems or data

#16 Incident Response Plan (Security)

Documented and tested incident response procedures

#17 Incident Log (Security)

Record of security incidents during the audit period

#18 Change Management Records (Security)

Evidence of change management process for system changes

#19 SDLC Documentation (Security)

Description of your software development lifecycle

#20 Code Review Evidence (Security)

Evidence that code reviews are performed

#21 System Architecture Diagram (Availability)

Current architecture diagram of production systems

#22 Uptime/SLA Records (Availability)

Historical uptime metrics for the audit period

#23 Monitoring Alerts Configuration (Availability)

Evidence of uptime and performance monitoring

#24 Backup Procedures (Availability)

Documentation of backup configuration and testing

#25 Disaster Recovery Plan (Availability)

Documented DR procedures with RTO/RPO targets

#26 DR Test Results (Availability)

Evidence of disaster recovery testing

#27 Capacity Planning Documentation (Availability)

Evidence of capacity monitoring and planning

#28 Incident Notifications to Customers (Availability)

Records of customer notifications during outages

#29 Business Continuity Plan (Availability)

BCP covering non-technical continuity scenarios

#30 Load Testing Results (Availability)

Evidence of performance testing under load

#31 Data Classification Inventory (Confidentiality)

Inventory of all data types and their classification level

#32 Data Flow Diagram (Confidentiality)

Diagram showing how customer data flows through your systems

#33 Encryption in Transit Evidence (Confidentiality)

Proof that all data transmission is encrypted

#34 Encryption at Rest Evidence (Confidentiality)

Proof that stored data is encrypted

#35 Data Retention Schedule (Confidentiality)

Documented data retention and deletion policies

#36 NDA Templates (Confidentiality)

Standard NDA for employees and contractors

#37 Customer Data Agreement (Confidentiality)

Data processing agreement (DPA) with customers

#38 Privacy Policy (Confidentiality)

Public-facing privacy policy

#39 Data Deletion Procedures (Confidentiality)

Process for responding to data deletion requests

#40 Production Database Access Controls (Confidentiality)

Evidence limiting who can access production data

#41 Asset Inventory (Security)

Complete inventory of hardware and software assets

#42 Endpoint Protection Evidence (Security)

Proof that all endpoints have security software installed

#43 Password Manager Policy Evidence (Security)

Evidence of password manager usage

#44 Software Inventory (Security)

Inventory of approved software and applications

#45 Network Segmentation Documentation (Security)

Evidence of network segmentation in the cloud environment

#46 Security Logging Configuration (Security)

Evidence that security events are logged

#47 Log Review Procedures (Security)

Evidence of regular log review
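Items #46 and #47 need more than "logging is enabled": the auditor wants to see that someone looked at the logs on a schedule and what came of it. The following is an added example, not from ComplianceKit, that runs a small set of checks over constructed sshd/sudo auth log lines (ISO timestamps, message wording modelled on the usual Linux formats) and emits a review record carrying the window reviewed, a hash of the reviewed lines, and the findings. The failure threshold, the time window and the allow-list of known admin source addresses are assumptions.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log for this example.
AUTH_LOG = """\
2024-03-12T03:14:07Z web-1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-03-12T03:14:09Z web-1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
2024-03-12T03:14:12Z web-1 sshd[1203]: Failed password for root from 203.0.113.5 port 51251 ssh2
2024-03-12T03:14:15Z web-1 sshd[1204]: Failed password for root from 203.0.113.5 port 51260 ssh2
2024-03-12T03:14:18Z web-1 sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51270 ssh2
2024-03-12T03:14:21Z web-1 sshd[1206]: Failed password for invalid user oracle from 203.0.113.5 port 51281 ssh2
2024-03-12T09:02:44Z web-1 sshd[2310]: Failed password for alice from 198.51.100.7 port 40122 ssh2
2024-03-12T09:02:51Z web-1 sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2
2024-03-12T09:03:10Z web-1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
2024-03-12T17:45:02Z web-1 sshd[4410]: Accepted password for bob from 192.0.2.44 port 33001 ssh2
"""

KNOWN_ADMIN_SOURCES = {"198.51.100.7"}  # assumption: the VPN egress admins connect from

FAILED_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"^(\S+) \S+ sudo: (\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def review_auth_log(text, known_sources=KNOWN_ADMIN_SOURCES, threshold=5, window=timedelta(minutes=10)):
    """Run the review checks and return findings in the order they were raised."""
    failed = defaultdict(list)  # source address -> timestamps of failed logins
    findings = []
    for line in text.splitlines():
        if m := FAILED_RE.match(line):
            failed[m.group(3)].append(_ts(m.group(1)))
        elif m := ACCEPTED_RE.match(line):
            if m.group(4) not in known_sources:
                findings.append({"type": "login_from_unknown_source", "user": m.group(3),
                                 "source": m.group(4), "method": m.group(2), "at": m.group(1)})
        elif m := SUDO_RE.match(line):
            if m.group(3) == "root":
                findings.append({"type": "privilege_escalation", "user": m.group(2),
                                 "command": m.group(4), "at": m.group(1)})
    # Brute force: `threshold` failures from one source inside `window`.
    for source, times in failed.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append({"type": "brute_force", "source": source,
                                 "failures": len(times), "first": times[i].isoformat()})
                break
    return findings


def review_record(text, reviewer, findings):
    """Evidence that this exact slice of log was reviewed, by whom, and what was found."""
    lines = [l for l in text.splitlines() if l.strip()]
    stamps = [l.split(" ", 1)[0] for l in lines]
    return {
        "reviewer": reviewer,
        "window": {"from": min(stamps), "to": max(stamps)},
        "lines_reviewed": len(lines),
        "sha256": hashlib.sha256(text.encode()).hexdigest(),
        "findings": findings,
    }


if __name__ == "__main__":
    import json
    found = review_auth_log(AUTH_LOG)
    print(json.dumps(review_record(AUTH_LOG, "secops@example.com", found), indent=2))
```

The hash is what makes the record usable as evidence: it lets the auditor confirm the archived log slice is the one that was reviewed. The checks here are deliberately plain so that the review procedure document (#47) can state exactly what is looked for; a SIEM rule set does the same job at scale, and its rule export plus alert history is then the evidence for #46.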

#48 Patch Management Records (Security)

Evidence of timely system patching

#49 Security Configuration Standards (Security)

Baseline security configurations for systems

#50 Penetration Testing Remediation (Security)

Evidence of remediating pen test findings

#51 Security Metrics Dashboard (Security)

Regular security metrics reporting to leadership

#52 Acceptable Use Policy Acknowledgements (Security)

Signed acknowledgements of AUP from all employees

#53 Security Committee Meeting Minutes (Security)

Records of security review meetings

#54 Physical Security Evidence (Security)

Controls for physical access to offices and equipment

#55 Clean Desk Policy Evidence (Security)

Evidence of clean desk/clear screen practices

#56 Data Validation Controls (Processing Integrity)

Evidence of input validation and data integrity checks

#57 Production Change Approval Records (Processing Integrity)

Evidence that production changes are approved

#58 Error Handling Documentation (Processing Integrity)

Evidence of proper error handling and notification

#59 Data Quality Checks (Processing Integrity)

Evidence of data quality monitoring

#60 API Security Controls (Processing Integrity)

Evidence of API authentication and authorization