SOC 2 Readiness Control
Access Control
Who can access production systems and customer data, and how you enforce authentication and approvals.
Why auditors care
Access control sets the blast radius of any compromise: SSO, MFA, and role-based access decide who can reach production systems and customer data. Demonstrate clear ownership, evidence, and cadence to show this control operates consistently.
What to implement
- Assign an owner and set a cadence for access reviews.
- Document the policy, procedure, and escalation path, including how emergency access is granted and revoked.
- Track exceptions (for example, accounts that cannot use SSO or MFA) with remediation dates.
Evidence auditors expect
- Dated records of access reviews or approvals.
- Screenshots or exports showing SSO and MFA configuration and coverage.
- Tickets proving remediation or follow-up, including offboarding.
Common mistakes
- Unowned control with no review cadence.
- Evidence not tied to who changed what, and when.
- No process for exceptions or emergency access changes.
FAQ
Why auditors care
Access defines your blast radius. Auditors look for SSO, MFA, role-based access, and timely offboarding.
Common gaps
Local accounts without MFA, shared admin credentials, and slow offboarding workflows.
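As an added example (not part of the original page), the following Python script runs checks for the three gaps named above over a constructed user export and produces a dated finding record of the kind the evidence section asks for. The CSV columns, the one-day offboarding SLA, and the rule that an admin account without an individual mailbox address is treated as a shared credential are all assumptions made for illustration.

```python
"""Access review check over a constructed identity-provider export.

Added example, not from the original page. Flags local accounts without MFA,
shared admin credentials, and users still present after their termination
date, then wraps the findings in a dated record suitable as review evidence.
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample export; the column layout is an assumption, not a real
# vendor format. Dates are ISO 8601, empty terminated_on means still employed.
SAMPLE_EXPORT = """\
user,auth_source,mfa_enrolled,role,terminated_on,last_login
alice@example.com,sso,true,admin,,2024-06-03
bob@example.com,local,false,engineer,,2024-06-02
ops-admin,local,false,admin,,2024-06-04
carol@example.com,sso,true,engineer,2024-05-01,2024-05-28
dave@example.com,sso,true,engineer,2024-05-30,2024-05-29
"""

# Assumption: access must be removed within one day of termination.
OFFBOARDING_SLA_DAYS = 1


def _parse_date(value):
    value = value.strip()
    return date.fromisoformat(value) if value else None


def parse_export(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"].strip(),
            "auth_source": row["auth_source"].strip().lower(),
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
            "role": row["role"].strip().lower(),
            "terminated_on": _parse_date(row["terminated_on"]),
            "last_login": _parse_date(row["last_login"]),
        })
    return rows


def review_access(rows, as_of):
    """Return one finding per (user, gap) pair present in the export as of `as_of`."""
    findings = []
    for r in rows:
        # Gap 1: local (non-SSO) account that has not enrolled MFA.
        if r["auth_source"] == "local" and not r["mfa_enrolled"]:
            findings.append({"user": r["user"], "gap": "local_account_without_mfa",
                             "severity": "high" if r["role"] == "admin" else "medium",
                             "detail": "local account, MFA not enrolled"})
        # Gap 2: admin account not tied to an individual mailbox (heuristic for a
        # shared credential; assumption for this example).
        if r["role"] == "admin" and "@" not in r["user"]:
            findings.append({"user": r["user"], "gap": "shared_admin_credential",
                             "severity": "high",
                             "detail": "admin role on a non-individual account"})
        # Gap 3: terminated user still present past the offboarding SLA.
        t = r["terminated_on"]
        if t is not None and as_of > t + timedelta(days=OFFBOARDING_SLA_DAYS):
            used_after = r["last_login"] is not None and r["last_login"] > t
            findings.append({"user": r["user"], "gap": "offboarding_overdue",
                             "severity": "high" if used_after else "medium",
                             "detail": f"terminated {t.isoformat()}, still present "
                                       f"{(as_of - t).days} days later"
                                       + (", logged in after termination" if used_after else "")})
    return findings


def evidence_record(findings, as_of, reviewer):
    """Dated, attributed record that answers who reviewed what, and when."""
    return {
        "control": "Access Control",
        "reviewed_on": as_of.isoformat(),
        "reviewer": reviewer,
        "gap_counts": dict(Counter(f["gap"] for f in findings)),
        "findings": findings,
    }


if __name__ == "__main__":
    review_date = date(2024, 6, 5)
    record = evidence_record(review_access(parse_export(SAMPLE_EXPORT), review_date),
                             review_date, "security@example.com")
    print(record["reviewed_on"], record["gap_counts"])
    for f in record["findings"]:
        print(f"{f['severity']:6} {f['user']:20} {f['gap']}: {f['detail']}")
```

Each finding carries the user, the gap, and a detail string, so the record can be attached to a ticket and tied to a remediation date; rerunning the script on the next review date against a fresh export shows whether the remediation actually closed the gap.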
