# SOC 2 Basics Checklist: 20-Item Guide for Startups

Published: 2026-02-05. Path: /blog/checklists/soc2-basics-checklist. Tags: Compliance Checklist.

SOC 2 basics checklist for startups. Understand the trust service criteria, implement essential controls, and prepare for your first SOC 2 audit.

**TL;DR:** SOC 2 requires documented security policies, access controls with MFA, encryption, logging, incident response procedures, and vendor management. This 20-item checklist covers the essentials: five critical items that should be in place before launch, and 15 more grouped into security policies, access controls, technical controls, and operational controls.

SOC 2 feels overwhelming until you realize it is mostly about proving you do things you should already be doing. If your first enterprise prospect just asked about compliance and you broke out in a cold sweat, start here. This checklist breaks down the audit requirements into concrete technical tasks you can actually knock out.

## Quick Checklist (5 Critical Items)

- [ ] **Create an Information Security Policy**: Document your overall approach to security and data protection.
- [ ] **Implement multi-factor authentication (MFA)**: Require MFA for all production systems and critical tools.
- [ ] **Enable encryption at rest**: Encrypt all databases and file storage.
- [ ] **Enable encryption in transit**: Use HTTPS and TLS 1.2+ for all connections.
- [ ] **Set up centralized logging**: Collect logs from all systems and retain them for at least 90 days.

## Security Policies and Documentation (5 items)

- [ ] **Create an Information Security Policy**: Document your overall approach to security, roles, responsibilities, and commitment to protecting data.
- [ ] **Write an Access Control Policy**: Define how access is granted, reviewed, and revoked. Include the principle of least privilege.
- [ ] **Document an Incident Response Plan**: Describe how you identify, respond to, and recover from security incidents.
- [ ] **Create a Data Classification Policy**: Define how different types of data should be handled, stored, and protected.
- [ ] **Establish a Change Management Policy**: Document how code and infrastructure changes are reviewed, tested, and deployed.

## Access Controls (5 items)

- [ ] **Implement multi-factor authentication (MFA)**: Require MFA for all access to production systems, cloud providers, and critical tools.
- [ ] **Set up role-based access control (RBAC)**: Define roles with the minimum necessary permissions. Avoid giving everyone admin access.
- [ ] **Implement user onboarding and offboarding procedures**: Document how access is provisioned for new employees and revoked when they leave.
- [ ] **Conduct quarterly access reviews**: Review who has access to which systems every quarter. Remove access that is no longer needed.
- [ ] **Use SSO where possible**: Single sign-on makes access management easier and provides better audit trails.

## Technical Controls (5 items)

- [ ] **Enable encryption at rest**: Encrypt databases and file storage. Most cloud providers offer this by default, but verify it is enabled.
- [ ] **Enable encryption in transit**: Use HTTPS everywhere. Ensure TLS 1.2 or higher for all connections, which means disabling TLS 1.0 and 1.1.
- [ ] **Set up centralized logging**: Collect logs from all systems in a central location. Retain logs for at least 90 days, and long enough to cover the observation period of a Type 2 audit, since the auditor will sample from it.
- [ ] **Implement intrusion detection or monitoring**: Set up alerts for suspicious activity, failed login attempts, and security-relevant events.
- [ ] **Conduct regular vulnerability scanning**: Run automated security scans on a regular schedule. Address critical and high severity findings.

## Operational Controls (5 items)

- [ ] **Implement a code review process**: Require at least one reviewer for all code changes before merging to production.
- [ ] **Set up automated testing**: Run automated tests before deployment to catch bugs and regressions.
- [ ] **Document and test backups**: Maintain regular backups and test restoration at least annually.
- [ ] **Manage vendor security**: Maintain a list of vendors with access to customer data. Review their security practices.
- [ ] **Conduct security awareness training**: Train employees on security basics: phishing, password hygiene, data handling.

## SOC 2 Type 1 vs Type 2

SOC 2 Type 1 evaluates your controls at a specific point in time. Type 2 evaluates whether those controls operated effectively over a period (usually 3 to 12 months). Most enterprise buyers want Type 2, but Type 1 is a valid starting point.

For startups, the typical path is: implement controls, get a Type 1, operate for 3 to 6 months, then get a Type 2. Budget approximately $20,000 to $50,000 for the audit depending on scope and auditor.

## FAQ

**When does a startup need SOC 2?**

Typically when selling to enterprises. Many enterprise buyers require SOC 2 compliance from vendors. If you are B2B and your prospects ask about your security certifications, it is time to consider SOC 2.

**How much does SOC 2 certification cost?**

Strictly speaking, SOC 2 is an attestation report issued by a CPA firm rather than a certification, but the cost question is the same either way. For a small startup, expect to pay $20,000 to $50,000 for the audit itself. Add costs for compliance tools ($500 to $2,000 per month), consultant help ($10,000 to $30,000), and internal time. Total first-year costs typically range from $40,000 to $100,000.

**Which trust service criteria should I include?**

Security is required. Add Availability if you have uptime SLAs. Add Confidentiality if you handle sensitive data with specific contractual obligations. Add Processing Integrity if you process transactions. Add Privacy if you handle personal data with specific privacy commitments. Most startups start with Security only, or Security plus Availability.

## Related Articles

- [GDPR Compliance Checklist](/blog/checklists/gdpr-checklist): Data protection compliance guide
- [Startup Security Checklist](/blog/checklists/startup-security-checklist): Essential security for startups
- [What is SOC 2?](/blog/glossary/soc2): Understanding SOC 2 compliance

## Start Your SOC 2 Journey

A security scan gives you a baseline and helps identify gaps before your audit. [Start Free Scan](/)
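Added example, not code from the original checklist, for the "Implement intrusion detection or monitoring" item under Technical Controls: alerting on failed logins is more than counting failures per account, because a password spray touches each account once and never trips a lockout. The script below runs three detections over constructed authentication log lines (the line format, the sample lines and the thresholds are all assumptions for this example; adapt `LINE_RE` to whatever your IdP, sshd or application actually emits):

```python
"""Failed-login alerting over authentication log lines.

Added example for the intrusion detection checklist item. The log line
format, the sample lines and the thresholds are constructed for this
example; adapt LINE_RE to what your IdP, sshd or application emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line format: "<ISO-8601 UTC> auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)   # sliding window per source address (assumed)
BRUTE_FORCE_FAILS = 5           # failures from one source against any accounts
SPRAY_DISTINCT_USERS = 3        # distinct accounts failed from one source
SUCCESS_AFTER_FAILS = 3         # failures preceding a success from the same source


def parse_line(line):
    """Return a dict for a well-formed line, or None so odd lines are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines):
    """Return alerts from time-ordered log lines.

    Covers classic brute force (many failures from one source), password
    spraying (one source, many accounts, few attempts each, which a
    per-account lockout never sees) and a success that follows a run of
    failures from the same source, which is the one worth paging on.
    """
    failures = defaultdict(deque)   # src -> deque of (ts, user) inside WINDOW
    raised = set()                  # (src, kind) already alerted; expire these in production
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > WINDOW:   # slide the window forward
            q.popleft()
        if ev["ok"]:
            if len(q) >= SUCCESS_AFTER_FAILS:
                alerts.append({"kind": "success_after_failures", "src": ev["src"],
                               "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= BRUTE_FORCE_FAILS and (ev["src"], "brute_force") not in raised:
            raised.add((ev["src"], "brute_force"))
            alerts.append({"kind": "brute_force", "src": ev["src"],
                           "failures": len(q), "ts": ev["ts"]})
        distinct = {user for _, user in q}
        if len(distinct) >= SPRAY_DISTINCT_USERS and (ev["src"], "password_spray") not in raised:
            raised.add((ev["src"], "password_spray"))
            alerts.append({"kind": "password_spray", "src": ev["src"],
                           "users": sorted(distinct), "ts": ev["ts"]})
    return alerts


# Constructed sample: a brute-force run that eventually succeeds, a low-and-slow
# spray across three accounts, one benign typo followed by a login, and a line
# the parser does not understand.
SAMPLE_LINES = """\
2026-02-05T10:00:01Z auth FAIL user=alice src=203.0.113.5
2026-02-05T10:00:12Z auth FAIL user=alice src=203.0.113.5
2026-02-05T10:00:25Z auth FAIL user=alice src=203.0.113.5
2026-02-05T10:00:40Z auth FAIL user=alice src=203.0.113.5
2026-02-05T10:00:55Z auth FAIL user=alice src=203.0.113.5
2026-02-05T10:01:10Z auth OK user=alice src=203.0.113.5
2026-02-05T10:02:00Z auth FAIL user=bob src=198.51.100.7
2026-02-05T10:02:05Z auth FAIL user=carol src=198.51.100.7
2026-02-05T10:02:09Z auth FAIL user=dave src=198.51.100.7
2026-02-05T10:30:00Z auth FAIL user=erin src=192.0.2.9
2026-02-05T10:30:30Z auth OK user=erin src=192.0.2.9
2026-02-05T10:31:00Z auth NOTICE session closed
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Run it and three alerts come out: brute force from 203.0.113.5, the success that follows it (the one to page on), and the spray from 198.51.100.7; erin's single typo produces nothing. The `raised` set stops one noisy source from generating an alert per line, but it never expires here; in a real pipeline key it by a time bucket or let your SIEM deduplicate.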
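Added example, not code from the original checklist, for the Access Controls section: the MFA, RBAC, offboarding and quarterly access review items are all checks against the same user list, so one script can produce the review's findings and the counts you record for sign-off. The record layout, role names and sample users below are constructed for this example; a real run joins your IdP's user export with each system's role assignments.

```python
"""Quarterly access review over an IAM export.

Added example for the Access Controls checklist items. The record layout,
role catalogue and sample users are constructed for this example.
"""
from datetime import date, timedelta

TODAY = date(2026, 2, 5)                                       # review date for the sample run
STALE_AFTER = timedelta(days=90)                               # one quarter without a login
ROLE_CATALOGUE = {"viewer", "developer", "oncall", "admin"}   # assumed documented RBAC roles
PRIVILEGED_ROLES = {"oncall", "admin"}                         # assumed roles that reach production


def review_access(records, today=TODAY):
    """Return (user, severity, reason) findings; an empty list means nothing to revoke."""
    findings = []
    for r in records:
        user = r["user"]
        # Offboarding gap: HR says the person is gone, the account is still live.
        if r["employment"] == "terminated" and r["account"] == "active":
            findings.append((user, "critical", "terminated employee still has an active account"))
        if r["account"] != "active":
            continue   # a disabled account carries no live access; nothing more to check
        # RBAC: a role outside the catalogue is an undocumented permission set.
        if r["role"] not in ROLE_CATALOGUE:
            findings.append((user, "high", f"role {r['role']!r} is not in the RBAC catalogue"))
        # MFA: privileged access without a second factor is the first thing an auditor flags.
        if not r["mfa"]:
            severity = "critical" if r["role"] in PRIVILEGED_ROLES else "high"
            findings.append((user, severity, "MFA not enrolled"))
        # Stale access: never logged in, or idle for more than a quarter.
        if r["last_login"] is None or today - r["last_login"] > STALE_AFTER:
            findings.append((user, "medium", "no login in the last 90 days; revoke unless justified"))
    return findings


def summarize(findings):
    """Count findings per severity for the review's sign-off record."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample export: one clean admin, a developer without MFA, a
# terminated employee whose account was never disabled, an admin without MFA,
# a legacy role nobody documented, and a correctly offboarded account.
RECORDS = [
    {"user": "alice", "employment": "active", "account": "active",
     "role": "admin", "mfa": True, "last_login": date(2026, 2, 1)},
    {"user": "bob", "employment": "active", "account": "active",
     "role": "developer", "mfa": False, "last_login": date(2026, 1, 20)},
    {"user": "carol", "employment": "terminated", "account": "active",
     "role": "developer", "mfa": True, "last_login": date(2025, 10, 1)},
    {"user": "dave", "employment": "active", "account": "active",
     "role": "admin", "mfa": False, "last_login": date(2026, 2, 3)},
    {"user": "erin", "employment": "active", "account": "active",
     "role": "legacy-ops", "mfa": True, "last_login": None},
    {"user": "frank", "employment": "terminated", "account": "disabled",
     "role": "viewer", "mfa": True, "last_login": date(2025, 6, 1)},
]

if __name__ == "__main__":
    results = review_access(RECORDS)
    for user, severity, reason in results:
        print(f"{severity:8} {user:6} {reason}")
    print(summarize(results))
```

For the sample export this yields two critical findings (carol's live account after termination, dave's admin role without MFA), two high (bob's missing MFA, erin's undocumented role) and two medium stale-access findings; alice and frank produce nothing. Keep the output of each quarterly run, together with who reviewed it and what was revoked, because that record is the evidence the auditor asks for.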