Free · No account required

SOC 2 Readiness Checklist

65 controls across Access, Infrastructure, Change Management, Policies, and more. Tick off what's done. 37 require continuous evidence collection — the hardest part to do manually. TrailProof automates those. The rest are one-time HR, policy, and process tasks. Progress saves in your browser.

Optimised for AWS-based startups · covers IAM, S3, RDS, CloudTrail, GuardDuty, VPC, GitHub, Google Workspace and Okta

0 / 65 controls complete0%

Complete

Remaining

Need monitoring

TrailProof= continuous evidence collected by TrailProof

Access Control

· 10 automated

0/14

MFA enabled on AWS root accountTrailProof

Multi-factor authentication is enforced on the AWS root account.

MFA enabled for all IAM usersTrailProof

All IAM users with console access have MFA enabled.

No active root account access keysTrailProof

The AWS root account has no active programmatic access keys.

IAM password policy enforcedTrailProof

Strong password policy configured with minimum length, complexity, and rotation requirements.

Unused IAM credentials disabledTrailProof

IAM users with credentials unused for 90+ days are disabled or removed.

Least privilege access enforced

IAM users and roles are granted only the permissions required for their role.

Access reviews conducted quarterly

User access rights are reviewed quarterly and unnecessary access revoked.

Offboarding removes access within 24 hours

When employees leave, all system access is revoked within 24 hours.

Okta MFA policy enforcedTrailProof

Okta enforces MFA for all users across all connected applications.

Inactive Okta users disabledTrailProof

Okta users inactive for 30+ days are flagged or automatically disabled.

Google Workspace MFA enforcedTrailProof

MFA is enforced for all Google Workspace accounts at the domain level.

Google Workspace admin accounts limitedTrailProof

Super admin privileges are limited to the minimum number of accounts necessary.

Inactive Google Workspace users disabledTrailProof

Users inactive in Google Workspace are detected and disabled.

Physical access to offices controlled

Physical access to offices and server rooms is controlled and logged.

Monitoring & Detection

· 6 automated

0/9

CloudTrail enabled in all regionsTrailProof

AWS CloudTrail is enabled and logging API activity across all regions.

CloudTrail log file validation enabledTrailProof

CloudTrail log file integrity validation is enabled to detect tampering.

CloudTrail logs encrypted with KMSTrailProof

CloudTrail logs are encrypted at rest using a KMS customer-managed key.

GuardDuty enabledTrailProof

AWS GuardDuty is active and detecting threats across the account.

GuardDuty findings reviewed regularly

GuardDuty findings are reviewed and triaged on a regular schedule.

VPC flow logs enabledTrailProof

VPC flow logs are capturing network traffic for monitoring and analysis.

Security alerts configuredTrailProof

CloudWatch alarms are configured for root account usage, unauthorized API calls, and IAM policy changes. Checked automatically by TrailProof.

Audit log retention of 12+ months

Audit and access logs are retained for a minimum of 12 months.

Audit log review process documented

A documented process exists for regularly reviewing audit logs.

Infrastructure Security

· 11 automated

0/13

S3 buckets not publicly accessibleTrailProof

All S3 buckets have public access blocked unless explicitly required.

S3 bucket encryption enabledTrailProof

Server-side encryption is enabled on all S3 buckets.

S3 bucket versioning enabledTrailProof

Versioning is enabled on S3 buckets containing production or customer data.

S3 access logging enabledTrailProof

Access logging is enabled on S3 buckets to maintain an audit trail.

RDS encryption at restTrailProof

All RDS instances have encryption at rest enabled.

RDS instances not publicly accessibleTrailProof

RDS databases are not directly accessible from the public internet.

RDS automated backups enabledTrailProof

Automated backups are enabled with a retention period of at least 7 days.

Security groups restrict inbound accessTrailProof

Security groups do not allow unrestricted inbound access on sensitive ports.

No unrestricted SSH (port 22) accessTrailProof

Port 22 is not open to 0.0.0.0/0 in any security group.

KMS key rotation enabledTrailProof

AWS KMS keys have automatic annual rotation enabled.

EC2 IMDSv2 enforcedTrailProof

EC2 instances use Instance Metadata Service v2 (IMDSv2) to prevent SSRF attacks.

Encryption in transit enforced (TLS)

TLS is enforced for all data in transit — no unencrypted HTTP in production.

Vulnerability management process in place

Regular vulnerability scans are performed and findings remediated in a timely manner.

Change Management

· 4 automated

0/7

Branch protection on main/masterTrailProof

GitHub branch protection rules are configured and enforced on the main branch.

Pull request reviews requiredTrailProof

All changes to main require at least one peer code review before merging.

GitHub organisation 2FA enforcedTrailProof

Two-factor authentication is enforced for all members of the GitHub organisation.

Secret scanning enabledTrailProof

GitHub secret scanning is active and alerting on any exposed credentials.

Change management process documented

A written process defines how code and infrastructure changes are approved and deployed.

Staging environment used before production

Changes are tested in a staging environment before deployment to production.

Rollback procedures documented

Documented procedures exist for rolling back failed changes quickly.

Data Protection

· 1 automated

0/5

Data classification policy in place

Data is classified by sensitivity level (e.g. public, internal, confidential, restricted).

Data retention policy documented

A policy defines how long different types of data are retained and how it is disposed of.

Customer data encrypted at rest

All customer data is stored encrypted at rest across all storage systems.

Backup and recovery process tested

Backups are tested regularly to verify successful restoration.

RDS multi-AZ enabled for productionTrailProof

Production RDS instances use Multi-AZ deployment for high availability.

Risk Management

0/5

Formal risk assessment completed

A risk assessment has been conducted and documented, identifying key risks to the system.

Risk register maintained

A risk register is maintained and reviewed at least annually.

Penetration test completed

A third-party penetration test has been completed within the past 12 months. Available as an add-on via TrailProof — delivered by an OSCP & CREST-certified consultant.

Third-party vendor risk assessed

Key vendors and subprocessors have been assessed for security risk.

Business continuity plan documented

A business continuity and disaster recovery plan is documented and tested.

Policies & Governance

· 5 automated

0/7

Information security policy in placeTrailProof

A written information security policy has been adopted and communicated to all staff. Generated by TrailProof AI.

Acceptable use policy documentedTrailProof

All employees have a signed acceptable use policy covering company systems and data. Generated by TrailProof AI.

Incident response policy documentedTrailProof

A written incident response plan exists with clear roles and escalation paths. Generated by TrailProof AI.

Vendor management policy documentedTrailProof

A vendor management policy defines how third-party relationships are assessed and monitored. Generated by TrailProof AI.

All 8 SOC 2 policy documents in placeTrailProof

Complete policy documentation covering all SOC 2 Trust Service Criteria exists and is current. TrailProof generates all 8 documents with AI, tailored to your company.

Policies reviewed and updated annually

Security policies are formally reviewed and updated at least once per year.

Security ownership assigned at management level

A named individual or team owns information security at the management level.

HR & Training

0/5

Employee background checks conducted

Background checks are performed before hiring employees with access to sensitive systems.

Security awareness training completed annually

All employees complete security awareness training at least once per year.

NDA / confidentiality agreements signed

All employees and contractors sign confidentiality agreements before starting.

Onboarding security checklist used

New employees complete a security onboarding checklist before receiving system access.

Offboarding security checklist used

When employees leave, a checklist ensures all access is revoked and equipment returned.

Get the free SOC 2 Preparation Guide

8–10 pages covering Type I vs Type II, picking an auditor, the evidence you need, the biggest mistakes startups make, and a 90-day action plan. Free, no strings.

37 controls need continuous evidence collection

These are the ones auditors spend the most time on — infrastructure configuration, access logs, encryption state, branch protection. They change constantly and need to be re-evidenced for every audit period. TrailProof monitors them automatically across AWS, GitHub, Google Workspace and Okta, and AI writes the executive summary and all 8 policy documents.

See how TrailProof works →Sign in

TrailProof · SOC 2 evidence automation · trailproof.app