Minimum SOC2 Type 2 Evidence Needed
- Security policies and procedures: To detail the organization's security standards and how they are implemented.
- Risk assessments: To identify and assess the risks to the organization's systems and data.
- Incident response plans: To detail the organization's procedures for identifying, responding to, and recovering from security incidents.
- Access control documentation: To demonstrate that only authorized individuals have access to sensitive data and systems.
- Auditing and monitoring logs: To demonstrate that the organization is continuously monitoring its systems and data for potential security incidents.
- Vulnerability management documentation: To demonstrate that the organization is identifying and remediating vulnerabilities in its systems and applications.
- Business continuity and disaster recovery plans: To demonstrate that the organization has a plan in place to keep the business running in case of an emergency or disaster.
- Compliance management documentation: To demonstrate that the organization is in compliance with relevant industry standards and regulations such as SOC2, PCI-DSS, HIPAA, FedRAMP, and CMMC.
- Third-party vendor assessment: To demonstrate that the organization is assessing the security of its third-party vendors and service providers.
- Employee training records: To demonstrate that employees are trained on security policies and procedures.