
Free Download · SOC 2 Type II

The complete SOC 2 Type II readiness checklist

30 control prompts across all 5 AICPA Trust Services Criteria, a Complementary User Entity Controls tracker for SaaS service organizations, and an ISO 27001:2022 cross-map so a single answer scores both audits. Built by RiskWatch's compliance team for VPs of Trust running Type II + ISO 27001 dual surveillance.

5 Trust Services Criteria · CUEC tracker · ISO 27001:2022 cross-map

Instant download · No credit card · No sales follow-up

Used by VPs of Trust + Security at B2B SaaS preparing for first-time Type II attestation, annual surveillance, and 380+ enterprise customer audit reviews.

NetAccess · Aon · Bose · Iberdrola USA · Johnson & Johnson · Pfizer

What's Inside

30 control prompts. 5 Trust Services Criteria. One CUEC tracker.

Each section follows the AICPA SOC 2 2017 Trust Services Criteria (with 2022 revisions), Description Criteria DC-200, and the SSAE 18 attestation standard. Use the prompts directly in your readiness scan or during the Type II observation period; they map 1:1 to RiskWatch's platform questionnaire.

CC1–CC9

Common Criteria · Security TSC

The 9 Common Criteria categories, mandatory for every SOC 2 report. Shared with ISO 27001 Annex A and NIST CSF 2.0.

  • CC1 Control Environment: board oversight, ethics, organizational structure, competence
  • CC2 Communication & Information: internal control responsibilities + auditor communication
  • CC3 Risk Assessment: fraud risk, change-driven reassessment, COSO ERM alignment
  • CC4 Monitoring Activities: ongoing + separate evaluations, deficiency remediation
  • CC5 Control Activities: policy + procedure deployment, technology general controls
  • CC6 Logical & Physical Access: provisioning, MFA, encryption, physical access, malware
  • CC7 System Operations: vulnerability mgmt, anomaly detection, incident response, BCM
  • CC8 Change Management: authorize, design, develop, test, approve, deploy
  • CC9 Risk Mitigation: business disruption, vendor + business-partner risk

A1

Availability TSC · Additional Criteria

Optional add-on covering capacity planning, environmental protections, and recovery testing.

  • A1.1 Capacity demand monitoring + capacity-planning evidence
  • A1.2 Environmental protections: power, telecom, fire, climate
  • A1.3 Recovery + backup testing, RTO/RPO observed during the audit window

PI1

Processing Integrity TSC · Additional Criteria

Optional add-on for SaaS doing transactional or computational processing where output accuracy matters.

  • PI1.1 Definition of processing-integrity objectives + acceptable inputs
  • PI1.4 System processing is complete, accurate, and timely
  • PI1.5 Output reconciliation + error handling for failed processing

C1

Confidentiality TSC · Additional Criteria

Optional add-on for data marked confidential by contract, NDA, or customer commitment.

  • C1.1 Identification + classification of confidential information
  • C1.2 Disposal of confidential information at end of retention
  • C1.x Confidentiality commitments tracked in vendor + sub-service-org contracts

P

Privacy TSC · Additional Criteria

Optional add-on aligned to AICPA + GAPP privacy principles. Cross-mapped to GDPR + CCPA where applicable.

  • P1 Notice + communication of privacy commitments to data subjects
  • P2 Choice + consent for collection, use, retention, and disclosure
  • P3 Collection limited to stated purposes
  • P4 Use, retention, and disposal aligned to privacy notice
  • P5 + P6 Access by data subjects + onward-transfer controls

CUEC

Complementary User Entity Controls Tracker

The customer-side controls that SOC 2 reports require. Without CUEC attestations the auditor's opinion is meaningless. Track which customers have attested to which CUECs.

  • User-access provisioning + deprovisioning at the customer tenant
  • Annual user-access review by the customer admin
  • BYOK / KMS key rotation + customer-managed encryption keys
  • Audit log review + alerting at the customer side
  • Incident reporting back to the service organization within SLA

Why Use This Checklist

Auditor-aligned. Cross-mapped. CUEC-aware.

Auditor-aligned to AICPA SOC 2 + SSAE 18. Every prompt traces to the 2017 Trust Services Criteria document with the 2022 revisions, the AICPA Description Criteria DC-200 update, and the SSAE 18 attestation standard. Type I (point-in-time, design + implementation) and Type II (operating effectiveness over a 6–12 month window) tracks are tagged separately, so you aren't reverse-engineering the difference at month 9 of the observation period.

Source: AICPA SOC 2

Cross-mapped to ISO 27001:2022, NIST CSF 2.0, and CSA STAR. The Common Criteria share evidence with ISO 27001:2022 Annex A (the 93-control set published in October 2022), NIST CSF 2.0 (Govern / Identify / Protect / Detect / Respond / Recover), and the Cloud Security Alliance CCM v4. Score one control, satisfy multiple frameworks. Most B2B SaaS run SOC 2 + ISO 27001 dual surveillance; the cross-map cuts dual-framework prep time by roughly 60%.

Source: ISO/IEC 27001:2022

Built around the CUEC ecosystem for SaaS service organizations. Complementary User Entity Controls (user-access provisioning, annual access reviews, BYOK key rotation, audit-log review, MFA enforcement, incident reporting) are the controls SOC 2 reports require customers to perform. The included CUEC tracker shows which customers have attested to which CUECs, surfaces attestation gaps that would undermine the audit, and routes missing attestations into the trust-portal workflow before the next auditor visit.

Source: AICPA SSAE 18

Who It's For

Built for the three roles that own SOC 2 inside a B2B SaaS

VP Trust, Director Compliance, and the engineering lead who has to actually implement the controls. Each role gets a tailored entry point, scoring lens, and remediation queue.

CISO / VP Trust + Security

Owns the multi-framework attestation strategy, the customer-facing trust portal, and the program calendar that runs SOC 2 Type II + ISO 27001 dual surveillance against 380+ enterprise customer audit reviews.

Outcome with the checklist

Use the checklist to scope first-time Type II vs renewal cycle, decide which Additional Criteria to add (Availability, Confidentiality, Privacy), and align board-level reporting to DC-200.

Director Compliance + Audit

Owns the audit cycle, evidence vault, sub-service-organization scoping (carve-out vs inclusive method), and the CSA STAR + SIG + CAIQ customer-questionnaire response binder.

Outcome with the checklist

Use the checklist to gap-scan the Common Criteria, build the Type II evidence calendar, and pre-stage CUEC attestation requests so customer SIG response time drops from 11 days to 2.

Engineering Lead · Implementing Controls

Owns the technical Security TSC (CC6 logical access, CC7 system operations, CC8 change management), incident response, vulnerability management, and the platform-side CUEC implementation.

Outcome with the checklist

Use the checklist to translate auditor language into engineering tickets, capture evidence at the moment it lands rather than reconstructing it pre-audit, and surface CUEC notifications to customer admins.

FAQ

Common questions about the SOC 2 Type II checklist

Type I vs Type II tracks, CUEC coverage, ISO 27001 cross-mapping, and auditor selection guidance, all answered up front so you can decide before the download.

Type II + ISO 27001 dual surveillance

Run SOC 2 + ISO 27001 in parallel?

A 30-minute walkthrough of the unified library: one TSC control assessment scores against the SOC 2 Common Criteria, the ISO 27001:2022 Annex A counterpart, the NIST CSF 2.0 outcome, and the customer SIG response simultaneously. No slideware, no consulting upsell.
