bagelhole/soc2-compliance

SOC 2 Compliance

Implement SOC 2 Trust Services Criteria controls, evidence collection, and continuous compliance monitoring for Type I and Type II audits.

When to Use

• Preparing for a SOC 2 Type I or Type II audit
• Mapping existing controls to Trust Services Criteria
• Automating evidence collection for auditor requests
• Building continuous compliance monitoring into CI/CD
• Onboarding new services and ensuring SOC 2 control coverage

Trust Services Criteria Detailed Checklist

security_common_criteria:
  CC1_control_environment:
    CC1.1: "Management demonstrates commitment to integrity and ethical values"
    CC1.2: "Board exercises oversight of internal controls"
    CC1.3: "Management establishes structure, authority, and responsibility"
    CC1.4: "Commitment to competence - hire and retain qualified personnel"
    CC1.5: "Individuals are held accountable for internal control responsibilities"
    evidence:
      - Code of conduct document
      - Organizational chart
      - Job descriptions with security responsibilities
      - Board meeting minutes discussing security
      - Background check policy and records

  CC2_communication:
    CC2.1: "Entity obtains or generates relevant quality information"
    CC2.2: "Entity internally communicates information including objectives and responsibilities"
    CC2.3: "Entity communicates with external parties"
    evidence:
      - Security awareness training records
      - Internal security newsletters or updates
      - Customer-facing security documentation
      - Status page and incident communication records

  CC3_risk_assessment:
    CC3.1: "Entity specifies objectives clearly to identify and assess risks"
    CC3.2: "Entity identifies risks to achievement of objectives"
    CC3.3: "Entity considers potential for fraud"
    CC3.4: "Entity identifies and assesses significant changes"
    evidence:
      - Annual risk assessment report
      - Risk register with ratings and treatment plans
      - Fraud risk assessment documentation
      - Change management records

  CC4_monitoring:
    CC4.1: "Entity selects, develops, and performs ongoing/separate evaluations"
    CC4.2: "Entity evaluates and communicates internal control deficiencies"
    evidence:
      - Continuous monitoring dashboard screenshots
      - Internal audit reports
      - Vulnerability scan results
      - Penetration test reports

  CC5_control_activities:
    CC5.1: "Entity selects and develops control activities to mitigate risks"
    CC5.2: "Entity selects and develops technology-based controls"
    CC5.3: "Entity deploys control activities through policies and procedures"
    evidence:
      - Information security policy
      - Access control procedures
      - Change management procedures
      - Encryption standards documentation

  CC6_logical_access:
    CC6.1: "Logical access security over protected information assets"
    CC6.2: "Prior to access, users are registered and authorized"
    CC6.3: "Access to data, software, functions, and other IT resources is authorized and modified"
    CC6.6: "Logical access security measures against threats from outside system boundaries"
    CC6.7: "Transmission of data between parties is protected"
    CC6.8: "Controls to prevent or detect unauthorized or malicious software"
    evidence:
      - IAM credential report
      - MFA enforcement configuration
      - Access review completion records
      - Firewall and WAF configurations
      - TLS/encryption configurations
      - Endpoint protection deployment records

  CC7_system_operations:
    CC7.1: "Detect anomalies and potential security incidents"
    CC7.2: "Monitor system components for anomalies"
    CC7.3: "Evaluate detected events and determine incidents"
    CC7.4: "Respond to identified security incidents"
    CC7.5: "Identify and remediate security incidents"
    evidence:
      - SIEM alert rules and dashboards
      - Monitoring configuration (CloudWatch, Datadog, etc.)
      - Incident response plan
      - Incident tickets and post-mortems

  CC8_change_management:
    CC8.1: "Entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes"
    evidence:
      - Change management policy
      - Pull request approval requirements
      - CI/CD pipeline configurations
      - Deployment records with approvals

  CC9_risk_mitigation:
    CC9.1: "Entity identifies, selects, and develops risk mitigation activities"
    CC9.2: "Entity assesses and manages risks associated with vendors"
    evidence:
      - Risk treatment plans
      - Vendor assessment records
      - Business associate agreements
      - Insurance certificates

availability_criteria:
  A1.1: "System processing capacity and availability are maintained"
  A1.2: "Environmental protections and recovery measures"
  A1.3: "Recovery plan procedures to support system availability"
  evidence:
    - Uptime SLA documentation
    - Capacity monitoring dashboards
    - Disaster recovery plan
    - DR test results
    - Backup verification records

processing_integrity_criteria:
  PI1.1: "Entity obtains or generates, uses, and communicates quality information"
  evidence:
    - Input validation procedures
    - Data processing accuracy checks
    - Error handling and retry logic documentation
    - Output reconciliation records

confidentiality_criteria:
  C1.1: "Entity identifies and maintains confidential information"
  C1.2: "Entity disposes of confidential information"
  evidence:
    - Data classification policy
    - Encryption configurations
    - Data retention and destruction policies
    - Secure disposal records

privacy_criteria:
  P1-P8: "Privacy notice, choice, collection, use, disclosure, access, quality, monitoring"
  evidence:
    - Privacy policy (published)
    - Consent management records
    - Data processing inventory
    - DSAR handling procedures

Tool Mappings for Control Evidence

control_to_tool_mapping:
  CC6.1_logical_access:
    aws:
      - IAM credential report (aws iam generate-credential-report)
      - IAM Access Analyzer findings
      - AWS SSO configuration
      - GuardDuty findings
    azure:
      - Azure AD sign-in logs
      - Conditional Access policies
      - PIM role assignments
    github:
      - Organization member list and roles
      - Repository access permissions
      - Branch protection rules
    okta:
      - User status report
      - MFA enrollment report
      - Application assignment report

  CC7.2_monitoring:
    tools:
      - CloudWatch / Azure Monitor / Cloud Monitoring dashboards
      - Datadog / New Relic / Grafana alert configurations
      - SIEM (Splunk, Elastic, Sentinel) saved searches
      - PagerDuty / OpsGenie escalation policies
    evidence_format:
      - Dashboard screenshots with date stamps
      - Alert rule configuration exports
      - Incident response records from ticketing system

  CC8.1_change_management:
    tools:
      - GitHub/GitLab PR merge requirements
      - CI/CD pipeline configurations (GitHub Actions, Jenkins)
      - Terraform plan outputs
      - Deployment logs
    evidence_format:
      - PR with approvals and CI checks
      - Deployment audit trail
      - Change advisory board meeting notes (if applicable)

Evidence Collection Automation

#!/usr/bin/env bash
# collect-soc2-evidence.sh - Automated SOC 2 evidence collection
# Run monthly or before audit requests

EVIDENCE_DIR="./soc2-evidence/$(date +%Y-%m)"
mkdir -p "$EVIDENCE_DIR"

echo "=== CC6.1 - Logical Access Evidence ==="

# AWS IAM credential report
aws iam generate-credential-report
sleep 10
aws iam get-credential-report --output text --query Content | \
  base64 -d > "$EVIDENCE_DIR/aws-iam-credential-report.csv"

# AWS IAM Access Analyzer findings
aws accessanalyzer list-findings \
  --analyzer-arn "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/org-analyzer" \
  --filter '{"status": {"eq": ["ACTIVE"]}}' \
  > "$EVIDENCE_DIR/access-analyzer-findings.json"

# MFA enforcement status
aws iam list-users --query 'Users[*].UserName' --output text | \
  tr '\t' '\n' | while read -r user; do
    mfa=$(aws iam list-mfa-devices --user-name "$user" --query 'MFADevices[0].SerialNumber' --output text)
    echo "$user,$mfa"
  done > "$EVIDENCE_DIR/mfa-status.csv"

# GitHub organization members and roles
gh api orgs/YOUR_ORG/members --paginate --jq '.[] | [.login, .role_name // "member"] | @csv' \
  > "$EVIDENCE_DIR/github-org-members.csv"

# GitHub branch protection rules
for repo in $(gh repo list YOUR_ORG --json name -q '.[].name'); do
  gh api repos/YOUR_ORG/$repo/branches/main/protection \
    > "$EVIDENCE_DIR/branch-protection-$repo.json" 2>/dev/null
done

echo "=== CC7.2 - Monitoring Evidence ==="

# CloudTrail status
aws cloudtrail get-trail-status --name org-audit-trail \
  > "$EVIDENCE_DIR/cloudtrail-status.json"

# Active CloudWatch alarms
aws cloudwatch describe-alarms --state-value ALARM \
  > "$EVIDENCE_DIR/active-alarms.json"

# GuardDuty findings summary
aws guardduty list-findings --detector-id DETECTOR_ID \
  --finding-criteria '{"criterion":{"severity":{"gte":4}}}' \
  > "$EVIDENCE_DIR/guardduty-findings.json"

echo "=== CC8.1 - Change Management Evidence ==="

# Recent deployments (GitHub Actions)
gh run list --repo YOUR_ORG/YOUR_REPO --limit 50 --json conclusion,createdAt,displayTitle,headBranch \
  > "$EVIDENCE_DIR/recent-deployments.json"

# Pull requests merged in audit period
gh pr list --repo YOUR_ORG/YOUR_REPO --state merged --limit 100 \
  --json number,title,author,mergedBy,mergedAt,reviews \
  > "$EVIDENCE_DIR/merged-prs.json"

echo "=== A1 - Availability Evidence ==="

# Backup status
aws rds describe-db-snapshots --db-instance-identifier prod-db \
  --query 'DBSnapshots | sort_by(@, &SnapshotCreateTime) | [-5:]' \
  > "$EVIDENCE_DIR/rds-backup-snapshots.json"

# S3 replication status
aws s3api get-bucket-replication --bucket prod-data-bucket \
  > "$EVIDENCE_DIR/s3-replication-config.json"

echo "Evidence collected in $EVIDENCE_DIR"
tar -czf "$EVIDENCE_DIR.tar.gz" "$EVIDENCE_DIR"
echo "Archive: $EVIDENCE_DIR.tar.gz"

Audit Preparation Timeline

audit_prep_timeline:
  12_months_before:
    - Select auditor firm and sign engagement letter
    - Perform gap assessment against TSC criteria
    - Remediate identified control gaps
    - Begin formal evidence collection cadence

  6_months_before:
    - Conduct internal readiness assessment
    - Verify all controls are operating effectively
    - Complete risk assessment and update risk register
    - Ensure vendor assessments are current
    - Test disaster recovery procedures

  3_months_before:
    - Run automated evidence collection and verify completeness
    - Conduct access review and remediate findings
    - Review and update all policies and procedures
    - Perform vulnerability scan and penetration test
    - Confirm all training records are current

  1_month_before:
    - Prepare evidence request list responses
    - Organize evidence into auditor-friendly structure
    - Brief key personnel on audit interviews
    - Verify monitoring dashboards show healthy state
    - Confirm incident response records are complete

  during_audit:
    - Designate audit liaison for request management
    - Provide timely evidence and clarifications
    - Track open auditor questions
    - Escalate issues to control owners promptly

  after_audit:
    - Review draft report and provide management response
    - Create remediation plan for any exceptions
    - Communicate results to stakeholders
    - Update controls and processes based on findings
    - Begin next audit period evidence collection

Continuous Compliance Monitoring

# GitHub Actions workflow for continuous SOC 2 checks
name: SOC2 Compliance Checks
on:
  schedule:
    - cron: '0 6 * * 1'  # Weekly on Monday
  workflow_dispatch:

jobs:
  access-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check MFA enforcement
        run: |
          USERS_WITHOUT_MFA=$(aws iam generate-credential-report && sleep 5 && \
            aws iam get-credential-report --output text --query Content | \
            base64 -d | awk -F, '$4=="true" && $8=="false" {print $1}')
          if [ -n "$USERS_WITHOUT_MFA" ]; then
            echo "::error::Users without MFA: $USERS_WITHOUT_MFA"
            exit 1
          fi

      - name: Check for unused credentials
        run: |
          THRESHOLD=$(date -d '90 days ago' +%Y-%m-%dT%H:%M:%S)
          aws iam get-credential-report --output text --query Content | \
            base64 -d | awk -F, -v t="$THRESHOLD" '$5!="N/A" && $5<t {print $1" last used "$5}'

      - name: Verify CloudTrail is logging
        run: |
          STATUS=$(aws cloudtrail get-trail-status --name org-audit-trail --query 'IsLogging' --output text)
          [ "$STATUS" = "True" ] || (echo "::error::CloudTrail logging stopped" && exit 1)

      - name: Check GuardDuty is enabled
        run: |
          DETECTOR=$(aws guardduty list-detectors --query 'DetectorIds[0]' --output text)
          [ "$DETECTOR" != "None" ] || (echo "::error::GuardDuty not enabled" && exit 1)

Best Practices

• Start with a gap assessment to understand current control maturity before engaging an auditor
• Automate evidence collection to reduce the burden of auditor requests and ensure consistency
• Map each control to a specific tool, owner, and evidence artifact for traceability
• Implement continuous monitoring rather than point-in-time checks for Type II readiness
• Maintain a central evidence repository organized by control criteria
• Conduct quarterly internal reviews to catch control drift before the audit period
• Keep policies living documents with version history and annual review dates
• Train all employees on their role in maintaining SOC 2 controls
• Use the audit preparation timeline to avoid last-minute scrambling
• Treat each auditor exception as an improvement opportunity rather than a failure