CIOPages Interactive Checklist

SOC 2 / ISO 27001 Readiness Checklist

Prepare for compliance audits with a structured gap assessment.


Critical items (marked ★) carry higher weight. This checklist covers 40 controls across 8 domains aligned to SOC 2 Trust Services Criteria and ISO 27001 Annex A. Address critical gaps first to avoid major audit findings.

Governance & Policy

Establish the policy framework that underpins all controls.

1.1 An Information Security Management System (ISMS) scope is defined and approved by leadership. ★ Critical
1.2 An information security policy is published, approved by senior management, and reviewed at least annually. ★ Critical
1.3 A risk assessment methodology is defined and risk registers are maintained with treatment plans.
1.4 Roles and responsibilities for information security are formally assigned (e.g., CISO, data owners, system owners).
1.5 Management reviews of the ISMS are conducted at least annually with documented minutes and actions.

Access Control

Ensure only authorised individuals access systems and data.

2.1 A formal access control policy defines provisioning, modification, and de-provisioning processes. ★ Critical
2.2 The principle of least privilege is enforced, with privileged access limited and monitored.
2.3 Access reviews are performed at least quarterly for critical systems and semi-annually for others.
2.4 Multi-factor authentication is required for remote access, cloud management consoles, and privileged accounts.
2.5 Terminated user accounts are disabled within 24 hours and access revocation is evidenced.

Change Management

Control changes to systems to prevent unauthorised or disruptive modifications.

3.1 A formal change management policy governs all changes to production systems.
3.2 Changes are tested in a non-production environment before deployment.
3.3 Change approvals are documented and include segregation of duties (developer ≠ approver ≠ deployer). ★ Critical
3.4 Emergency change procedures are defined with retrospective approval requirements.
3.5 A configuration management database (CMDB) or equivalent tracks production system configurations.

Incident Management

Detect, respond to, and learn from security incidents.

4.1 An incident response plan is documented, tested, and includes severity classification and escalation paths. ★ Critical
4.2 Security incidents are logged in a centralised system with root cause analysis and remediation tracking.
4.3 Incident notification procedures meet contractual and regulatory requirements (e.g., 72-hour GDPR notification).
4.4 Post-incident reviews are conducted and lessons learned are incorporated into controls.
4.5 Incident metrics (MTTD, MTTR, incident count by severity) are reported to management.

Business Continuity

Ensure critical services can continue or recover during disruptions.

5.1 A business impact analysis (BIA) identifies critical processes, RTOs, and RPOs.
5.2 Business continuity and disaster recovery plans are documented for all critical systems. ★ Critical
5.3 DR plans are tested at least annually with results documented and gaps remediated.
5.4 Backup procedures are defined with regular testing of restore procedures.
5.5 Redundancy and failover mechanisms are in place for critical infrastructure components.

Monitoring & Audit

Maintain visibility into security posture through logging, monitoring, and audit.

6.1 Security event logging is enabled on all critical systems with logs retained per policy (typically 12 months). ★ Critical
6.2 Logs are forwarded to a centralised SIEM or log management platform and monitored for anomalies.
6.3 Internal audits of the ISMS are conducted at least annually by independent assessors.
6.4 Vulnerability scanning is performed at least quarterly and penetration testing at least annually.
6.5 Audit trails are tamper-evident and access to log management systems is restricted.

Physical & Environmental

Protect physical assets and environments housing information systems.

7.1 Physical access to data centres, server rooms, and network closets is controlled and logged.
7.2 Visitor access procedures are enforced with sign-in/sign-out and escort requirements.
7.3 Environmental controls (fire suppression, HVAC, UPS, water detection) are in place and monitored.
7.4 Equipment disposal procedures ensure data is securely wiped or destroyed with certificates of destruction.
7.5 Clean desk and clear screen policies are enforced, particularly in shared or open-plan environments.

People & Training

Ensure personnel understand and fulfil their security responsibilities.

8.1 Security awareness training is mandatory for all employees and completed at least annually. ★ Critical
8.2 Background checks are performed for employees with access to sensitive data or critical systems.
8.3 Phishing simulation exercises are conducted at least quarterly with tracked results.
8.4 Confidentiality and acceptable use agreements are signed by all employees and contractors.
8.5 Role-specific security training is provided for developers, administrators, and incident responders.