# SOC 2 Evidence Collection SOP
Sub-procedure of soc2-gap-sop.md
## Overview
Detailed procedures for collecting, organizing, and maintaining evidence for SOC 2 audits, including evidence types by control area, collection automation strategies, and quality validation requirements. This sub-procedure ensures comprehensive evidence availability for Type I and Type II audits.
## Scope
- Parent SOP: SOC 2 Gap Assessment
- Pillar: Protect (Security & Compliance)
- Service Area: SOC 2 Evidence Collection
## Prerequisites
- Parent SOP requirements met
- Control matrix finalized with all TSC criteria mapped
- Control owners identified for each control
- Evidence repository established
- Audit period defined (Type II: start and end dates)
- Evidence collection schedule created
## Procedure
### Step 1: Evidence Requirements Definition
Objective: Define evidence needed for each control
Evidence Type Categories:
| Type | Description | Examples |
|---|---|---|
| Policy/Procedure | Documented requirements | Security policy, access control procedure |
| Configuration | System settings | Firewall rules, password policy settings |
| Population | Complete list of items | All users, all changes, all incidents |
| Sample | Representative subset | Sample of access reviews, sample of changes |
| Screenshot | Point-in-time capture | Dashboard, configuration screen |
| Report | Generated output | Vulnerability scan, access report |
| Log | Activity records | Audit logs, change logs |
| Attestation | Signed statement | Management attestation, vendor attestation |
Evidence by Control Area:
| Control Area | Common Evidence Types |
|---|---|
| CC1 - Control Environment | Org charts, job descriptions, board minutes, code of conduct |
| CC2 - Communication | Training records, policy acknowledgments, security awareness |
| CC3 - Risk Assessment | Risk assessment reports, risk register, fraud risk assessment |
| CC4 - Monitoring | Control monitoring reports, exception tracking |
| CC5 - Control Activities | Policies, procedures, control documentation |
| CC6 - Access | User lists, access reviews, MFA configuration, termination evidence |
| CC7 - Operations | Vulnerability scans, incident log, backup logs, SIEM configuration |
| CC8 - Change Management | Change tickets, code reviews, deployment records |
| CC9 - Risk Mitigation | Vendor assessments, SOC 2 reports, BCP/DR test results |
### Step 2: Evidence Collection by Control
Objective: Collect required evidence for each in-scope control
CC1 - Control Environment Evidence:
| Control | Evidence Required | Collection Method |
|---|---|---|
| Board/Management Oversight | Board meeting minutes, security discussions | Manual - request from executive admin |
| Organizational Structure | Current org chart, reporting lines | Manual - request from HR |
| Security Responsibility | CISO/Security Officer job description | Manual - request from HR |
| Code of Conduct | Policy document, acknowledgment records | Manual - policy repository, HRIS |
| HR Policies | Background check policy, employee handbook | Manual - request from HR |
CC6 - Access Control Evidence:
| Control | Evidence Required | Collection Method |
|---|---|---|
| User Provisioning | New user tickets with approvals | Automated - ticketing system export |
| Access Modifications | Change tickets with approvals | Automated - ticketing system export |
| User Termination | Termination checklist, deprovisioning evidence | Manual/Automated - HR + IT systems |
| Access Reviews | Completed access review documentation | Manual - review records |
| MFA Configuration | MFA settings, enrollment statistics | Automated - IdP export |
| Password Policy | Password policy configuration | Screenshot - identity system |
| Privileged Access | Privileged user list, justification | Manual - PAM system export |
CC7 - System Operations Evidence:
| Control | Evidence Required | Collection Method |
|---|---|---|
| Vulnerability Scanning | Scan reports, remediation tracking | Automated - scanner export |
| Security Monitoring | SIEM configuration, alert examples | Screenshot + report export |
| Incident Response | IR plan, incident log, incident tickets | Manual - IR documentation |
| Malware Protection | EDR configuration, coverage report | Automated - EDR console export |
| Backup Verification | Backup logs, success reports | Automated - backup system export |
| Recovery Testing | DR test documentation, results | Manual - DR test records |
CC8 - Change Management Evidence:
| Control | Evidence Required | Collection Method |
|---|---|---|
| Change Policy | Change management policy | Manual - policy repository |
| Change Requests | Change tickets with approvals | Automated - ticketing system export |
| Code Review | Pull request reviews, approval records | Automated - source control export |
| Testing | Test results, QA signoff | Manual/Automated - CI/CD records |
| Deployment | Deployment records, production changes | Automated - deployment tool export |
| Rollback | Rollback procedures, examples if any | Manual - runbook + incident records |
### Step 3: Type II Period Evidence
Objective: Collect evidence spanning the entire audit period
Period Evidence Requirements:
| Control Type | Evidence Requirement | Frequency |
|---|---|---|
| Periodic Controls | Evidence of each execution | Per occurrence |
| Continuous Controls | Sample throughout period | Monthly/Quarterly samples |
| Policy-Based | Policy in effect throughout | Point-in-time + change history |
| Configuration | Configuration throughout | Quarterly screenshots or change log |
Population and Sampling:
| Population Type | Evidence Needed |
|---|---|
| All Users | Complete user list at period end + adds/removals |
| All Changes | Change log for full period |
| All Incidents | Incident log for full period |
| All Vendors | Vendor inventory + assessment records |
| All Access Reviews | All reviews completed during period |
Sample Selection Guidance:
| Population Size | Suggested Sample Size |
|---|---|
| 1-50 | 100% or auditor discretion |
| 51-200 | 25-50 items |
| 201-500 | 25 items |
| 500+ | 25 items + statistical sampling |
### Step 4: Evidence Collection Automation
Objective: Automate evidence collection where possible
Automation Opportunities:
| Evidence Type | Automation Approach | Tools |
|---|---|---|
| User Lists | Scheduled export from identity provider | Okta, Azure AD, Google Workspace |
| Vulnerability Scans | Scheduled report generation | Qualys, Tenable, Rapid7 |
| Change Logs | API integration or scheduled export | Jira, GitHub, GitLab |
| Backup Status | Automated backup reporting | AWS Backup, Veeam, Datto |
| Access Reviews | Compliance platform | Vanta, Drata, Secureframe |
GRC/Compliance Platform Integration:
| Platform | Capabilities | Best For |
|---|---|---|
| Vanta | Automated evidence collection, continuous monitoring | Startups, cloud-native |
| Drata | Automated compliance, evidence management | Growth-stage, multi-framework |
| Secureframe | Compliance automation, personnel management | SMB, fast implementation |
| Manual Process | Spreadsheets, file organization | Minimal tooling budget |
### Step 5: Evidence Quality Validation
Objective: Ensure evidence meets audit requirements
Quality Validation Checklist:
| Quality Attribute | Validation Method |
|---|---|
| Completeness | Evidence covers full control requirement |
| Accuracy | Evidence reflects actual control operation |
| Timeliness | Evidence from correct audit period |
| Authenticity | Evidence from authoritative source |
| Relevance | Evidence directly supports control |
| Clarity | Evidence is understandable to auditor |
Common Evidence Issues:
| Issue | Resolution |
|---|---|
| Missing dates | Add timestamps or date documentation |
| Unclear source | Document where evidence was obtained |
| Partial coverage | Collect additional evidence to fill gaps |
| Outdated | Refresh with current evidence |
| Wrong format | Convert to auditor-acceptable format |
Evidence Review Process:
- Control Owner Review - Verify evidence is correct and complete
- SBK Review - Validate evidence meets audit requirements
- Gap Identification - Document missing or insufficient evidence
- Remediation - Collect additional evidence as needed
- Final Validation - Confirm evidence package is audit-ready
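The Step 3 sampling table and the Step 5 quality checklist, worked as an added example (not the SOP's own tooling): a small Python check over constructed evidence metadata that returns the suggested sample size for a population and flags missing dates, out-of-period evidence, undocumented sources, and in-scope controls with no evidence at all. The `Evidence` record, its fields, the sample package and the audit period are assumptions.

```python
"""Evidence package checks for a Type II period (added example, not the SOP's own code).
Encodes the Step 3 sample-size table and the Step 5 checks for dates, source and coverage."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
@dataclass
class Evidence:
    control: str          # TSC criterion the item supports, e.g. "CC6.1"
    kind: str             # evidence type category from Step 1
    dated: date | None    # date shown on the evidence; None if absent
    source: str           # authoritative system it came from; "" if undocumented

def suggested_sample_size(population: int) -> str:
    """Sample size per the SOP's Sample Selection Guidance table."""
    if population <= 50:
        return "100% or auditor discretion"
    if population <= 200:
        return "25-50 items"
    if population <= 500:
        return "25 items"
    return "25 items + statistical sampling"

def item_issues(item: Evidence, start: date, end: date) -> list[str]:
    """Flag the 'Common Evidence Issues' detectable from metadata alone.
    A policy may predate the period (in effect throughout); other evidence may not."""
    issues = []
    if item.dated is None:
        issues.append("Missing dates")
    elif item.dated > end:
        issues.append("Timeliness: dated after audit period")
    elif item.dated < start and item.kind != "Policy/Procedure":
        issues.append("Outdated: dated before audit period")
    if not item.source:
        issues.append("Unclear source")
    return issues

def validate_package(items, required_controls, start: date, end: date) -> dict:
    """Per-item issues plus in-scope controls with no evidence at all (partial coverage)."""
    issues = {f"{n}:{i.control}": item_issues(i, start, end) for n, i in enumerate(items)}
    gaps = sorted(set(required_controls) - {i.control for i in items})
    return {"issues": {k: v for k, v in issues.items() if v}, "coverage_gaps": gaps}

PERIOD = (date(2025, 1, 1), date(2025, 12, 31))  # constructed audit period (calendar 2025)
SAMPLE = [  # constructed evidence package
    Evidence("CC6.1", "Population", date(2025, 12, 31), "Okta"),
    Evidence("CC7.1", "Report", None, "Qualys"),
    Evidence("CC8.1", "Log", date(2024, 11, 15), ""),
    Evidence("CC5.1", "Policy/Procedure", date(2024, 6, 1), "Policy repository"),
]
REQUIRED = ["CC1.1", "CC5.1", "CC6.1", "CC7.1", "CC8.1"]
```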
### Step 6: Evidence Repository Management
Objective: Maintain organized, secure evidence repository
Repository Structure:
| Folder | Contents | Retention |
|---|---|---|
| /Current-Period/ | Evidence for current audit | Until audit complete |
| /Prior-Periods/ | Evidence from prior audits | 3 years minimum |
| /Policies/ | Current and historical policies | Indefinite |
| /Working-Documents/ | Draft evidence, notes | Until audit complete |
Security Requirements:
| Requirement | Implementation |
|---|---|
| Access Control | Limited to audit team and control owners |
| Encryption | At rest and in transit |
| Audit Trail | Log all access and modifications |
| Backup | Regular backup of repository |
| Retention | Per retention schedule |
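One way to implement the audit-trail and authenticity requirements above, as an added example rather than the SOP's own tooling: each intake records the source system, collector, UTC timestamp and SHA-256 of the file in an append-only log, and a verify pass re-hashes the repository to detect anything modified or removed after collection. The folder layout under `Current-Period/<control>/`, the log file name and the constructed Okta export are assumptions.

```python
"""Evidence intake with integrity metadata and an append-only audit trail (added example,
not the SOP's own tooling). Layout follows Step 6: files land under Current-Period/<control>/."""
from __future__ import annotations
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def intake_evidence(repo: Path, control: str, src: Path, source_system: str, collector: str) -> dict:
    """Copy an export into the repository and log who collected it, from where, when, and its hash."""
    dest_dir = repo / "Current-Period" / control
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name
    shutil.copy2(src, dest)
    record = {
        "control": control, "file": str(dest.relative_to(repo)), "sha256": sha256_of(dest),
        "source_system": source_system, "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }
    with (repo / "audit-trail.jsonl").open("a") as log:  # append-only record of intakes
        log.write(json.dumps(record) + "\n")
    return record

def verify_repository(repo: Path) -> list[str]:
    """Re-hash every logged file; report anything changed or removed since intake."""
    problems = []
    for line in (repo / "audit-trail.jsonl").read_text().splitlines():
        rec = json.loads(line)
        path = repo / rec["file"]
        if not path.exists():
            problems.append(f"{rec['file']}: missing")
        elif sha256_of(path) != rec["sha256"]:
            problems.append(f"{rec['file']}: hash mismatch (modified after intake)")
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Intake a constructed IdP user export, verify, then tamper with it and verify again."""
    repo, staging = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    export = staging / "okta-users.csv"  # constructed export, not real IdP data
    export.write_text("login,status\nalice@example.com,ACTIVE\nbob@example.com,DEPROVISIONED\n")
    intake_evidence(repo, "CC6.1", export, "Okta (constructed)", "audit-coordinator")
    before = verify_repository(repo)
    (repo / "Current-Period" / "CC6.1" / "okta-users.csv").write_text("login,status\n")
    return before, verify_repository(repo)
```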
## Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| Evidence Requirement Matrix | Excel | SBK Consultant |
| Evidence Collection Schedule | Project plan | Audit Coordinator |
| Organized Evidence Repository | Folder structure | Audit Coordinator |
| Evidence Quality Report | Checklist/Report | SBK Consultant |
| Population Lists | Excel/CSV | Control Owners |
| Sample Selections | Documented selections | Auditor/SBK |
## Quality Gates
- Evidence requirements defined for all in-scope controls
- Evidence collection assignments made to control owners
- Evidence collected for all controls
- Type II period evidence covers full audit period
- Evidence quality validated
- Repository organized per structure requirements
- Populations complete and accurate
- Sample selections documented
## Related Documents
- Parent SOP: SOC 2 Gap Assessment
- SOC 2 Readiness SOP
- SOC 2 Audit Prep SOP
- SOC 2 Ongoing Compliance SOP
- Cross-Pillar SOPs
Last Updated: February 2026
Parent SOP: soc2-gap-sop.md