100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

SOC 2 Compliance Cheat Sheet

SOC 2 Compliance Cheat Sheet

Explains the SOC 2 Trust Services Criteria, audit types, and common control evidence needed to prepare for a SOC 2 examination.

2 PagesIntermediateFeb 20, 2026

Trust Services Criteria

The five categories a SOC 2 report can be scoped against.

  • Security (required)- Protection against unauthorized access; the only mandatory criterion for every SOC 2 report
  • Availability- Systems are available for operation and use as committed or agreed (uptime, DR)
  • Processing integrity- System processing is complete, valid, accurate, timely, and authorized
  • Confidentiality- Information designated as confidential is protected as committed or agreed
  • Privacy- Personal information is collected, used, retained, and disposed of per the entity's privacy notice

Type I vs Type II Reports

The two flavors of SOC 2 report and what they attest to.

  • Type I- Assesses whether controls are suitably designed at a single point in time
  • Type II- Assesses operating effectiveness of controls over a period, typically 3-12 months
  • Observation period- Type II auditors sample evidence throughout the period, not just at the end
  • Auditor- Must be an independent licensed CPA firm following AICPA attestation standards

Common Control Areas

Typical control domains auditors examine for the Security criterion.

  • Access control- Least-privilege provisioning, periodic access reviews, and timely deprovisioning
  • Change management- Code changes require review, approval, and testing before production deployment
  • Logging and monitoring- Centralized logs, alerting on anomalies, and log retention policies
  • Vendor management- Due diligence and monitoring of third-party/subprocessor security posture
  • Incident response- A documented, tested plan for detecting, responding to, and reporting incidents
  • Encryption- Data encrypted in transit (TLS) and at rest (e.g. AES-256)
  • Risk assessment- Periodic formal assessment of threats and vulnerabilities to the environment

Automating Evidence Collection

Example script pulling access review evidence for an audit.

bash
#!/bin/bash# Export IAM users and their last activity for quarterly access review evidenceaws iam generate-credential-reportaws iam get-credential-report \  --query 'Content' --output text | base64 -d > credential_report.csv# Flag users inactive for more than 90 days for offboarding reviewawk -F',' 'NR>1 && $5=="false" {print $1, $11}' credential_report.csv \  | while read user last_used; do      echo "Review: $user last used $last_used"    done

Access Review Policy Definition

Documenting an access review control for audit evidence.

yaml
control: CC6.1-access-reviewdescription: Quarterly review of user access to production systemsfrequency: quarterlyowner: security-teamevidence:  - iam_access_report.csv  - access_review_signoff.pdfremediation_sla_days: 5   # time to revoke unneeded access after review
Pro Tip

Start collecting audit evidence continuously from day one of the observation period rather than scrambling before the audit — a Type II auditor will sample multiple months, and gaps in evidence for early months cannot be recreated retroactively.

Was this cheat sheet helpful?

Explore Topics

#SOC2Compliance#SOC2ComplianceCheatSheet#Cybersecurity#Intermediate#TrustServicesCriteria#TypeIVsTypeIIReports#CommonControlAreas#AutomatingEvidenceCollection#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Share this Cheat Sheet