Audit checklist · reviewed 2026-05-22

SOC 2 Trust Service Criteria — IAM controls checklist

IAM-specific evidence artifacts a SOC 2 auditor (CPA firm) tests during a Type 1 or Type 2 examination.


Applies to

SaaS + service organizations pursuing SOC 2 Type 1 or Type 2 attestation

Cycle cadence

Annual — Type 1 is point-in-time, Type 2 covers a 6-12 month observation window

Primary authority

AICPA

8 evidence items across 4 sections.

Common Criteria — Access (CC6.1, CC6.2, CC6.3)

Most IAM evidence sits under CC6. In the 2017 Trust Services Criteria, CC6.1 covers the logical access security software, infrastructure and architecture that protect information assets (authentication, MFA, credential protection); CC6.2 covers registering and authorizing users before credentials are issued and removing credentials once access is no longer authorized; CC6.3 covers granting, modifying and removing access based on role, least privilege and segregation of duties.

  • CC6.1 — Logical access controls implemented

    Evidence

    Documented access policy + system-side enforcement evidence (Conditional Access export, RBAC config).

    Who owns

    IAM engineering

  • CC6.1 — MFA enforcement

    Evidence

    Sign-in log export covering the audit window, showing MFA satisfied on every workforce and privileged sign-in, plus a documented, approved justification for any exception.

    Who owns

    IAM engineering

  • CC6.2 — Authorization based on need

    Evidence

    Sample access-request tickets showing manager + data-owner approval before grant.

    Who owns

    IAM governance

  • CC6.3 — Removal of access (termination)

    Evidence

    Termination ticket sample (~25 employees) showing deprovisioning completed within policy (typically same-day or next-business-day).

    Who owns

    IAM engineering
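The CC6.1 MFA item and the CC6.3 termination item above are the two that most often fail on evidence mechanics rather than on the control itself: a day with no sign-in records, or a Friday termination that was deprovisioned on Monday but measured against a calendar-day clock. The script below is an added example, not code from this page or from any IdP or ticketing vendor; the record shapes, the constructed sign-ins and termination tickets, the observation window and the "end of next business day" policy are all assumptions. It returns the MFA exceptions (privileged accounts first), the days in the window with no records at all, and the termination tickets that missed the deadline.

```python
"""Evidence-as-code for the CC6.1 MFA item and the CC6.3 termination item.

Added example; the record shapes below are assumptions, not any IdP's or
ticketing system's export format.
"""
import json
from datetime import date, datetime, timedelta, timezone

# Constructed Type 2 observation window (inclusive).
OBSERVATION_START = date(2025, 10, 1)
OBSERVATION_END = date(2025, 10, 7)

# Constructed sign-in records. Nothing at all is recorded on 10-04 and 10-06.
SIGN_INS = [
    {"user": "alice", "ts": "2025-10-01T09:02:11Z", "mfa": True, "privileged": False},
    {"user": "bob", "ts": "2025-10-01T09:15:40Z", "mfa": True, "privileged": True},
    {"user": "carol", "ts": "2025-10-02T14:30:00Z", "mfa": False, "privileged": False},
    {"user": "bob", "ts": "2025-10-03T08:00:00Z", "mfa": False, "privileged": True},
    {"user": "alice", "ts": "2025-10-05T10:00:00Z", "mfa": True, "privileged": False},
    {"user": "dave", "ts": "2025-10-07T17:45:00Z", "mfa": True, "privileged": False},
]

# Constructed termination tickets (UTC). 2025-10-03 is a Friday.
TERMINATIONS = [
    {"user": "erin", "terminated_at": "2025-10-03T16:00:00Z", "deprovisioned_at": "2025-10-06T09:00:00Z"},
    {"user": "frank", "terminated_at": "2025-10-01T11:00:00Z", "deprovisioned_at": "2025-10-03T10:00:00Z"},
    {"user": "grace", "terminated_at": "2025-10-02T09:00:00Z", "deprovisioned_at": None},
]


def _ts(s):
    """Parse the Zulu timestamps used in the constructed data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_exceptions(sign_ins, start, end):
    """Sign-ins inside the window that did not satisfy MFA, privileged accounts first."""
    in_window = [r for r in sign_ins if start <= _ts(r["ts"]).date() <= end]
    return sorted((r for r in in_window if not r["mfa"]),
                  key=lambda r: (not r["privileged"], r["ts"]))


def uncovered_days(sign_ins, start, end):
    """Days in the window with zero records. Treat each as an evidence gap to explain
    (ingestion outage, retention), never as proof that nobody signed in."""
    seen = {_ts(r["ts"]).date() for r in sign_ins}
    day, gaps = start, []
    while day <= end:
        if day not in seen:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps


def deprovision_deadline(terminated_at):
    """Assumed policy: end of the next business day (Mon-Fri, UTC) after termination."""
    day = terminated_at.date() + timedelta(days=1)
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return datetime.combine(day, datetime.max.time(), tzinfo=timezone.utc)


def termination_breaches(terminations):
    """Tickets where deprovisioning is missing or completed after the deadline."""
    breaches = []
    for t in terminations:
        deadline = deprovision_deadline(_ts(t["terminated_at"]))
        done = _ts(t["deprovisioned_at"]) if t["deprovisioned_at"] else None
        if done is None or done > deadline:
            breaches.append({"user": t["user"], "deadline": deadline.isoformat(),
                             "deprovisioned_at": t["deprovisioned_at"]})
    return breaches


def cc6_evidence_report(sign_ins=SIGN_INS, terminations=TERMINATIONS,
                        start=OBSERVATION_START, end=OBSERVATION_END):
    """One structure you can attach to the control: exceptions, gaps and breaches."""
    return {
        "window": [start.isoformat(), end.isoformat()],
        "mfa_exceptions": mfa_exceptions(sign_ins, start, end),
        "uncovered_days": [d.isoformat() for d in uncovered_days(sign_ins, start, end)],
        "termination_breaches": termination_breaches(terminations),
    }


if __name__ == "__main__":
    print(json.dumps(cc6_evidence_report(), indent=2))
```

Run it on a real export by replacing the two constants with rows pulled from the IdP and ticketing system for the whole observation period. An empty `uncovered_days` list is the thing to show the auditor before they ask for it; a non-empty one needs an explanation (ingestion outage, retention cut-off) with its own evidence, because the auditor will not assume the quiet days were genuinely quiet.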

Common Criteria — Privileged + sensitive (CC6.6)

  • CC6.6 — Restrictions for sensitive access

    Evidence

    PAM platform export showing vaulted privileged credentials, session recording or monitoring, and rotation of all production secrets within the policy interval. Note the mapping: in the 2017 TSC, CC6.6 addresses logical access protection against threats from outside the system boundary, so expect the auditor to test perimeter controls (bastion hosts, VPN, firewall rules) under CC6.6 and to test credential vaulting and privileged-account restriction under CC6.1 and CC6.3 as well.

    Who owns

    Privileged access lead

Common Criteria — System operations (CC7.2, CC7.3)

  • CC7.2 — Monitor system components for anomalies

    Evidence

    SIEM dashboards + alert-investigation evidence for identity-event anomalies (failed logins, geo anomalies, privilege use).

    Who owns

    SOC

  • CC7.3 — Evaluation and communication of security events

    Evidence

    Event-triage records showing how identity-related security events were evaluated and classified (incident or not), the incident communication policy, and sample security-event communications from the audit window.

    Who owns

    SOC / CISO
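Dashboards alone rarely satisfy the CC7.2 item; the auditor wants to see the rule that fired and the investigation it triggered. The block below is an added example of the two identity-event rules the item names (failed-login bursts and geo anomalies), written here for illustration and not taken from this page or from any SIEM product; the event tuples are constructed and the thresholds are assumptions to tune against your own baseline.

```python
"""Detection logic for the identity-event anomalies the CC7.2 item lists.

Added example; the event tuples are constructed and the thresholds are
assumptions, not any SIEM's rules.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, user, outcome, source country).
EVENTS = [
    ("2025-10-03T08:00:00Z", "carol", "failure", "US"),
    ("2025-10-03T08:00:20Z", "carol", "failure", "US"),
    ("2025-10-03T08:00:45Z", "carol", "failure", "US"),
    ("2025-10-03T08:01:10Z", "carol", "failure", "US"),
    ("2025-10-03T08:01:30Z", "carol", "failure", "US"),
    ("2025-10-03T08:02:00Z", "carol", "success", "US"),
    ("2025-10-03T09:00:00Z", "bob", "success", "US"),
    ("2025-10-03T09:30:00Z", "bob", "success", "BR"),
    ("2025-10-03T12:00:00Z", "alice", "failure", "US"),
    ("2025-10-03T15:00:00Z", "alice", "success", "US"),
]

FAILURE_THRESHOLD = 5                   # failures ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... inside this sliding window
GEO_WINDOW = timedelta(hours=2)         # two countries closer together than this is not travel


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def failed_login_bursts(events):
    """Sliding-window failure count per user. A success right after a burst is the
    case that matters most (a spray or brute force that worked), so it gets its own alert."""
    recent = defaultdict(deque)
    in_burst = set()
    alerts = []
    for ts, user, outcome, _country in sorted(events):
        t = _ts(ts)
        window = recent[user]
        if outcome == "failure":
            window.append(t)
            while t - window[0] > FAILURE_WINDOW:  # drop failures older than the window
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and user not in in_burst:
                in_burst.add(user)
                alerts.append({"rule": "failed_login_burst", "user": user,
                               "at": ts, "failures": len(window)})
        elif outcome == "success" and user in in_burst:
            alerts.append({"rule": "success_after_burst", "user": user, "at": ts})
            in_burst.discard(user)
            window.clear()
    return alerts


def impossible_travel(events):
    """Two successful sign-ins by one user from different countries inside GEO_WINDOW."""
    last_success = {}
    alerts = []
    for ts, user, outcome, country in sorted(events):
        if outcome != "success":
            continue
        t = _ts(ts)
        if user in last_success:
            prev_t, prev_country = last_success[user]
            if prev_country != country and t - prev_t <= GEO_WINDOW:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev_country, "to": country, "at": ts})
        last_success[user] = (t, country)
    return alerts


if __name__ == "__main__":
    for alert in failed_login_bursts(EVENTS) + impossible_travel(EVENTS):
        print(alert)
```

Keep the rule definitions under version control next to the alert-investigation tickets they produced: a rule diff plus the ticket trail is exactly the "monitoring operated throughout the window" evidence the auditor samples.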

Recurring access reviews

  • Periodic access certification

    Evidence

    Campaign export from IGA showing reviewer, decision, rationale for each entitlement. Quarterly cadence is common; auditors expect risk-tiered cadence for higher-risk systems.

    Who owns

    IAM governance

    Collection tip

    Rubber-stamp rate is the silent risk here. Auditors increasingly ask for "how many entitlements were revoked during the cycle" as a proxy for genuine review.
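The revocation count is the auditor's proxy, but the campaign export also carries the per-reviewer signals that distinguish a real review from a bulk approve: approve rate, blank rationales and the seconds between consecutive decisions. The script below is an added example, not code from this page or from any IGA product; the CSV columns, the constructed campaign rows and the flagging thresholds are assumptions.

```python
"""Rubber-stamp analysis of an access-certification campaign export.

Added example; the CSV columns and the thresholds are assumptions, not any
IGA product's schema or any auditor's published criteria.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed campaign export. mgr_a bulk-approved with no rationale;
# mgr_b took time, wrote reasons, and revoked two entitlements.
CAMPAIGN_CSV = """\
campaign,reviewer,user,entitlement,decision,rationale,decided_at
Q3-2025,mgr_a,u1,prod-db-admin,approve,,2025-09-10T10:00:01Z
Q3-2025,mgr_a,u2,prod-db-admin,approve,,2025-09-10T10:00:03Z
Q3-2025,mgr_a,u3,billing-read,approve,,2025-09-10T10:00:04Z
Q3-2025,mgr_a,u4,billing-read,approve,,2025-09-10T10:00:06Z
Q3-2025,mgr_b,u5,prod-db-admin,revoke,moved to support team,2025-09-11T09:12:00Z
Q3-2025,mgr_b,u6,prod-db-admin,approve,on-call DBA rotation,2025-09-11T09:20:30Z
Q3-2025,mgr_b,u7,billing-read,approve,finance analyst role,2025-09-11T09:31:10Z
Q3-2025,mgr_b,u8,vpn-contractor,revoke,contract ended 2025-08,2025-09-11T09:45:00Z
"""

# Assumed flagging thresholds; tune them against your own campaign history.
RUBBER_STAMP_APPROVE_RATE = 0.98   # approves almost everything ...
MAX_BLANK_RATIONALE_RATE = 0.5     # ... while saying nothing about why, or
MIN_MEDIAN_SECONDS = 5.0           # ... faster than anyone could read the entitlement


def parse_campaign(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reviewer_stats(rows):
    """Per-reviewer approve rate, revocations, blank-rationale rate and decision pace."""
    by_reviewer = defaultdict(list)
    for r in rows:
        by_reviewer[r["reviewer"]].append(r)
    stats = {}
    for reviewer, decisions in by_reviewer.items():
        decisions.sort(key=lambda r: r["decided_at"])  # same ISO format, so text order is time order
        n = len(decisions)
        approvals = sum(r["decision"] == "approve" for r in decisions)
        blank = sum(not r["rationale"].strip() for r in decisions)
        times = [datetime.strptime(r["decided_at"], "%Y-%m-%dT%H:%M:%SZ") for r in decisions]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[reviewer] = {
            "decisions": n,
            "approve_rate": approvals / n,
            "revocations": sum(r["decision"] == "revoke" for r in decisions),
            "blank_rationale_rate": blank / n,
            "median_seconds_between_decisions": statistics.median(gaps) if gaps else None,
        }
    return stats


def flag_rubber_stamps(stats):
    """Reviewers whose pattern looks like approve-all with no evidence of thought."""
    flagged = []
    for reviewer, s in stats.items():
        pace = s["median_seconds_between_decisions"]
        too_fast = pace is not None and pace < MIN_MEDIAN_SECONDS
        if s["approve_rate"] >= RUBBER_STAMP_APPROVE_RATE and (
            s["blank_rationale_rate"] > MAX_BLANK_RATIONALE_RATE or too_fast
        ):
            flagged.append(reviewer)
    return sorted(flagged)


def campaign_summary(rows):
    """The auditor's proxy question: how many entitlements were actually revoked?"""
    total = len(rows)
    revoked = sum(r["decision"] == "revoke" for r in rows)
    return {"entitlements_reviewed": total, "revocations": revoked,
            "revocation_rate": revoked / total if total else 0.0}


if __name__ == "__main__":
    rows = parse_campaign(CAMPAIGN_CSV)
    stats = reviewer_stats(rows)
    print(campaign_summary(rows))
    print("rubber-stamp reviewers:", flag_rubber_stamps(stats))
```

A flagged reviewer is not a finding by itself; it is the list of certifications to send back for re-review before the campaign closes, which is far cheaper than explaining a 100 percent approval rate on prod-db-admin to the auditor.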

Practitioner notes

What auditors actually focus on.

  • SOC 2 Type 2 lives or dies on evidence-window completeness. The auditor samples across the 6-12 month observation period; where evidence is missing for part of that period, the control cannot be shown to have operated, and the auditor reports it as an exception.

  • New SaaS startups often skip CC6.3 (termination deprovisioning) because they haven't had many terminations. With a small population the auditor tests every termination rather than a sample, so a single one without deprovisioning evidence becomes an exception.

  • The AICPA 2017 TSC and its revised points of focus push toward continuous monitoring. The bar for a "manual quarterly check" is rising; automated, continuously collected evidence (evidence-as-code) is the differentiating posture.

Pre-audit?

We pre-audit your SOC 2 IAM evidence.

Two-week gap analysis against this checklist, scored by criticality, with a prioritized remediation plan. Done before the 3PAO / CPA / examiner shows up.


© 2026 askmeidentity, Inc.
