Uploaded on Nov 24, 2023
This detailed PDF is Part 1 of a comprehensive SOC 2 Type 2 Checklist. Explore key considerations and requirements for Service Organization Controls, focusing on security, availability, processing integrity, confidentiality, and privacy. Learn how to assess and enhance your organization's controls to meet SOC 2 Type 2 compliance standards effectively. More Information - https://www.infosectrain.com/
SOC 2 Type 2 Checklist - Part 1 - V2_final
CHECK LIST
SOC 2 (System and Organization Controls, formerly Service Organization Control) Type 2 Checklist, Part 1
www.infosectrain.com

Each control below lists the control activity specified by the organization and the test applied by the auditor. The Test Results column of the original table is left blank for the auditor to record findings during fieldwork.

CC1.0 Control Environment

CC1.1: Demonstrates Commitment to Integrity & Ethical Values
COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

CC1.1.1
  Control activity: Contractor agreements must include a Code of Business Conduct and a reference to the corporate Code of Conduct, and both must be posted on the corporate intranet for all employees to access.
  Auditor test: Examine the Code of Business Conduct and ensure that it is accessible via the corporate intranet.

CC1.1.2
  Control activity: At the time of hire, the corporation requires new hires to acknowledge the code of conduct. Disciplinary action is taken against employees who break the code of conduct, in accordance with the policy.
  Auditor test: Examine the Code of Business Conduct and ensure that it documents enforcement processes that include disciplinary action.

CC1.1.3
  Control activity: The business mandates that prospective hires undergo background checks.
  Auditor test: Examine and verify that the documented information on employee backgrounds is accurate.

CC1.1.4
  Control activity: At the time of hiring, the business requires employees and contractors to sign a confidentiality agreement.
  Auditor test: Examine and ensure that employees and contractors sign a confidentiality agreement at the time of engagement.

CC1.1.5
  Control activity: Performance reviews for direct reports must be completed by firm management at least once a year.
  Auditor test: Examine and ensure that the company performs an evaluation of all employees annually.

CC1.2: Exercises Oversight Responsibility
COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
CC1.2.1
  Control activity: All corporate policies are reviewed and approved yearly by the board of directors of the firm or a pertinent subcommittee, such as senior management.
  Auditor test: Examine the corporate policies and ensure that they have undergone annual review and approval by the board or senior management.

CC1.2.2
  Control activity: The board members of the organisation are qualified to oversee management's capacity to create, put into place, and run information security controls.
  Auditor test: Examine and ensure that the information security controls have been created, implemented, reviewed and approved by the proper authorities.

CC1.2.3
  Control activity: The board of directors of the corporation holds formal meetings at least once a year and keeps minutes of those meetings. Directors who are not affiliated with the company sit on the board.
  Auditor test: Ensure independent directors were present and proper meeting minutes were taken, and observe that board sessions were held at least twice a year. (Note that the test as written checks for two meetings a year while the control activity states one; align the tested frequency with the frequency the organization actually commits to.)

CC1.2.4
  Control activity: The organisational chart for all personnel is reviewed and approved annually by the entity's senior management.
  Auditor test: Examine the organisational chart and ensure that it has undergone annual review and senior management approval.

CC1.2.5
  Control activity: The management of the organisation exhibits a dedication to integrity and ethical behaviour.
  Auditor test: Examine the ethical management document and ensure that company management demonstrates a commitment to integrity and ethical values.

CC1.3: Establishes Structure, Authority, and Responsibility
COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
CC1.3.1
  Control activity: Firm management has established clear roles and responsibilities to oversee the development and application of information security controls.
  Auditor test: Examine and ensure that management has created clear roles and responsibilities to oversee the development and application of information security controls.

CC1.3.2
  Control activity: The board of directors of the corporation has a written charter outlining its internal control monitoring obligations.
  Auditor test: Examine the board charter (or bylaws) and ensure that the roles and responsibilities of the board of directors are outlined in it.

CC1.3.3
  Control activity: The business keeps an organisational chart that details the hierarchical framework and reporting structure.
  Auditor test: Examine the most recent organisation chart and ensure that it accurately reflects the hierarchical framework and reporting structure.

CC1.3.4
  Control activity: To support the operational performance of employees, the business maintains job descriptions for client-facing, IT and engineering positions.
  Auditor test: Examine the job descriptions for client-facing, IT and engineering positions and ensure they are maintained and define the duties of each role.

CC1.3.5
  Control activity: The Roles and Responsibilities policy formally allocates roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls.
  Auditor test: Examine the Roles and Responsibilities policy and ensure it covers the design, development, implementation, operation, maintenance, and monitoring of information security measures.

CC1.4: Demonstrates Commitment to Competence
COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

CC1.4.1
  Control activity: The business must make sure that new personnel have undergone a thorough evaluation of their ability to perform the duties of their positions.
  Auditor test: Examine the competence assessments of new hires and ensure they were performed.

CC1.4.2
  Control activity: The business runs background checks on new hires.
  Auditor test: Examine the onboarding process and make sure that new hires' backgrounds are checked.

CC1.4.3
  Control activity: Performance reviews for direct reports must be completed by firm management at least once a year.
  Auditor test: Examine the performance evaluation and performance review policy, and the reviews themselves, to confirm that annual performance evaluations are carried out.

CC1.4.4
  Control activity: The Roles and Responsibilities policy formally allocates roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls.
  Auditor test: Examine the Roles and Responsibilities policy and ensure it covers the design, development, implementation, operation, maintenance, and monitoring of information security measures.

CC1.4.5
  Control activity: Employees must undergo security awareness training within 30 days of hire and at least once a year after that.
  Auditor test: Examine the Information Security Policy and ensure that it requires employees to undergo security training at the time of hire and annually thereafter.

CC1.5: Enforces Accountability
COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

CC1.5.1
  Control activity: All personnel in client-facing, IT, engineering, and information security roles are required to undergo quarterly evaluations addressing their job responsibilities.
  Auditor test: Examine and ensure that job responsibilities are evaluated quarterly.

CC1.5.2
  Control activity: At the time of hire, the corporation requires new hires to acknowledge the code of conduct. Disciplinary action is taken against employees who break the code of conduct, in accordance with the policy.
  Auditor test: Examine the Code of Business Conduct and ensure that it documents enforcement processes that include disciplinary action.
CC1.5.3
  Control activity: The business has implemented information security awareness training, and the firm intranet makes the training resources accessible to all employees.
  Auditor test: Examine the information security awareness material and ensure that all employees have access to it via the business intranet.

CC1.5.4
  Control activity: The organisation mandates that all staff members complete information security awareness training once upon hire and once a year thereafter.
  Auditor test: Examine the information security awareness training records.

CC1.5.5
  Control activity: Every year, the business mandates that all employees review and acknowledge the company's policies.
  Auditor test: Examine the firm policies and the acknowledgment records to ensure that all employees have read and agreed to them.

CC2.0 Communication and Information

CC2.1: Quality Information
COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

CC2.1.1
  Control activity: The information generated by the organization's systems undergoes assessment and analysis to identify its effects on the operation of internal controls.
  Auditor test: Examine the operation of internal controls, ensuring that the information generated by the system has been reviewed and evaluated.

CC2.1.2
  Control activity: The corporation conducts annual control self-assessments to confirm that controls are present and operating effectively, and implements corrective actions based on the findings.
  Auditor test: Examine the yearly control self-assessments to ensure that crucial policies are reviewed annually for control presence and operating effectiveness, and that corrective actions were implemented for the findings identified.

CC2.1.3
  Control activity: The organization employs a log management tool to identify events that could compromise the corporation's ability to accomplish its security goals.
  Auditor test: Examine the log management tool and ensure it effectively identifies events that could impact security objectives.
CC2.1.4
  Control activity: To ensure customer accessibility, the corporation prominently presents up-to-date information regarding its services on its website.
  Auditor test: Examine the website and confirm that current information about the corporation's services is presented so that customers can access it.

CC2.1.5
  Control activity: The corporation conducts host-based vulnerability scans on its external-facing systems quarterly. These scans identify critical and high vulnerabilities, which are then closely monitored and promptly remediated.
  Auditor test: Examine the quarterly host-based vulnerability scan reports, confirm that critical and high findings were tracked, and verify that they were remediated in a timely manner.

CC2.2: Internal Communication for Effective Control
COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

CC2.2.1
  Control activity: The Code of Business Conduct, established by the company, contains guidelines for appropriate conduct. All employees have access to this code via the company intranet, ensuring everyone knows its ethical guidelines.
  Auditor test: Examine the behavioral standards established in the Code of Business Conduct and verify that it is accessible to all staff through the company intranet.

CC2.2.2
  Control activity: The organization's management has established specific roles and responsibilities to ensure information security controls are designed and implemented.
  Auditor test: Examine the security policies and ensure that management has designated roles and responsibilities for supervising the design and implementation of information security controls.
CC2.2.3
  Control activity: So that its various audiences understand what the company offers and how it can meet their needs, the organization provides comprehensive descriptions of its products and services to internal employees and to external users such as customers, partners, and stakeholders.
  Auditor test: Review the documents and ensure that the company's descriptions of its products and services for internal and external users are clear and aligned with their needs.

CC2.2.4
  Control activity: The firm maintains documented information security policies and procedures that are reviewed annually, ensuring their continued relevance and effectiveness in safeguarding sensitive information and assets.
  Auditor test: Examine the company's information security policies and procedures, confirming that they are documented, reviewed yearly, and acknowledged by new employees.

CC2.2.5
  Control activity: The company ensures that authorized internal users are promptly informed of system changes.
  Auditor test: Examine internal communication practices and ensure that authorized internal users are informed about system changes.

CC2.3: Communication with External Parties
COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

CC2.3.1
  Control activity: The firm operates an external-facing support system that enables users to report system failures, incidents, concerns, and other complaints to the relevant personnel.
  Auditor test: Examine the CodeSee website and ensure a support email address is available for users to report system issues and that reports are routed to the right personnel.

CC2.3.2
  Control activity: The company informs customers about its security commitments through Master Service Agreements (MSA) or Terms of Service (TOS).
  Auditor test: Examine the Master Service Agreement (or Terms of Service) to ensure that the company's commitments are communicated to customers.
CC2.3.3
  Control activity: The company establishes contractual agreements with vendors and affiliated third parties that incorporate the confidentiality and privacy commitments relevant to the firm.
  Auditor test: Examine a sample of signed Non-Disclosure Agreements to verify that confidentiality and privacy agreements are in place with contractors and third parties.

CC2.3.4
  Control activity: The company comprehensively describes its products and services to its internal and external users.
  Auditor test: Examine the CodeSee website and verify the presence of a product description intended for both internal and external users.

CC2.3.5
  Control activity: The company informs customers about significant system changes that could impact their processing operations.
  Auditor test: Examine the company website and ensure that customers are informed about significant system changes that could affect their processing activities.

CC3.0 Risk Assessment

CC3.1: Specification of Objectives
COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

CC3.1.1
  Control activity: The company maintains a documented risk management program that guides the identification of potential threats, the assessment of the significance of the associated risks, and the definition of mitigation strategies.
  Auditor test: Examine the Risk Assessment Policy, confirm it documents the steps for identifying and managing risks, and observe in Secureframe a maintained list of risks with assigned ratings and tracked remediation actions.

CC3.1.2
  Control activity: The company performs annual risk assessments that identify threats and changes to service commitments and evaluate risks, including the potential for fraud and its impact on objectives.
  Auditor test: Examine the documentation recording the annual formal risk assessment exercise.
CC3.1.3
  Control activity: The company has an established vendor management program comprising an inventory of critical third-party vendors, vendor security and privacy requirements, and annual reviews of critical third-party vendors.
  Auditor test: Examine Secureframe for the vendor list with ratings, security and privacy requirements, and reviews; also examine the Vendor Management Policy, which should cover contract reviews, annual assessments, risk evaluation, and due diligence procedures.

CC3.1.4
  Control activity: The company maintains a documented Business Continuity/Disaster Recovery (BC/DR) plan and tests the plan's effectiveness annually.
  Auditor test: Examine the company's BC/DR plan to ensure it exists, is approved, and is tested yearly.

CC3.2: Risk Identification and Analysis
COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

CC3.2.1
  Control activity: The firm performs an annual formal risk assessment, as outlined in the Risk Assessment and Management Policy, to identify potential threats that could affect its systems' security commitments and requirements.
  Auditor test: Examine the records documenting the annual formal risk assessment exercise.

CC3.2.2
  Control activity: Each risk is assessed and receives a risk score based on its likelihood of occurrence and its impact on the security, availability, and confidentiality of the company's platform. Risks are then associated with mitigating factors that address the relevant aspects of the risk.
  Auditor test: Examine how each risk is evaluated for likelihood and impact on platform security, availability, and confidentiality, and ensure that risks are linked to actions that reduce their effects.
CC3.2.3
  Control activity: During onboarding, the firm requires new staff members to review and acknowledge company policies, ensuring they understand their responsibilities and commit to compliance.
  Auditor test: Examine the company's policies and confirm that new staff members have reviewed and acknowledged them.

CC3.2.4
  Control activity: The organization maintains a documented risk management program with instructions for identifying potential threats, assessing the significance of the related risks, and formulating strategies to mitigate those risks.
  Auditor test: Examine the Risk Assessment and Treatment Policy for documented risk management processes, and verify in Secureframe that a risk register is maintained with identified vulnerabilities, severity ratings, and tracked remediation actions.

CC3.2.5
  Control activity: The company implements a vendor management program that includes maintaining a list of critical third-party vendors, setting security and privacy requirements for vendors, and performing annual reviews of these vendors.
  Auditor test: Examine the company's vendor management program to ensure it has a process for documenting and overseeing vendor relationships.

CC3.3: Fraud Consideration in Risk Assessment
COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.

CC3.3.1
  Control activity: The company performs annual risk assessments that identify threats and changes to service commitments, include a formal risk assessment, and consider the potential impact of fraud on objectives.
  Auditor test: Examine the company's risk assessment documentation, confirming that assessments are performed yearly, that they identify threats and changes to commitments, that a formal risk assessment is carried out, and that the impact of fraud on objectives is considered.
CC3.3.2
  Control activity: The company maintains a documented risk management program that provides instructions for identifying potential threats, evaluating the significance of the risks linked to those threats, and developing strategies to mitigate those risks.
  Auditor test: Examine the risk management program to ensure it offers guidance for identifying potential threats and for defining strategies to mitigate them.

CC3.4: Identifying Changes
COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.

CC3.4.1
  Control activity: Each year, the company conducts a formal risk assessment exercise in accordance with the Risk Assessment and Management Policy. The goal is to identify potential threats that could compromise the security commitments and requirements of the systems.
  Auditor test: Review the records of the annual formal risk assessment exercise and examine the Risk Assessment and Management Policy.

CC3.4.2
  Control activity: The company implements a configuration management procedure to ensure consistent deployment of system configurations throughout the environment.
  Auditor test: Evaluate the company's configuration management procedure to validate that it is implemented and that system configurations are deployed consistently across the entire environment.

CC3.4.3
  Control activity: The firm evaluates and scores risks based on their likelihood and potential impact on platform security, availability, and confidentiality. Risks are then linked to mitigating factors that wholly or partially address them.
  Auditor test: Examine the risk evaluation and ensure each scored risk is linked to its mitigating factors.

CC3.4.4
  Control activity: The company conducts penetration testing, develops a remediation plan, and implements changes to address vulnerabilities within the agreed SLAs.
  Auditor test: Examine the company's penetration test report and remediation plan, verifying that the test is performed annually and that findings are remediated within the SLAs.
CC4.0 Monitoring Activities

CC4.1: Continuous Evaluation
COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.1.1
  Control activity: The senior management of the firm designates an Information Security Officer tasked with planning, evaluating, implementing, and overseeing the internal control environment.
  Auditor test: Examine the designation of the Information Security Officer and the coordination of planning, assessment, and implementation within the internal control environment.

CC4.1.2
  Control activity: The organization designates an Infrastructure owner responsible for all assets listed in the inventory.
  Auditor test: Examine the Infra Operations Person document and confirm it assigns responsibility for all assets in the inventory.

CC4.1.3
  Control activity: The organization uses Sprinto, a continuous monitoring system, to track and report the status of the information security program to the Information Security Officer and other stakeholders.
  Auditor test: Examine the ongoing monitoring and reporting activities of the Sprinto tool and ensure that the health of the information security program is communicated to the Information Security Officer and other stakeholders.

CC4.1.4
  Control activity: The senior management of the entity annually reviews and approves all company policies.
  Auditor test: Examine the company policies and confirm they have undergone yearly review and received approval from senior management.

CC4.1.5
  Control activity: The firm conducts regular reviews and assessments of all subservice organizations to verify their ability to fulfill customer commitments.
  Auditor test: Examine the subservice organizations described in the system description and note that they have been reviewed and evaluated by the firm.
CC4.2: Reporting of Control Deficiencies
COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

CC4.2.1
  Control activity: The company conducts annual control self-assessments to ensure controls are present and functioning effectively, followed by appropriate corrective actions in response to identified findings.
  Auditor test: Examine the Secureframe platform to verify recent policy reviews and publications. Additionally, examine the Information Security Policy to confirm its annual review and updates.

CC4.2.2
  Control activity: The company informs employees, through the Information Security Policy, how to report problems, failures, incidents, or concerns related to the services or systems they provide.
  Auditor test: Examine the Information Security Policy to ensure it tells employees how to report system problems.

CC4.2.3
  Control activity: The entity uses Sprinto, a continuous monitoring system, to monitor the status of the information security program and provide updates to the information security officer and other relevant stakeholders.
  Auditor test: Examine the Sprinto system and ensure it continuously tracks, monitors, and reports the information security program's status to the security officer and stakeholders.

CC4.2.4
  Control activity: Every year, senior management of the firm evaluates and approves all corporate policies.
  Auditor test: Examine the firm policies and ensure that senior management has reviewed and approved them.

CC4.2.5
  Control activity: Each year, senior management of the entity evaluates and approves the status of the information security program.
  Auditor test: Examine the internal audit assessment report and ensure that senior management has reviewed and approved it.
CC5.0 Control Activities

CC5.1: Risk Mitigating
COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

CC5.1.1
  Control activity: The firm establishes a set of policies that outline acceptable behavior within the firm's regulatory framework.
  Auditor test: Examine the policies for the control environment.

CC5.1.2
  Control activity: The firm has a well-defined Acceptable Usage Policy accessible to all employees through the firm's intranet.
  Auditor test: Examine the Acceptable Usage Policy and ensure it is accessible to all employees via the company's intranet.

CC5.1.3
  Control activity: Senior management of the firm segregates roles and responsibilities (separation of duties) to reduce risks to the services offered to its clients.
  Auditor test: Examine the assignment of roles and responsibilities and ensure that senior management has segregated duties to minimize risks to the services provided to clients.

CC5.1.4
  Control activity: The company maintains a documented risk management program outlining procedures for identifying potential threats, assessing their significance, and implementing mitigation strategies for the associated risks.
  Auditor test: Examine the risk management program to verify that it provides guidance for identifying potential threats, evaluating risk significance, and formulating mitigation strategies.

CC5.2: Establishment of Technology Control Activities
COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.
CC5.2.1
  Control activity: The firm employs Sprinto, a continuous monitoring system, to track and report the state of the information security program to the information security officer and other stakeholders.
  Auditor test: Examine the ongoing monitoring capabilities of the Sprinto software and ensure it tracks, records, and updates the information security officer and stakeholders on the program's status.

CC5.2.2
  Control activity: Each year, senior management of the firm evaluates and approves the status of the information security program.
  Auditor test: Examine the internal audit assessment report and ensure it was subsequently reviewed and approved by senior management.

CC5.2.3
  Control activity: The organizational structure for all personnel is reviewed and approved annually by the firm's senior management.
  Auditor test: Examine the organizational staff chart and ensure it has been reviewed and approved by senior management.

CC5.2.4
  Control activity: Every subservice organization is routinely reviewed and evaluated by the firm to make sure obligations to the firm's clients can be maintained.
  Auditor test: Examine the subservice organizations described in the system and confirm they undergo regular reviews and evaluations.

CC5.2.5
  Control activity: The organization establishes policies detailing acceptable behavior concerning the company's control environment.
  Auditor test: Examine the guidelines for the control environment.

CC5.3: Implementing Control Policies
COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

CC5.3.1
  Control activity: The organization gives all employees access to policies and procedures through the corporate intranet.
  Auditor test: Examine the company's policies and procedures and ensure they are accessible to all employees through the corporate intranet.
CC5.3.2
  Control activity: Every year, the organization requires all employees to review and acknowledge the company's policies.
  Auditor test: Examine the company's policies and the acknowledgment records, and ensure that every employee has reviewed and acknowledged them.

CC5.3.3
  Control activity: During onboarding, new employees must read and acknowledge the company's policies, ensuring they are aware of and prepared to meet their obligations.
  Auditor test: Examine the onboarding tasks assigned to new employees in the system and ensure each employee has reviewed and acknowledged the policies.

CC5.3.4
  Control activity: The organization creates a set of policies that outline acceptable conduct with respect to the control environment.
  Auditor test: Examine the system policies related to the control environment.

CC5.3.5
  Control activity: The organization defines its objectives so as to simplify the identification and assessment of the risks associated with them.
  Auditor test: Examine the Risk Assessment and Treatment Policy to ensure that risk categories have been specified to aid in identifying and evaluating risks related to objectives.