SOC 2
May 24, 2026
10 min read

SOC 2 Compliance Checklist 2026 (Interactive, 12 Domains)

Hisham Mir

This is an interactive, use-it-now SOC 2 compliance checklist covering all 12 control domains. Tick items as you go; the progress bar tracks your completion, and each domain tells you exactly what evidence auditors look for and the single most common gap they find. Nothing is saved or sent anywhere; it runs entirely in your browser.

The checklist gives you the shape of SOC 2 readiness: the key checkpoints in each domain. It is not the full control set; a complete SOC 2 programme spans 200+ controls. When you want a scored, prioritised picture of where you actually stand across every control, the free SOC 2 Readiness Assessment does that in 10 minutes and gives you a weighted score, a critical gap list, and a board-ready summary. Use this checklist to understand the terrain; use the tool to get your number.

A note on scope: the first nine domains map to the SOC 2 Common Criteria (the Security criterion), which every SOC 2 engagement includes. The last three, Confidentiality, Privacy, and Availability, are additional Trust Services Criteria that apply only if you select them for your audit; tick those only if they are in your scope. Processing Integrity, the fifth Trust Services Criterion, is not covered by this checklist.

Interactive Checklist
This is the manual checklist. For all 200+ controls scored automatically, use the free tool →
Domain 1
Evidence auditors look for: Signed, version-controlled policies with approval dates; org chart; signed acknowledgements; leadership or board minutes referencing security oversight.
Most common gap: Policies exist but show no evidence of annual review or leadership approval — auditors flag "shelf-ware" that doesn't match how the organisation actually operates.

Domain 2
Evidence auditors look for: Dated risk assessment, a risk register with named owners and treatment status, and evidence of re-assessment after a significant change.
Most common gap: A one-time risk assessment with no evidence of updates — a register that hasn't changed in a year despite new systems, vendors, or products.

Domain 3
Evidence auditors look for: Training completion records, onboarding checklists, internal communications about security, and customer-facing security commitments.
Most common gap: Training happens informally with no completion records — there's no way to demonstrate it actually reached everyone across the audit period.

Domain 4
Evidence auditors look for: Monitoring reports, self-assessment records, a penetration test report with remediation tracking, and scan results showing the cadence.
Most common gap: Monitoring happens, but deficiencies aren't tracked to closure — auditors find open findings with no remediation evidence.

Domain 5
Evidence auditors look for: IAM exports, MFA configuration evidence, dated access-review records, offboarding tickets showing timely revocation, and privileged-access logs.
Most common gap: Access reviews are the single most common SOC 2 exception — they don't happen on schedule or aren't documented. Terminated users retaining access is a frequent critical finding.

Domain 6
Evidence auditors look for: Logging configuration, alert rules, sample alerts with responses, endpoint coverage reports, and vulnerability-remediation SLA tracking.
Most common gap: Logging exists but alerting is incomplete or unmonitored — events are captured, but no one is notified. Detection gaps surface fast under assumed-breach testing.
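The access-review gap above is the one most worth automating, because the evidence auditors want (a dated review, terminated users checked against IAM, MFA state, revocation lag) can be generated from two exports. The script below is an added example, not code from the original page or from SecurityWall's tooling: it reconciles a constructed IAM export against a constructed HR roster and flags terminated users who still hold an active account (with the revocation lag in days), active accounts without MFA, accounts with no HR record, and privileged accounts that have not logged in within a threshold. The CSV column names, the sample rows and the 90-day dormancy threshold are assumptions chosen for illustration; map them to whatever your IdP and HR system actually export.

```python
"""Access-review reconciliation: IAM export vs HR roster.
Added example, not from the original page. Column names, sample rows and
thresholds are assumptions chosen for illustration."""
import csv
import io
from datetime import date

# Constructed sample IAM export (the shape a SaaS IdP or cloud IAM typically produces).
IAM_EXPORT = """user,status,mfa_enabled,last_login,privileged
alice,active,true,2026-05-20,false
bob,active,false,2026-05-19,true
carol,active,true,2026-05-01,false
dave,disabled,true,2026-03-02,false
erin,active,true,2026-05-22,false
frank,active,true,2026-01-10,true
"""

# Constructed sample HR roster: the source of truth for who should have access.
HR_ROSTER = """user,employment_status,termination_date
alice,active,
bob,active,
carol,terminated,2026-04-15
dave,terminated,2026-03-01
frank,active,
"""

DORMANT_PRIVILEGED_DAYS = 90  # assumed threshold for unused privileged access


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(iam_csv, hr_csv, review_date):
    """Return a dated review record listing every account that fails a check.

    review_date is an ISO date string so the record is reproducible later."""
    today = date.fromisoformat(review_date)
    iam = {r["user"]: r for r in parse_csv(iam_csv)}
    hr = {r["user"]: r for r in parse_csv(hr_csv)}
    findings = []

    def flag(user, issue, severity, **extra):
        findings.append({"user": user, "issue": issue, "severity": severity, **extra})

    for user, acct in iam.items():
        active = acct["status"] == "active"
        person = hr.get(user)
        if person is None:
            # Nobody in HR owns this identity: service account, leaver, or attacker persistence.
            flag(user, "no HR record (orphan account)", "high")
            continue
        if person["employment_status"] == "terminated" and active:
            term = date.fromisoformat(person["termination_date"])
            flag(user, "terminated user still has active account", "critical",
                 lag_days=(today - term).days)
        if active and acct["mfa_enabled"].lower() != "true":
            flag(user, "active account without MFA", "high")
        if active and acct["privileged"].lower() == "true":
            idle = (today - date.fromisoformat(acct["last_login"])).days
            if idle > DORMANT_PRIVILEGED_DAYS:
                flag(user, "dormant privileged account", "medium", idle_days=idle)

    return {
        "review_date": today.isoformat(),
        "accounts_reviewed": len(iam),
        "findings": findings,
    }


if __name__ == "__main__":
    record = reconcile(IAM_EXPORT, HR_ROSTER, "2026-05-24")
    print(f"Access review {record['review_date']}: "
          f"{record['accounts_reviewed']} accounts, {len(record['findings'])} findings")
    for f in record["findings"]:
        extra = " ".join(f"{k}={v}" for k, v in f.items()
                         if k not in ("user", "issue", "severity"))
        print(f"  [{f['severity']}] {f['user']}: {f['issue']} {extra}")
```

Run it on a schedule, commit the returned record (with the review date) to your evidence store, and track each finding to a closure ticket; a disabled account for a terminated user, like dave above, produces no finding, which is exactly the state the review is meant to prove.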
Halfway — Want the Scored Version?

This checklist shows you the key checkpoints. For a scored assessment across all 200+ controls — with domain-level gap prioritisation and an executive summary — the free SecurityWall SOC 2 Readiness Assessment gives you results in 10 minutes.

Take the Free Assessment →
Domain 7
Evidence auditors look for: Change tickets with approvals, pull-request records showing review, CI/CD configuration, and separation-of-duties evidence.
Most common gap: The process is documented but not consistently followed — auditors sample production changes and find some deployed without recorded approval or review.

Domain 8
Evidence auditors look for: A vendor inventory, collected vendor SOC 2 reports, signed contracts and DPAs with security terms, and vendor-review records.
Most common gap: No central vendor inventory, or critical vendors onboarded with no security review — common in fast-scaling startups.

Domain 9
Evidence auditors look for: The IR plan, tabletop exercise records, an incident log with post-mortems, and a documented escalation matrix.
Most common gap: An IR plan exists on paper but has never been tested — auditors increasingly ask for evidence of a tabletop or a real incident handled per the plan.

Domain 10 (Confidentiality)
Evidence auditors look for: Classification policy, encryption configuration evidence, a retention schedule, key-management documentation, and data-flow diagrams.
Most common gap: Encryption in transit is universal, but encryption at rest or formal key management is missing or undocumented; retention policies exist but disposal isn't evidenced.

Domain 11 (Privacy)
Evidence auditors look for: Published privacy policy, records of handled data subject requests, a PII inventory, signed NDAs, and subprocessor agreements.
Most common gap: Privacy is assumed to be "covered by GDPR work" but never mapped to the SOC 2 Privacy criteria, and the data subject request process is undocumented.

Domain 12 (Availability)
Evidence auditors look for: Backup configuration and logs, restoration-test records, the BCP/DR plan, DR test results, and uptime-monitoring dashboards.
Most common gap: Backups run but restoration is never tested — "we have backups" without proof they can be restored is a classic finding, as are DR plans that were never exercised.
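"Proof they can be restored" means a restore that is actually performed, checked, and dated. The following is an added example, not code from the original page, using only the Python standard library to show the minimum such a test should do: take an online SQLite backup, restore it to a scratch location, run SQLite's own integrity check, compare a digest of the restored contents against the source, and return a timestamped evidence record. It also exercises the failure path with a deliberately corrupted backup file, which is the case a restore test exists to catch. The database, table and file names are constructed for illustration; for a real system the same structure applies with your database engine's backup and verification commands.

```python
"""Backup restoration test for SQLite, producing a dated evidence record.
Added example, not from the original page. Standard library only; the
database, table and file names are constructed for illustration."""
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def fingerprint(db_path):
    """SHA-256 over a logical dump (schema + rows), so two files with the same
    contents match even if their on-disk page layout differs."""
    con = sqlite3.connect(str(db_path))
    try:
        dump = "\n".join(con.iterdump())
    finally:
        con.close()
    return hashlib.sha256(dump.encode()).hexdigest()


def take_backup(src_path, backup_path):
    """Consistent online copy using SQLite's backup API (not a raw file copy)."""
    src = sqlite3.connect(str(src_path))
    dst = sqlite3.connect(str(backup_path))
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()


def restoration_test(src_path, backup_path, restore_dir):
    """Restore the backup to a scratch location and prove it is usable and
    complete. Returns an evidence record; 'passed' is False on any failure."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    restored = restore_dir / "restored.db"
    restored.write_bytes(Path(backup_path).read_bytes())  # the "restore" step

    record = {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "backup": str(backup_path),
        "passed": False,
        "detail": "",
    }
    try:
        con = sqlite3.connect(str(restored))
        try:
            status = con.execute("PRAGMA integrity_check").fetchone()[0]
        finally:
            con.close()
        if status != "ok":
            record["detail"] = f"integrity_check: {status}"
            return record
        if fingerprint(restored) != fingerprint(src_path):
            record["detail"] = "restored contents differ from source"
            return record
        record["passed"] = True
        record["detail"] = "restored copy passes integrity_check and matches source"
    except sqlite3.DatabaseError as exc:
        # A backup that cannot even be opened is the finding this test exists for.
        record["detail"] = f"restore failed: {exc}"
    return record


def demo():
    """Build a source DB, back it up, then test a good and a corrupted backup."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "prod.db"
        con = sqlite3.connect(str(src))
        con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
        con.executemany("INSERT INTO customers (email) VALUES (?)",
                        [("a@example.com",), ("b@example.com",)])
        con.commit()
        con.close()

        good_backup = tmp / "prod.bak"
        take_backup(src, good_backup)

        # Simulate silent corruption: overwrite the 16-byte SQLite file header.
        bad_backup = tmp / "prod-corrupt.bak"
        data = bytearray(good_backup.read_bytes())
        data[:16] = b"\x00" * 16
        bad_backup.write_bytes(bytes(data))

        good = restoration_test(src, good_backup, tmp / "restore-good")
        bad = restoration_test(src, bad_backup, tmp / "restore-bad")
        return good, bad


if __name__ == "__main__":
    for result in demo():
        print("PASS" if result["passed"] else "FAIL", result["tested_at"], result["detail"])
```

Store each returned record alongside the backup job logs; a run of dated records with passed=True, plus a ticket for any failure, is the restoration evidence the domain above asks for, and the corrupted-backup case shows why a checksum of the backup file alone is not enough: the file existed and was the right size, and it still could not be restored.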
This checklist covers the key checkpoints. Your SOC 2 programme has 200+ controls — get them all scored, free →

What Your Completion Score Actually Tells You

Your percentage on this checklist is a rough self-read, not an audit result. As a rule of thumb: below 50% means you have substantial control-building ahead and should not engage an auditor yet; 50–80% means the foundations exist but specific domains need work; above 80% means you are close, with the remaining gaps usually being evidence and documentation rather than missing controls.

But a checklist can only tell you whether a control exists; it can't weight the domains by how heavily auditors scrutinise them, score partial implementations, or tell you which gaps to fix first. That is what the free SOC 2 Readiness Assessment does: it scores all 200+ controls with weighting applied to the highest-risk domains, produces a prioritised critical-gap list, and gives you an executive summary you can take to your board. The checklist shows you the terrain; the tool gives you the map.

Free SOC 2 Readiness Assessment

From Checklist to Score.
In 10 Minutes.

All 200+ controls scored and weighted, a prioritised critical-gap list, and a board-ready executive summary. No sign-up, 100% in your browser. Built by an OSCP, OSWE, CREST, and CISSP-certified team.

100% browser-based. No login. No data ever leaves your device.

Frequently Asked Questions

Is this SOC 2 compliance checklist free to use?

Yes: completely free, no sign-up, and nothing is saved or transmitted. It runs entirely in your browser. The SOC 2 Readiness Assessment, which scores all 200+ controls, is also free and produces a weighted score in about 10 minutes.

Does this checklist cover every SOC 2 control?

No. It covers the key checkpoints in each of the 12 domains so you can understand the shape of SOC 2 readiness. A full SOC 2 programme spans 200+ controls; the readiness assessment tool scores all of them and prioritises your gaps.

Are all 12 domains required for SOC 2?

The first nine map to the SOC 2 Common Criteria, which every SOC 2 engagement includes. Confidentiality, Privacy, and Availability are additional Trust Services Criteria that apply only if you choose to include them in your audit scope.

What's the difference between this checklist and a gap analysis?

This checklist is a self-guided overview. A formal gap analysis is a consultant-led engagement with interviews, evidence sampling, and a written remediation roadmap. Most companies use a checklist or the readiness tool first, then commission a gap analysis if the result shows meaningful gaps.

What completion score means I'm ready for an audit?

As a rough guide, above 80% on this checklist suggests you are close, with remaining gaps usually in evidence and documentation rather than missing controls. Below 50% means significant control-building remains. The readiness tool gives a far more precise, weighted read than a simple checkbox count.

Tags: SOC 2, Compliance, SaaS, Security Audit, SOC 2 Type II, SOC 2 Readiness

About Hisham Mir

Hisham Mir is a cybersecurity professional with 10+ years of hands-on experience and Co-Founder & CTO of SecurityWall. He leads real-world penetration testing and vulnerability research, and is an experienced bug bounty hunter.
