RiscLens


SOC 2 Continuous Monitoring (Post Type II)

How to keep controls and evidence current between audits—without adding bloat.

Access & identity

  • Monthly access reviews on critical systems with approvals.
  • Strict offboarding SLA; monitor stale accounts and MFA coverage.
  • Role hygiene: remove direct permissions, use groups/roles.

Change management

  • Keep approvals + testing evidence on every prod change.
  • Flag emergency changes; require post-review.
  • Review deployment pipeline logs for failed or skipped steps.

Logging & alerting

  • Validate alert thresholds quarterly; avoid alert fatigue.
  • Track MTTR for critical alerts; keep on-call runbooks current.
  • Retain tamper-resistant logs per policy.

Incident response

  • Tabletop twice a year; refresh contact lists and escalation.
  • Document post-incident actions and ensure follow-through.
  • Log notifications to customers/partners when required.

Vendor risk

  • Re-tier vendors annually; update evidence for critical vendors.
  • Monitor new subprocessors and contract clauses.
  • Track remediation for vendor exceptions.

Business continuity

  • Test backups/restores at least annually; log RPO/RTO results.
  • Rehearse failover for critical services if feasible.
  • Update dependency map when architecture changes.

Cadence and ownership

  • Monthly: access/offboarding, alert quality check, critical vendor changes.
  • Quarterly: control owner review of evidence freshness; patch/backup tests.
  • Biannual: incident tabletop; policy refresh; audit readiness spot-check.
  • Annual: BCP/DR test; vendor re-tiering; full evidence vault sweep.

Quick wins

  • Automate access anomaly alerts (dormant accounts, no MFA, privilege drift).
  • Tag evidence with owner + refresh date; remind before it ages out.
  • Track exceptions centrally with due dates and retest proof.
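As an added illustration of the first two quick wins (this is example code, not part of the RiscLens guide), the script below runs the dormant-account, missing-MFA, privilege-drift and offboarding-SLA checks over constructed identity records, then flags evidence items that are stale or about to age out. The thresholds, field names and sample values are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds are assumptions for this example, not values from the guide.
DORMANT_DAYS = 90          # no login in 90 days -> dormant
OFFBOARD_SLA_DAYS = 1      # account must be disabled within 1 day of leaving
EVIDENCE_REMIND_DAYS = 14  # nudge the owner this many days before evidence ages out

@dataclass
class Account:
    user: str
    last_login: date
    mfa: bool
    active: bool
    direct_perms: frozenset            # permissions granted outside any group/role
    offboarded_on: Optional[date] = None

def access_anomalies(accounts, today):
    """Return (user, finding) pairs for the monthly access review queue."""
    findings = []
    for a in accounts:
        if not a.active:
            continue  # disabled accounts are not a control gap
        if a.offboarded_on and (today - a.offboarded_on).days > OFFBOARD_SLA_DAYS:
            findings.append((a.user, "offboarded but still active"))
        if (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.user, "dormant account"))
        if not a.mfa:
            findings.append((a.user, "mfa not enrolled"))
        if a.direct_perms:  # role hygiene: everything should flow through groups/roles
            findings.append((a.user, "privilege drift: direct permissions " + ",".join(sorted(a.direct_perms))))
    return findings

def evidence_reminders(evidence, today):
    """evidence: (name, owner, refresh_due) tuples. Returns items that are stale or due soon."""
    out = []
    for name, owner, due in evidence:
        days_left = (due - today).days
        if days_left < 0:
            out.append((name, owner, "stale"))
        elif days_left <= EVIDENCE_REMIND_DAYS:
            out.append((name, owner, f"refresh in {days_left}d"))
    return out

TODAY = date(2024, 6, 1)  # constructed review date
ACCOUNTS = [  # constructed sample records
    Account("alice", date(2024, 5, 30), True, True, frozenset()),
    Account("bob", date(2024, 1, 15), False, True, frozenset({"prod:admin"})),
    Account("carol", date(2024, 5, 20), True, True, frozenset(), offboarded_on=date(2024, 5, 24)),
]
EVIDENCE = [("Q2 access review", "alice", date(2024, 6, 10)),
            ("backup restore test", "bob", date(2024, 5, 1))]

if __name__ == "__main__":
    for finding in access_anomalies(ACCOUNTS, TODAY) + evidence_reminders(EVIDENCE, TODAY):
        print(finding)
```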

Risks if you pause

  • Evidence goes stale; next audit stretches or fails samples.
  • Access and vendor sprawl create new control gaps.
  • Incident playbooks decay; response time increases.

Keep your Type II steady: refresh evidence on a cadence, track exceptions, and rehearse the controls that matter most.
