
Soc2 Compliance
Collect and organize SOC 2 Type I/II audit evidence with clear quality criteria and evidence types.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill soc2-compliance
What is this skill?
- Covers existence, design effectiveness, and operating effectiveness expectations auditors use
- Five evidence quality criteria: relevant, reliable, timely, sufficient, complete
- Four evidence types: inquiry, observation, inspection, re-performance
- Practical automation and documentation guidance for maintaining audit-ready artifacts
Adoption & trust: 530 installs on skills.sh; 17.5k GitHub stars; 2/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
Common Questions / FAQ
Is Soc2 Compliance safe to install?
skills.sh reports 2 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md
# SOC 2 Evidence Collection Guide

Practical guide for collecting, organizing, and maintaining audit evidence for SOC 2 Type I and Type II engagements. Covers evidence types, automation strategies, and documentation requirements.

---

## Evidence Fundamentals

### What Auditors Look For

1. **Existence** — The control is documented and exists
2. **Design effectiveness** — The control is designed to address the TSC criterion (Type I + Type II)
3. **Operating effectiveness** — The control operates consistently over the observation period (Type II only)

### Evidence Quality Criteria

| Criterion | Description |
|-----------|-------------|
| **Relevant** | Directly demonstrates the control's operation |
| **Reliable** | Generated by systems or independent parties (not self-reported) |
| **Timely** | Falls within the audit/observation period |
| **Sufficient** | Enough samples to demonstrate consistency |
| **Complete** | Covers the full population or a representative sample |

### Evidence Types

| Type | Description | Examples |
|------|-------------|----------|
| **Inquiry** | Verbal or written descriptions from personnel | Interview notes, written responses |
| **Observation** | Auditor witnesses control in operation | Process walkthroughs, live demonstrations |
| **Inspection** | Review of documents, records, or configurations | Policy documents, system screenshots, logs |
| **Re-performance** | Auditor re-executes the control to verify results | Access review validation, configuration checks |

---

## Evidence by Control Area

### Access Management

| Control | Type I Evidence | Type II Evidence |
|---------|-----------------|------------------|
| Access provisioning | Provisioning policy, role matrix | Sample provisioning tickets with approvals (full period) |
| Access removal | Termination checklist, deprovisioning SOP | Sample termination events with access removal timestamps |
| Access reviews | Review policy, review template | Completed quarterly access review reports with sign-offs |
| MFA enforcement | MFA policy, configuration screenshot | MFA enrollment report showing 100% coverage |
| Privileged access | Privileged access policy, admin list | Quarterly privileged access reviews, admin activity logs |

### Change Management

| Control | Type I Evidence | Type II Evidence |
|---------|-----------------|------------------|
| Change authorization | Change management policy, workflow description | Sample change tickets with approvals, peer reviews |
| Testing requirements | Testing policy, test plan template | Test results for sampled changes, QA sign-offs |
| Emergency changes | Emergency change procedure | Emergency change tickets with post-hoc approvals |
| Deployment process | CI/CD documentation, deployment runbook | Deployment logs, rollback records |
| Code review | Code review policy | Pull request histories showing reviewer approvals |

### Incident Response

| Control | Type I Evidence | Type II Evidence |
|---------|-----------------|------------------|
| IR plan | Incident response plan document | Plan review/update records, version history |
| IR testing | Tabletop exercise schedule | Tabletop exercise reports, lessons learned |
| Incident handling | Triage procedures, classification criteria | Incident tickets with timestamps, escalation records |
| Postmortems | Postmortem template, review process | Completed postmortem documents, follow-up actions |
| Communication | Communication plan, stakeholder list | Notification records, status page updates |

### Vulnerability Management

| Control | Type I Evidence | Type II Evidence |
|---------|-----------------|------------------|
| Scanning | Scanning schedule, tool configuration | Scan reports covering the full period (weekly/monthly) |
| Remediation SLAs | Remediation policy with SLA definitions | Remediation tracking showing SLA compliance rates |
| Patch management | Patching policy, schedule | Patch records, before/after scan comparisons |
| Penetration testing
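As an added example (not code from the skill or its repository), the following script applies the guide's quality criteria (reliable, timely, sufficient, complete) to a small evidence manifest and then checks, per control from the tables above, whether Type II artifacts are spread across every quarter of the observation period. The `Evidence` record, the 25-sample and 10% thresholds, and the sample records are all assumptions constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
# Added example, not the skill's own code: apply the guide's quality criteria
# to an evidence manifest for a Type II observation period.
@dataclass(frozen=True)
class Evidence:
    control: str      # control name from the guide's tables
    kind: str         # inquiry | observation | inspection | re-performance
    source: str       # "system", "independent" or "self-reported"
    produced: date    # when the artifact was generated
    samples: int      # items the artifact covers (tickets, users, scans)
    population: int   # items in scope for the period

MIN_SAMPLES, MIN_COVERAGE = 25, 0.10   # assumed thresholds, not from the guide
def failed_criteria(ev, start, end):
    """Criteria this artifact fails ('relevant' is a reviewer judgment, not automated)."""
    failed = []
    if ev.source == "self-reported":     # inquiry alone is not reliable evidence
        failed.append("reliable")
    if not start <= ev.produced <= end:
        failed.append("timely")
    if ev.samples < min(MIN_SAMPLES, ev.population):      # 25 items or everything
        failed.append("sufficient")
    if ev.samples < ev.population and ev.samples < MIN_COVERAGE * ev.population:
        failed.append("complete")                          # under 10% of population
    return failed

def quarters_without_evidence(manifest, start, end):
    """Per control, quarters of [start, end] with no timely artifact: gaps in
    the consistent operation that Type II operating effectiveness requires."""
    quarter = lambda d: (d.year, (d.month - 1) // 3)
    wanted, (y, q) = set(), quarter(start)
    while (y, q) <= quarter(end):
        wanted.add((y, q))
        y, q = (y, q + 1) if q < 3 else (y + 1, 0)
    seen = defaultdict(set)
    for ev in manifest:
        if start <= ev.produced <= end:
            seen[ev.control].add(quarter(ev.produced))
    return {c: sorted(wanted - seen[c]) for c in {e.control for e in manifest}}

PERIOD = (date(2024, 1, 1), date(2024, 12, 31))
MANIFEST = [  # constructed sample records, not real audit data
    Evidence("MFA enforcement", "inspection", "system", date(2024, 3, 31), 180, 180),
    Evidence("MFA enforcement", "inspection", "system", date(2024, 9, 30), 180, 180),
    Evidence("Access reviews", "inspection", "independent", date(2024, 6, 30), 40, 40),
    Evidence("Access removal", "inquiry", "self-reported", date(2025, 1, 15), 3, 12),
]
```

Run against the constructed manifest, the self-reported termination sample fails the reliable, timely and sufficient criteria, and every control shows quarters without an artifact, which is exactly the gap an auditor sampling across the full period would flag.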