
SOC 2 Evidence Collection

Required Evidence by Control

  • Access Control Evidence
  • Change Management Evidence
  • Monitoring Evidence
  • Backup and Recovery Evidence
CC6.1 - Logical Access Controls

Evidence to collect:
  • Access control matrix (roles and permissions)
  • User access review logs (quarterly)
  • MFA enforcement configuration
  • Screenshot of authentication settings
  • Sample of access provisioning tickets
  • Sample of access deprovisioning tickets (within 24 hours of termination)
  • Failed login attempt logs
  • Privileged access usage logs
Collection Script:
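#!/usr/bin/env bash
# scripts/soc2_evidence_collection.sh
# Stop on the first failed command so a partial evidence set is not mistaken for a complete one
set -euo pipefail

# Create the output directories the commands below write into
mkdir -p evidence/access_reviews evidence/mfa evidence/auth_logs

# Collect access review evidence
python scripts/export_access_review.py \
  --period "2025-Q1" \
  --output evidence/access_reviews/2025-Q1.pdf

# Export MFA enrollment status
python scripts/export_mfa_status.py \
  --output evidence/mfa/enrollment_status.csv

# Collect authentication logs for the last 30 days
# (--since takes a duration in s/m/h units, so 30 days is written as 720h)
kubectl logs -n production deployment/auth-service \
  --since=720h > "evidence/auth_logs/auth_logs_$(date +%Y%m).log"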
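
The evidence list above requires deprovisioning within 24 hours of termination. The following is an added example, not part of the original collection scripts, that checks that window across exported records and reports the exceptions an auditor would ask about. The CSV column names, ticket IDs and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)  # window stated in the evidence list above

# Constructed sample data (not real records). Column names are assumptions.
TERMINATIONS_CSV = """user,terminated_at
alice,2025-01-10T17:00:00+00:00
bob,2025-02-03T09:30:00-05:00
carol,2025-03-20T12:00:00+00:00
"""
DEPROVISIONING_CSV = """user,disabled_at,ticket
alice,2025-01-11T08:15:00+00:00,IT-0001
bob,2025-02-04T16:00:00+00:00,IT-0002
"""

def _load(text, ts_field):
    """Map user -> row, with ts_field parsed to an aware UTC datetime."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row[ts_field])
        if ts.tzinfo is None:
            raise ValueError(f"{row['user']}: timestamp lacks a UTC offset")
        row[ts_field] = ts.astimezone(timezone.utc)
        rows[row["user"]] = row
    return rows

def deprovisioning_exceptions(terminations_csv, deprovisioning_csv, as_of):
    """Return (user, reason) for every termination outside the 24-hour window."""
    terms = _load(terminations_csv, "terminated_at")
    deprov = _load(deprovisioning_csv, "disabled_at")
    findings = []
    for user, term in sorted(terms.items()):
        deadline = term["terminated_at"] + SLA
        event = deprov.get(user)
        if event is None:
            if as_of > deadline:  # still inside the window is not yet a finding
                findings.append((user, "no deprovisioning record"))
        elif event["disabled_at"] > deadline:
            late = event["disabled_at"] - deadline
            findings.append((user, f"late by {late} ({event['ticket']})"))
    return findings

if __name__ == "__main__":
    as_of = datetime(2025, 4, 1, tzinfo=timezone.utc)
    for user, reason in deprovisioning_exceptions(TERMINATIONS_CSV, DEPROVISIONING_CSV, as_of):
        print(f"EXCEPTION {user}: {reason}")
```

Timestamps without a UTC offset are rejected rather than guessed, because a time zone mismatch between the HR export and the identity provider export can hide or invent a 24-hour breach.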

SOC 2 Type II Observation Period

Timeline and Milestones

Month 1-3: Preparation and Readiness
├── Month 1: Gap analysis and control design
├── Month 2: Implement controls and documentation
└── Month 3: Testing and remediation

Month 4-6: Observation Period Begins (Type II)
├── Month 4: Evidence collection starts
├── Month 5: Quarterly access reviews
└── Month 6: Continuous monitoring

Month 7-9: Continued Observation
├── Month 7: Mid-period audit check-in
├── Month 8: Quarterly access reviews
└── Month 9: Evidence compilation

Month 10-12: Audit and Reporting
├── Month 10: Auditor testing begins
├── Month 11: Auditor fieldwork
└── Month 12: SOC 2 report issuance
Key Requirements:
  • Minimum 3-month observation (some auditors require 6-12 months)
  • Continuous operation of controls throughout period
  • Complete evidence trail for all controls
  • No material exceptions or unmitigated findings

Next Steps