SOC 2 checklist 2026: all Trust Services Criteria & points of focus
SOC 2 isn’t a one-time certification: it is evidence that your controls operate continuously. This checklist walks through every control an auditor examines and flags which ones a platform can automate.
What SOC 2 requires
SOC 2 is assessed against 21 controls across 5 families: Common Criteria (CC), Availability, Confidentiality, Processing Integrity, Privacy. Each control must be both suitably designed and operating effectively; auditors want evidence that it worked throughout the review period, not just that it existed on paper.
The control checklist
All 33 Common Criteria plus the supplemental categories make up the complete TSC set an auditor examines. Use the table below as your working checklist (37 line items). Controls marked Auto can be monitored continuously by SBCMSP; controls marked Manual need a documented process and human-generated evidence.
| Control | Requirement | Coverage |
|---|---|---|
| CC1 — Control Environment | | |
| CC1.1 | Integrity & ethical values | Manual |
| CC1.2 | Board independence & oversight | Manual |
| CC1.3 | Structures & reporting lines | Manual |
| CC1.4 | Attract, develop & retain competence | Manual |
| CC1.5 | Accountability for internal control | Manual |
| CC2 — Communication & Information | | |
| CC2.1 | Quality information to support controls | Manual |
| CC2.2 | Internal communication of objectives | Manual |
| CC2.3 | External communication | Manual |
| CC3 — Risk Assessment | | |
| CC3.1 | Specify objectives for risk | Manual |
| CC3.2 | Identify & analyze risk | Manual |
| CC3.3 | Consider fraud potential | Manual |
| CC3.4 | Assess changes that impact controls | Manual |
| CC4 — Monitoring Activities | | |
| CC4.1 | Ongoing & separate evaluations | Auto |
| CC4.2 | Evaluate & communicate deficiencies | Manual |
| CC5 — Control Activities | | |
| CC5.1 | Select controls that mitigate risk | Manual |
| CC5.2 | Technology general controls | Auto |
| CC5.3 | Deploy through policies & procedures | Manual |
| CC6 — Logical & Physical Access | | |
| CC6.1 | Logical access security software & infrastructure | Auto |
| CC6.2 | User registration & authorization | Auto |
| CC6.3 | Role-based access & least privilege | Auto |
| CC6.4 | Physical access restriction | Manual |
| CC6.5 | Disposal of protected assets | Manual |
| CC6.6 | Boundary protection against external threats | Auto |
| CC6.7 | Transmission & encryption of data | Auto |
| CC6.8 | Malware prevention & detection | Auto |
| CC7 — System Operations | | |
| CC7.1 | Vulnerability detection & configuration monitoring | Auto |
| CC7.2 | Anomaly & security-event monitoring | Auto |
| CC7.3 | Evaluate security events | Manual |
| CC7.4 | Incident-response program | Manual |
| CC7.5 | Recovery from incidents | Manual |
| CC8 — Change Management | | |
| CC8.1 | Authorize, design, test & approve changes | Manual |
| CC9 — Risk Mitigation | | |
| CC9.1 | Risk-mitigation activities | Manual |
| CC9.2 | Vendor & business-partner risk | Manual |
| Supplemental categories (if in scope) | | |
| A1.1–1.3 | Availability — capacity, backup & recovery | Auto |
| C1.1–1.2 | Confidentiality — identify & dispose of confidential info | Auto |
| PI1.1–1.5 | Processing Integrity — complete, accurate, timely processing | Manual |
| P1–P8 | Privacy — notice, consent, use, retention & disposal | Manual |
Evidence you must collect
For every control, an auditor expects evidence that it operated throughout the review period. Common examples:
- Access reviews with timestamps and the approver recorded
- Change tickets linked to deployments
- Encryption and configuration snapshots
- Vendor / supplier risk assessments on file
Automating the checklist
Roughly two-thirds of SOC 2 controls can be monitored automatically. SBCMSP watches those continuously, collects timestamped evidence, and flags drift, so the audit becomes a review of a report you already have rather than a month-long scramble.