Whitepaper · Compliance & GRC
SOC 2 & ISO 27001 Compliance Checklist
Auditors don't ask "do you have a policy?"; they ask "show me." This checklist is organized around the evidence you'll actually need to produce.
- Category: Compliance & GRC
- Read time: 11 minutes
- Covers: SOC 2 Type II & ISO 27001:2022
A surprising number of companies preparing for their first SOC 2 or ISO 27001 audit already have most of the underlying security practices in place. They just don't have anything written down, assigned to an owner, or repeated on a schedule. Auditors aren't grading whether you're secure in the abstract; they're checking whether you can demonstrate, with evidence, that defined controls operate consistently over time.
So rather than listing control numbers (which read the same as the framework documents you already have), this checklist is organized around the kinds of evidence requests that come up again and again: whichever framework you are audited against, it asks for the same thing in slightly different language.
What Auditors Ask For, And What That Really Means
"Show me your access review."
What's actually being checked:
Periodic (typically quarterly) review of who has access to production systems and sensitive data, with evidence that access for departed employees or role changes was actually revoked, not just that a review meeting happened.
- ✓ A documented access review process runs on a fixed schedule, with sign-off retained as evidence.
- ✓ Offboarding includes a checklist step for access revocation, with timestamps that can be cross-referenced against HR records.
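The cross-reference the second item describes is mechanical enough to script, and the script's output is itself the evidence the auditor wants. The following is an added example, not code from the page's author or any product: it reconciles a constructed HR roster export against a constructed production access export, flags departed users whose access is still enabled or was revoked later than an assumed 24-hour window, and builds the sign-off record to retain. The data shapes, the `REVOCATION_WINDOW` value and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: an HR roster export and a production access export.
# Neither comes from a real system; the field names are assumptions for this example.
HR_ROSTER = {
    "alice": {"status": "active", "terminated_at": None},
    "bob": {"status": "terminated", "terminated_at": "2024-03-01T17:00:00"},
    "carol": {"status": "terminated", "terminated_at": "2024-03-10T12:00:00"},
    "dave": {"status": "terminated", "terminated_at": "2024-03-15T09:00:00"},
}

ACCESS_EXPORT = [
    {"user": "alice", "system": "prod-db", "enabled": True, "revoked_at": None},
    {"user": "bob", "system": "prod-db", "enabled": False, "revoked_at": "2024-03-01T18:30:00"},
    {"user": "carol", "system": "prod-db", "enabled": False, "revoked_at": "2024-03-14T09:00:00"},
    {"user": "dave", "system": "bastion", "enabled": True, "revoked_at": None},
    {"user": "svc-deploy", "system": "prod-db", "enabled": True, "revoked_at": None},
]

# Assumed internal standard: access is revoked within 24 hours of the HR termination time.
REVOCATION_WINDOW = timedelta(hours=24)


def reconcile_access(hr_roster, access_export, window=REVOCATION_WINDOW):
    """Cross-reference each access entry against HR and return the exceptions.

    Each exception is (user, system, reason). An empty list means every departed
    user's access was revoked, and revoked inside the window.
    """
    exceptions = []
    for entry in access_export:
        record = hr_roster.get(entry["user"])
        if record is None:
            # Accounts with no HR owner (service accounts, contractors) need a named
            # owner recorded elsewhere; flag them so the reviewer decides explicitly.
            exceptions.append((entry["user"], entry["system"], "no HR record"))
            continue
        if record["status"] != "terminated":
            continue
        terminated = datetime.fromisoformat(record["terminated_at"])
        if entry["enabled"] or entry["revoked_at"] is None:
            exceptions.append((entry["user"], entry["system"], "still enabled after termination"))
            continue
        revoked = datetime.fromisoformat(entry["revoked_at"])
        if revoked - terminated > window:
            # Report how far past the window the revocation landed.
            late_by = revoked - terminated - window
            exceptions.append((entry["user"], entry["system"], f"revoked late by {late_by}"))
    return exceptions


def sign_off_record(reviewer, review_date, access_export, exceptions):
    """Build the evidence artifact retained for this review run."""
    return {
        "reviewer": reviewer,
        "review_date": review_date,
        "accounts_reviewed": len(access_export),
        "exceptions": [{"user": u, "system": s, "reason": r} for u, s, r in exceptions],
        "result": "pass" if not exceptions else "exceptions raised",
    }


if __name__ == "__main__":
    found = reconcile_access(HR_ROSTER, ACCESS_EXPORT)
    for user, system, reason in found:
        print(f"{user:12} {system:10} {reason}")
    print(sign_off_record("reviewer@example.invalid", "2024-04-01", ACCESS_EXPORT, found))
```

Run on a schedule, the retained record shows both that the review happened and what it found; the exceptions list is what the auditor will sample against the HR termination dates.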
"Show me your risk assessment."
What's actually being checked:
A living document identifying specific risks to your organization (not a generic template), with assigned owners, treatment decisions, and evidence it's reviewed at least annually or after significant changes.
- ✓ Risk register names specific risks relevant to your business (e.g. "customer database in single region", not "cyber risk").
- ✓ Each risk has an owner, a treatment plan, and a review date, and the review actually happened.
"Show me your vulnerability management process."
What's actually being checked:
Evidence of regular vulnerability scanning and/or penetration testing, with findings tracked to remediation within defined SLAs based on severity. This is one of the most commonly requested pieces of evidence, and one of the easiest to satisfy with a recurring engagement.
- ✓ Annual (at minimum) penetration test of in-scope systems, with a report and remediation tracking.
- ✓ Defined remediation SLAs by severity (e.g. critical within 7 days), with evidence findings were actually closed within them.
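The "evidence findings were actually closed within them" part is where teams usually fall short: the SLA is written down, but nobody can produce the per-finding numbers. The following is an added example, not code from the page's author or any product: it takes a constructed findings export, applies SLA days per severity (the 7-day critical figure is from the checklist above; the other tiers are assumed values) and produces the per-finding status and summary an auditor would sample. `FINDINGS`, `REPORT_DATE` and the function names are assumptions.

```python
from datetime import date, timedelta

# Remediation SLAs by severity, in days. "critical: 7" is the figure from the
# checklist text; the other tiers are assumed values for this example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings export (as a scanner or pentest tracker might produce); not real data.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": "2024-04-01", "closed": "2024-04-05"},
    {"id": "F-2", "severity": "critical", "opened": "2024-04-01", "closed": "2024-04-12"},
    {"id": "F-3", "severity": "high", "opened": "2024-04-01", "closed": "2024-04-20"},
    {"id": "F-4", "severity": "medium", "opened": "2024-03-01", "closed": None},
    {"id": "F-5", "severity": "low", "opened": "2024-06-01", "closed": None},
]

# The "as of" date for the report; an assumed value for this example.
REPORT_DATE = date(2024, 6, 15)


def classify(finding, as_of):
    """Return (status, days_open, due_date) for one finding.

    status is one of: closed_in_sla, closed_late, open_in_sla, open_overdue.
    days_open counts to the close date, or to as_of while the finding is still open.
    """
    opened = date.fromisoformat(finding["opened"])
    due = opened + timedelta(days=SLA_DAYS[finding["severity"]])
    if finding["closed"]:
        closed = date.fromisoformat(finding["closed"])
        status = "closed_in_sla" if closed <= due else "closed_late"
        return (status, (closed - opened).days, due)
    status = "open_in_sla" if as_of <= due else "open_overdue"
    return (status, (as_of - opened).days, due)


def sla_report(findings, as_of):
    """Summarize SLA performance: per-finding rows, counts per status, exceptions."""
    rows = []
    counts = {"closed_in_sla": 0, "closed_late": 0, "open_in_sla": 0, "open_overdue": 0}
    for f in findings:
        status, days_open, due = classify(f, as_of)
        counts[status] += 1
        rows.append({"id": f["id"], "severity": f["severity"], "status": status,
                     "days_open": days_open, "due": due.isoformat()})
    closed = counts["closed_in_sla"] + counts["closed_late"]
    return {
        "as_of": as_of.isoformat(),
        "rows": rows,
        "counts": counts,
        # Share of closed findings that met their SLA; None when nothing has closed yet.
        "closed_in_sla_pct": round(100 * counts["closed_in_sla"] / closed, 1) if closed else None,
        # The findings an auditor will ask you to explain.
        "exceptions": [r["id"] for r in rows if r["status"] in ("closed_late", "open_overdue")],
    }


if __name__ == "__main__":
    report = sla_report(FINDINGS, REPORT_DATE)
    for row in report["rows"]:
        print(f"{row['id']}  {row['severity']:8} {row['status']:14} {row['days_open']:4}d  due {row['due']}")
    print("counts:", report["counts"], "exceptions:", report["exceptions"])
```

Keeping the SLA table in the same script that generates the report means the report is traceable to the policy it claims to measure; when the SLA changes, re-running against the same export shows which historical findings the change would have affected.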
"Show me your incident response plan, and that it works."
What's actually being checked:
A documented IR plan, plus evidence it's been tested (tabletop exercise) within the audit period. A plan that's never been exercised is a common finding.
- ✓ A written incident response plan with defined roles. See our Incident Response Checklist for what good looks like.
- ✓ At least one tabletop exercise documented within the last 12 months, with findings tracked.
"Show me your vendor/third-party risk management."
What's actually being checked:
A list of vendors with access to your systems or data, a risk-tiering approach, and evidence (e.g. SOC 2 reports, security questionnaires) that higher-risk vendors were assessed before onboarding.
- ✓ A maintained vendor inventory with risk tiers, reviewed at least annually.
- ✓ Security review evidence (SOC 2 report, questionnaire) on file for critical vendors.
Where Security Engineering Fits Into Compliance
A lot of the technical evidence above doesn't come from a GRC tool; it comes from your security engineering work. The diagram below shows how penetration testing, vulnerability scanning and incident response practices feed directly into the evidence an auditor reviews.
SOC 2 vs. ISO 27001: Do You Need Both?
We get this question often enough that it's worth addressing directly. SOC 2 is largely US-market-driven and produces a report describing your controls and an auditor's opinion on their operating effectiveness. ISO 27001 is an internationally recognized certification against a management-system standard, more commonly requested by enterprise customers outside North America (and increasingly within it).
The good news: the underlying evidence categories above largely overlap between both. Organizations targeting both typically build one evidence collection process and map it to both frameworks, rather than running two separate programs.
Frequently Asked Questions
How long does SOC 2 or ISO 27001 readiness typically take?
For organizations with most fundamentals already in place, 2-4 months to close evidence gaps before a SOC 2 Type I or ISO 27001 certification audit is common. A SOC 2 Type II report additionally requires an observation period (often 3-6 months) demonstrating controls operated over time.
Can a penetration test satisfy multiple framework requirements at once?
Often yes: a single, well-scoped annual penetration test report can serve as evidence for SOC 2, ISO 27001, and customer security questionnaires simultaneously, provided the scope and methodology are clearly documented.
Do you provide the penetration testing AND help with the compliance gap assessment?
Yes, our team does both, and where useful, structures the penetration test scope and reporting specifically to map onto the evidence categories above.
We're a small team: is full ISO 27001 certification realistic?
Yes, and often more realistically than larger organizations expect. The standard is scalable, and a small team with clear ownership of fewer systems can sometimes implement consistent evidence generation faster than a larger, more fragmented one.
About the Author
Sanjana Kulkarni
GRC & Compliance Lead, CipherTrivia · ISO 27001 Lead Auditor
Sanjana helps clients prepare for SOC 2 and ISO 27001 audits, bridging the gap between policy documentation and the technical evidence security engineering teams produce. She's seen the "show me" question often enough to know which answers actually hold up.
Turn your security work into audit-ready evidence
We can run a gap assessment against this checklist and align your testing program with your audit timeline. See our compliance services.