SOC 2 Evidence Checklist (Type II)
Exactly what a SOC 2 auditor asks for, organized by the nine Common Criteria. Work through it to prep your audit — or let CATAAM collect most of it automatically and continuously.
CC1 — Control Environment
- Code of conduct / ethics policy (signed by all employees)
- Org chart showing security governance and CISO reporting lines
- Defined security roles & responsibilities (RACI or job descriptions)
- Security training & awareness completion records (annual)
CC2 — Communication & Information
- Information security policy (distributed, dated)
- Acceptable use policy
- Publicly posted privacy & responsible-disclosure policies
- Incident notification procedure (customer-breach SLA)
CC3 — Risk Assessment
- Risk assessment methodology document
- Current risk register (dated within the audit period)
- Threat & vulnerability register; asset inventory linked to risk
- Risk scoring (likelihood × impact) and treatment decisions
CC4 — Monitoring Activities
- Internal audit / control-testing schedule and results
- Management review meeting minutes (security topics)
- Deficiency tracking log + remediation evidence for prior findings
CC5 — Control Activities
- Change management policy
- SDLC policy with security requirements
- Code review records (PR approval logs)
- Static analysis / SAST scan results from the audit period
CC6 — Logical & Physical Access
- Access control policy + list of privileged accounts
- MFA enforcement evidence (IdP policy screenshot, e.g. Okta / Azure AD)
- Onboarding/offboarding procedure; deprovisioning within SLA
- Quarterly access reviews; least-privilege / RBAC documentation
- Encryption at rest & in transit (RDS, S3, TLS on all endpoints)
- Vulnerability scan results (≥ quarterly) + remediation within SLA
CC7 — System Operations
- Security monitoring / SIEM documentation + alert rules
- Log retention policy (≥ 1 year) + central log forwarding
- Incident response plan, tested via tabletop during the period
- Incident log + root-cause analysis + lessons-learned applied
CC8 — Change Management
- Change management policy with approval gates
- Sample change tickets showing review & authorization
- Separation of duties between development and deployment
- Rollback / backout procedures
CC9 — Risk Mitigation
- Vendor / third-party risk assessment process + records
- Business continuity & disaster recovery plans (tested)
- Cyber-insurance documentation (if applicable)
Abbreviated from CATAAM's open-source SOC 2 Type II checklist. Availability, Confidentiality, Processing Integrity & Privacy criteria apply if in your audit scope — see the full version on GitHub.
SOC 2 Evidence FAQ
- What is a SOC 2 evidence checklist?
- A SOC 2 evidence checklist lists the documents and artifacts an auditor needs to verify each Trust Services control — policies, access reviews, logs, scan results, tickets — organized by the Common Criteria (CC1–CC9). It turns "what do they actually want?" into a concrete, control-by-control list.
- What evidence do you need for SOC 2 Type II?
- Type II requires evidence that controls operated effectively across a 6–12 month period — not just that they exist on one day. That means timestamped, recurring artifacts: quarterly access reviews, periodic vulnerability scans, change tickets, log reviews, and incident records spanning the whole audit window.
- How is this different from SOC 2 Type I?
- Type I checks control design at a point in time; Type II checks operating effectiveness over a period. The checklist is similar, but Type II needs multiple instances of each recurring control across the window.
- Can this be automated?
- Yes. Most of these items (IAM policies, MFA config, encryption settings, scan results, access reviews, change tickets) can be collected automatically. CATAAM connects to AWS, GitHub and Jira and harvests this evidence continuously, mapped to each control — so the checklist fills itself in.
Stop gathering this by hand
CATAAM collects and maps most of this evidence automatically — continuous, timestamped, audit-ready.
See SOC 2 evidence automation