Most startups approach SOC 2 wrong. They treat it as a one-time checklist to complete right before an audit instead of a system to maintain year-round. The result: a frantic scramble, expensive last-minute work, and often a failed audit in the first attempt.

This checklist isn't about memorizing the 100+ SOC 2 controls. It's about understanding exactly what you need to build, document, and maintain to pass a SOC 2 Type II audit with a clean opinion.

Before you start: SOC 2 Type II audits look at controls operating over a period of time (typically 6-12 months). You can't sprint to compliance in a week. Build the habit before the audit window.

The 5 Trust Service Criteria (TSC)

SOC 2 is built around five Trust Service Criteria. Your auditor will test against the ones you include in your scope.

Security Required & always in scope
Availability Common for SaaS with SLAs
Confidentiality When handling sensitive data
Processing Integrity Rare for most startups
Privacy Only with formal privacy notice

Most startups start with Security only. Adding Availability makes sense if you offer an SLA. Privacy requires a formal privacy notice and is the most complex criterion. Start narrow and expand if customers require it.

Security Criteria Checklist

These controls are required for every SOC 2 audit. Build them before your audit window starts.

SSO / Centralized Identity Provider
All employee accounts use a central IdP (Okta, Google Workspace, Azure AD). No shared passwords. MFA enforced for all accounts.
Role-Based Access Control (RBAC)
Access granted on least-privilege basis. Regular access reviews quarterly. Revocation automated on offboarding.
Vulnerability Scanning
Automated scans of production infrastructure monthly. Critical findings patched within 7 days. Scan results documented.
Security Patch Management
OS and dependency patches applied within 30 days of release. Documented patch schedule and exceptions process.
Change Management Process
Code changes reviewed by a second engineer. Production deployments tracked and documented. Rollback procedures defined.
Data Encryption in Transit & at Rest
TLS 1.2+ for all data in transit. AES-256 for data at rest. Encryption keys rotated annually.
Log Management & Monitoring
Authentication logs, system events, and access logs retained for 12 months. Alerts configured for anomalous access patterns.
Vendor Risk Assessments
All third-party vendors with access to customer data reviewed annually. Security questionnaire or SOC 2 Type II report on file.

Availability Criteria Checklist

If you're adding Availability to your scope (common for SaaS platforms), here's what you need:

Uptime Monitoring
Automated monitoring of all critical services with alert escalation. Current uptime SLA defined and measurable.
Disaster Recovery Plan
Documented RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Backup and restoration tested quarterly.
Incident Response Procedure
Written incident response plan with defined escalation paths, communication templates, and post-incident review process.
Environment Separation
Production, staging, and development environments logically or physically separated. No development access to production data.

What to Do First

Start with your technology stack. Map out every system that touches customer data or critical operations. For each system, answer: Who has access? How is access granted and revoked? What logs exist?

Then map your policies to your actual practices. Auditors aren't just reading your documents — they're testing whether what you wrote matches what you actually do. The most common audit failure isn't missing controls — it's controls that exist on paper but aren't enforced in practice.

Pro tip: Run an internal readiness assessment 3-4 months before your audit window starts. It surfaces gaps while you still have time to close them.

Common Mistakes Startups Make

1. Copying policies word-for-word from templates

Auditors can tell. Generic policies that don't match your actual infrastructure get flagged immediately. Write policies that describe how your team actually operates.

2. Trying to do everything right before the audit

SOC 2 Type II requires evidence that controls operated consistently over 6-12 months. You can't manufacture that history in a sprint. Compliance is a continuous practice.

3. Ignoring vendor risk

Your vendors are in scope. If you're using AWS, Okta, GitHub, Datadog — your auditor will expect vendor risk assessments and evidence of monitoring. Don't treat this as an afterthought.

4. Forgetting the people side

Background checks, security awareness training, acceptable use policies — these are controls too. Your engineering team isn't exempt from compliance requirements.

Timeline: How Long Does This Actually Take?

If you're starting from scratch with a small team (under 20 people):

Total: 12-18 months from start to clean opinion. For companies that already have strong security practices, the readiness phase can be shorter — but don't underestimate the observation period. You can't skip it.

Ready to automate compliance evidence collection?

RiskForge continuously monitors your controls, collects evidence automatically, and alerts you to gaps before your next audit. Set up in 15 minutes.

Start Free Trial — No Credit Card

Continue Reading

HIPAA Compliance Guide for Small Businesses

April 12, 2026

Compliance Automation Cost: Vanta vs Drata vs RiskForge

April 8, 2026