SOC 2 · 40-STEP CHECKLIST

SOC 2 Readiness Checklist — 40 Steps to a Clean Type II

SOC 2 audits fail on the same controls every year: missing change-management evidence, undocumented access reviews, an incident response plan that was never tested. This 40-step checklist walks the Common Criteria (CC1–CC9) in order, then the optional categories, so when the auditor asks for evidence you can hand it over without scrambling.

Who this is for
  • SaaS founders preparing for first Type I (90-day prep) or Type II (6–12 month observation window)
  • Security leads inheriting a stalled SOC 2 program
  • Sales engineers under enterprise-procurement deadlines
  • DevOps/SRE engineers operationalising audit evidence collection
Typical timeline
Type I: 8–12 weeks from kickoff to report. Type II: add a 6–12 month observation window during which the Type I controls must demonstrably operate (a shorter first window is sometimes accepted).
Severity legend
critical · high · medium

The checklist

CC1 Control Environment

1
Document organisational chart with roles & responsibilities
critical
Identify who owns security, privacy, and each control. Auditor will trace any control back to a named human.
TSC CC1.1
2
Publish a code of conduct and have every employee acknowledge
high
PDF + signed acknowledgement (Drata/Vanta/DocuSign) stored per employee in HR system.
TSC CC1.1, CC1.4
3
Run background checks on all new hires before access provisioning
critical
Use Checkr/Certn; retain the completed-check record per hire, since the auditor samples new hires from the audit period and traces each to a check dated before access was granted.
TSC CC1.4
4
Mandatory annual security awareness training
critical
KnowBe4 / Curricula / Hoxhunt — track completion to 100% before audit cutoff.
TSC CC1.4, CC2.2

CC2 Communication

5
Publish information security policy approved by leadership
high
Reviewed annually; version controlled; communicated to all staff.
TSC CC2.2, CC5.3
6
Maintain a customer-facing trust page / privacy notice
high
Auditor will check that external commitments match internal controls.
TSC CC2.3
7
Establish a whistleblower / anonymous reporting channel
high
Ethics hotline or anonymous form; documented escalation path.
TSC CC2.3

CC3 Risk Assessment

8
Conduct annual risk assessment with documented register
critical
Identify threats, likelihood, impact, owner, treatment. Reviewed by leadership.
TSC CC3.1, CC3.2
9
Maintain a vendor / third-party risk register with tiering
critical
Tier vendors by data sensitivity; SOC 2 / ISO / pen-test review on file for Tier-1.
TSC CC3.2, CC9.2
10
Run an annual fraud risk assessment
high
Document fraud scenarios (insider, financial, data exfil) with controls mapped to each.
TSC CC3.3

CC4 Monitoring Activities

11
Perform quarterly internal control testing (sample-based)
high
Walk through evidence for 5–10 controls each quarter; remediate findings.
TSC CC4.1, CC4.2
12
Track and resolve issues in a ticketed remediation log
high
Jira / Linear / Asana board with SLAs; closed tickets are your evidence.
TSC CC4.2

CC5 Control Activities

13
Document segregation of duties for privileged actions
critical
No single person can deploy code AND access production DB AND modify audit logs.
TSC CC5.1, CC5.2

CC6 Logical Access

14
Enforce SSO + MFA on every production system
critical
Okta / Google Workspace / Entra ID; no shared credentials anywhere.
TSC CC6.1, CC6.2
15
Quarterly user access reviews with manager sign-off
critical
Export user lists per system; managers attest in writing every 90 days.
TSC CC6.2, CC6.3
16
Documented joiner / mover / leaver process with same-day deprovisioning
critical
Jira workflow or Drata/Vanta automation; evidence = a ticket per termination showing access removed within 24h of the HR termination timestamp.
TSC CC6.2, CC6.3
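Items 15 and 16 come down to one reconciliation: every enabled account must map to an active person in HR, and every leaver must have been disabled within the SLA. The script below is an added example, not the page's code or any vendor's. The roster, the IdP export and their field names are constructed stand-ins for whatever your HRIS and Okta/Entra actually export; it also produces the per-manager list each manager signs off in the quarterly review.

```python
"""Quarterly access review and leaver check: reconcile an IdP user export
against the HR roster. Added example (not the page's code); the roster and
export below are constructed, and the field names are assumptions standing
in for your own IdP/HRIS exports."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEPROVISION_SLA = timedelta(hours=24)        # item 16: same-day deprovisioning
AS_OF = datetime(2025, 3, 31, tzinfo=timezone.utc)  # review date (constructed)

# Constructed HR roster keyed by work email (hypothetical people and dates).
HR_ROSTER = {
    "alice@example.com": {"status": "active", "manager": "cto@example.com",
                          "terminated_at": None},
    "bob@example.com": {"status": "terminated", "manager": "cto@example.com",
                        "terminated_at": "2025-03-03T17:00:00Z"},
    "carol@example.com": {"status": "terminated", "manager": "vp-eng@example.com",
                          "terminated_at": "2025-03-10T12:00:00Z"},
}

# Constructed IdP export (shape assumed; real Okta/Entra exports differ in detail).
IDP_USERS = [
    {"email": "alice@example.com", "status": "ACTIVE", "deactivated_at": None},
    {"email": "bob@example.com", "status": "DEPROVISIONED",
     "deactivated_at": "2025-03-05T09:00:00Z"},
    {"email": "carol@example.com", "status": "ACTIVE", "deactivated_at": None},
    {"email": "svc-ci@example.com", "status": "ACTIVE", "deactivated_at": None},
]


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix, or return None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str
    detail: str


def reconcile(hr, idp, now):
    """Return what an auditor would ask about: orphan accounts, leavers still
    enabled, and leavers disabled later than the deprovisioning SLA."""
    findings = []
    for user in idp:
        email = user["email"]
        record = hr.get(email)
        if record is None:
            findings.append(Finding(email, "orphan",
                                    "not in HR roster: service account or leftover?"))
            continue
        if record["status"] != "terminated":
            continue
        terminated = _ts(record["terminated_at"])
        if user["status"] == "ACTIVE":
            findings.append(Finding(email, "active_after_termination",
                                    f"still enabled {now - terminated} after leaving"))
            continue
        lag = _ts(user["deactivated_at"]) - terminated
        if lag > DEPROVISION_SLA:
            findings.append(Finding(email, "late_deprovision",
                                    f"disabled {lag} after termination (SLA {DEPROVISION_SLA})"))
    return findings


def review_packet(hr, idp):
    """Group still-enabled accounts by manager: the list each manager attests
    to in the quarterly review (item 15). Accounts with no HR owner go to
    an 'unowned' bucket that needs a named owner before sign-off."""
    packet = {}
    for user in idp:
        if user["status"] != "ACTIVE":
            continue
        manager = hr.get(user["email"], {}).get("manager", "unowned")
        packet.setdefault(manager, []).append(user["email"])
    return {manager: sorted(emails) for manager, emails in packet.items()}


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, IDP_USERS, AS_OF):
        print(f"{f.issue:26} {f.email:22} {f.detail}")
    for manager, emails in review_packet(HR_ROSTER, IDP_USERS).items():
        print(f"review for {manager}: {', '.join(emails)}")
```

Run it on the real exports each quarter and keep the output next to the signed attestations: the findings list is the evidence that the review actually found and closed something, and a clean run with no orphans is the evidence for item 16.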
17
Encrypt data at rest (AES-256) and in transit (TLS 1.2+)
critical
Verify with AWS Config / GCP Asset Inventory; document the cipher policy, with TLS 1.0/1.1 and weak cipher suites disabled at the load balancer.
TSC CC6.1, CC6.7
18
Centralised secrets management — no secrets in code/repos
critical
AWS Secrets Manager / Doppler / Vault; scan repos with Gitleaks/TruffleHog.
TSC CC6.1
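Gitleaks and TruffleHog both work from two ideas: patterns for known secret formats (an AWS access key ID always starts `AKIA`, a GitHub PAT `ghp_`) and an entropy check on anything assigned to a variable called secret, token or password. The scanner below is an added example, not the page's code and not either tool, that applies the same two ideas so you can see what the pre-commit hook is actually deciding. The sample file is constructed; the key-looking strings in it are fake (the `AKIA…EXAMPLE` value is AWS's own documentation placeholder).

```python
"""Pre-commit / CI secret scan for checklist item 18. Added example, not the
page's code and not Gitleaks or TruffleHog; it applies the same two ideas those
tools use (known-format patterns plus an entropy check on assignments).
The sample file below is constructed; the key-looking strings are fake."""
import math
import re
import sys
from collections import Counter

# Known secret formats (the prefixes are the vendors' published formats).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# `secret = "..."`-style assignments whose value is long and random-looking.
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{16,})""")
ENTROPY_THRESHOLD = 3.5  # bits/char: English text sits near 3, random base64 above 4


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<stdin>"):
    """Return (path, line, rule, redacted_prefix) for each hit; never log the
    full value, or the scanner itself becomes a place secrets leak to."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((path, lineno, rule, m.group(0)[:6] + "..."))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            already_known = any(rx.search(value) for rx in PATTERNS.values())
            if not already_known and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                hits.append((path, lineno, "high_entropy_assignment", value[:6] + "..."))
    return hits


def scan_files(paths):
    hits = []
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_text(fh.read(), p))
        except OSError as exc:
            print(f"skip {p}: {exc}", file=sys.stderr)
    return hits


SAMPLE_FILE = """\
# settings.py (constructed sample, not from any real repository)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = os.environ["DB_PASSWORD"]
STRIPE_SECRET = "sk_test_9XqL2mP7vR4wT8kZ3nB6cY1d"
LOG_LEVEL = "INFO"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Typical CI usage: python scan_secrets.py $(git ls-files); exit 1 blocks the merge.
    found = scan_files(sys.argv[1:]) if sys.argv[1:] else scan_text(SAMPLE_FILE, "settings.py")
    for path, lineno, rule, prefix in found:
        print(f"{path}:{lineno}: {rule} ({prefix})")
    sys.exit(1 if found else 0)
```

Note what the sample shows: the `os.environ[...]` line is not flagged because the value is a lookup, not a literal, which is the pattern you want code to follow. The entropy rule will also fire on hashes and base64 fixtures; handle those with a path or regex allowlist, as Gitleaks does, rather than by lowering the threshold.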
19
Endpoint protection (EDR) on all employee devices
high
CrowdStrike / SentinelOne / Jamf MDM with disk encryption + screen lock policy.
TSC CC6.7, CC6.8

CC7 System Operations

20
Centralised logging with 1-year retention (minimum)
critical
CloudWatch / Datadog / Splunk; archive to write-once storage (e.g. S3 with Object Lock in compliance mode) so logs cannot be altered or deleted within the retention period.
TSC CC7.2
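The evidence for item 20 on AWS is two API responses: CloudWatch Logs `describe_log_groups` (how long each group is kept) and S3 `get_object_lock_configuration` on the archive bucket (whether anyone can delete or rewrite). The checker below is an added example, not the page's code. The responses are constructed but use the real response field names, so in production you pass in the dicts boto3 returns.

```python
"""Checks for checklist item 20 run against the two AWS API responses that
evidence it: CloudWatch Logs describe_log_groups (retention) and S3
get_object_lock_configuration (write-once archive). Added example, not the
page's code; the responses below are constructed with the real field names."""

MIN_RETENTION_DAYS = 365  # the page's 1-year minimum

# Constructed responses (field names follow the AWS API, values are made up).
LOG_GROUPS = {"logGroups": [
    {"logGroupName": "/aws/lambda/api", "retentionInDays": 30},
    {"logGroupName": "/app/audit", "retentionInDays": 400},
    {"logGroupName": "/app/auth"},          # no retentionInDays: never expires
]}
OBJECT_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}},
}}


def check_log_groups(resp, minimum=MIN_RETENTION_DAYS):
    """Flag groups that expire before the minimum, and groups with no expiry
    (they meet the minimum but must be reconciled with the retention schedule)."""
    findings = []
    for group in resp.get("logGroups", []):
        name, days = group["logGroupName"], group.get("retentionInDays")
        if days is None:
            findings.append((name, "no_expiry",
                             "kept indefinitely; confirm against retention schedule (item 35)"))
        elif days < minimum:
            findings.append((name, "retention_too_short", f"{days}d < {minimum}d"))
    return findings


def check_object_lock(resp, minimum=MIN_RETENTION_DAYS):
    """Tamper resistance needs Object Lock in COMPLIANCE mode: GOVERNANCE mode
    can be bypassed by any principal holding s3:BypassGovernanceRetention."""
    cfg = resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object_lock_disabled"]
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    problems = []
    if rule.get("Mode") != "COMPLIANCE":
        problems.append(f"mode_{rule.get('Mode', 'unset').lower()}_not_compliance")
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)   # API sets one or the other
    if days < minimum:
        problems.append(f"default_retention_{days}d_below_{minimum}d")
    return problems


if __name__ == "__main__":
    for name, issue, detail in check_log_groups(LOG_GROUPS):
        print(f"{name}: {issue} ({detail})")
    print("archive bucket:", check_object_lock(OBJECT_LOCK) or "ok")
```

CloudWatch Logs itself is not write-once: anyone with `logs:DeleteLogGroup` can remove a year of history in one call, which is why the page's control pairs retention with an export to locked storage. Save the raw responses with a timestamp alongside the checker output; that pair is what the auditor samples.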
21
Documented & tested incident response plan
critical
IR runbook + tabletop exercise within last 12 months + post-mortem template.
TSC CC7.3, CC7.4
22
Vulnerability scanning at least quarterly
high
Tenable / Qualys / AWS Inspector; document remediation SLAs (critical 30d, high 60d).
TSC CC7.1
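Documenting an SLA is the easy half of item 22; the auditor then samples findings and checks each against it, including open ones with an approved exception. The tracker below is an added example, not the page's code. The findings are constructed, and the `exception` field is an assumed way of recording a documented, time-boxed risk acceptance, which is the case most teams forget to evidence.

```python
"""Remediation-SLA tracker for checklist item 22. Added example, not the page's
code: the findings below are constructed, and the `exception` field is an
assumed way to record a documented, time-boxed risk acceptance."""
from collections import Counter
from datetime import date, timedelta

# The page's example SLAs for critical/high, plus an assumed value for medium.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90}
AS_OF = date(2025, 3, 31)  # report date (constructed)

# Constructed findings, normalised from a scanner export.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "first_seen": date(2025, 1, 1),
     "fixed_at": date(2025, 1, 20)},
    {"id": "F-2", "severity": "high", "first_seen": date(2025, 1, 1),
     "fixed_at": date(2025, 3, 15)},
    {"id": "F-3", "severity": "critical", "first_seen": date(2025, 2, 20),
     "fixed_at": None},
    {"id": "F-4", "severity": "medium", "first_seen": date(2025, 3, 20),
     "fixed_at": None},
    {"id": "F-5", "severity": "high", "first_seen": date(2025, 1, 5),
     "fixed_at": None,
     "exception": {"approved_by": "ciso@example.com", "expires": date(2025, 6, 30)}},
]


def due_date(finding):
    return finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])


def classify(finding, as_of):
    """Status of one finding on `as_of`. A documented exception only counts
    while unexpired; an expired exception is reported as its own state so it
    cannot hide an overdue finding."""
    due = due_date(finding)
    fixed = finding.get("fixed_at")
    exception = finding.get("exception")
    if fixed is not None:
        return "closed_in_sla" if fixed <= due else "closed_late"
    if exception is not None:
        return "risk_accepted" if as_of <= exception["expires"] else "exception_expired"
    return "open_in_sla" if as_of <= due else "open_overdue"


def sla_report(findings, as_of=AS_OF):
    """Per-finding rows plus status counts: the table you hand to the auditor."""
    rows = [{"id": f["id"], "severity": f["severity"], "due": due_date(f),
             "status": classify(f, as_of)} for f in findings]
    return rows, Counter(row["status"] for row in rows)


if __name__ == "__main__":
    rows, counts = sla_report(FINDINGS)
    for row in rows:
        print(f"{row['id']} {row['severity']:8} due {row['due']} {row['status']}")
    print(dict(counts))
```

Run it at each quarterly scan and at the end of the observation window; the `closed_late` and `open_overdue` rows each need a remediation ticket (item 12) before the auditor sees them, not an explanation afterwards.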
23
Annual penetration test by independent third party
critical
Report + remediation tickets + retest. Auditor will read the full report.
TSC CC7.1
24
Customer notification process for security incidents (≤72h target)
high
Documented playbook with templates; legal + comms involvement. The 72h figure mirrors GDPR's supervisory-authority deadline; check your MSAs, which often commit to less.
TSC CC7.4, CC7.5

CC8 Change Management

25
All production changes go through pull-request review
critical
Branch protection enforced; min 1 approving reviewer other than the author; CI green required; rules apply to admins too.
TSC CC8.1
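The evidence for item 25 is the branch-protection configuration itself, not a screenshot of a merged PR. The checker below is an added example, not the page's code. It evaluates the JSON that GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint returns (classic branch protection, not repository rulesets); both payloads are constructed to show a failing and a passing configuration.

```python
"""Evaluate a GitHub branch-protection payload against checklist item 25.
Added example (not the page's code). The dict shape follows the response of
GET /repos/{owner}/{repo}/branches/{branch}/protection (classic branch
protection, not repository rulesets); both payloads below are constructed."""
import json
import sys


def evaluate_protection(p):
    """Return {'fail': [...], 'warn': [...]}; an empty 'fail' meets item 25."""
    fail, warn = [], []
    reviews = p.get("required_pull_request_reviews")
    if not reviews:
        fail.append("pull request review not required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            fail.append("zero approving reviews required")
        if not reviews.get("dismiss_stale_reviews"):
            warn.append("approvals survive later commits (dismiss_stale_reviews off)")
    checks = p.get("required_status_checks")
    if not checks or not checks.get("contexts"):
        fail.append("no required status checks: CI green not enforced")
    elif not checks.get("strict"):
        warn.append("branch need not be current with base before merge (strict off)")
    if not p.get("enforce_admins", {}).get("enabled"):
        fail.append("admins can bypass (enforce_admins off)")
    if p.get("allow_force_pushes", {}).get("enabled"):
        fail.append("force pushes allowed: history can be rewritten")
    if p.get("allow_deletions", {}).get("enabled"):
        warn.append("branch can be deleted")
    return {"fail": fail, "warn": warn}


# Constructed payloads (same keys as the API, values made up).
WEAK = {
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}
GOOD = {
    "required_status_checks": {"strict": True, "contexts": ["ci/test", "ci/lint"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"dismiss_stale_reviews": True,
                                      "required_approving_review_count": 1},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    # Usage: gh api repos/OWNER/REPO/branches/main/protection | python check_branch.py -
    payload = json.load(sys.stdin) if sys.argv[1:] == ["-"] else WEAK
    result = evaluate_protection(payload)
    for level in ("fail", "warn"):
        for msg in result[level]:
            print(f"{level.upper()}: {msg}")
    sys.exit(1 if result["fail"] else 0)
```

GitHub already prevents an author approving their own PR, so one required approval is one other human; `enforce_admins` is the setting teams most often leave off, and it is exactly the gap an auditor walking the "who can bypass this" question will find. Keep the raw JSON with a date and repository name as the evidence, and re-pull it each quarter so the observation window has more than one sample.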
26
Separate environments (dev / staging / prod) with no shared credentials
high
Different AWS accounts / GCP projects ideal; isolated VPCs at minimum.
TSC CC8.1
27
Documented rollback procedure for every deploy
high
Blue/green or canary; runbook for emergency rollback within 15 min.
TSC CC8.1
28
Infrastructure-as-code with version control & approvals
high
Terraform / Pulumi reviewed via PR; manual console changes detected (CloudTrail, drift detection), ticketed, and approved after the fact as documented exceptions.
TSC CC8.1

CC9 Risk Mitigation

29
Cybersecurity insurance policy in force
high
Active policy with adequate limits ($1M+ typical); evidence the certificate.
TSC CC9.1
30
Business continuity & disaster recovery plan with RTO/RPO
critical
Documented plan + last test result; backup restoration verified annually.
TSC CC9.1, A1.2
31
Vendor SLAs reviewed annually for sub-service organisations
high
Carve-out vs inclusive method documented; subservice SOC 2 reports on file.
TSC CC9.2

Availability (A)

32
Capacity monitoring and forecasting
high
Dashboards for CPU/memory/disk/network with alert thresholds.
TSC A1.1
33
Documented backup schedule + restoration testing
critical
Daily/weekly/monthly RPO; quarterly restore test with evidence.
TSC A1.2, A1.3

Confidentiality (C)

34
Data classification policy applied to all systems
high
Public / Internal / Confidential / Restricted; encryption requirements per tier.
TSC C1.1
35
Data retention & destruction schedule with evidence of deletion
high
Retention matrix per data type; certificate of destruction for media disposal.
TSC C1.2

Processing Integrity (PI)

36
Input validation and error handling on all data interfaces
high
Documented schema validation; error logs reviewed for systemic failures.
TSC PI1.1, PI1.2

Privacy (P)

37
Privacy notice updated and consent captured at collection
high
Cookie consent + signup-time disclosure; aligned to GDPR/CCPA if in scope.
TSC P1.1, P2.1

Evidence Collection

38
Centralised evidence repository (Drata/Vanta/Secureframe/own)
critical
Auditor needs single source of truth — link to every control's evidence.
All TSC

Audit Prep

39
Conduct a readiness assessment with your CPA firm before kickoff
critical
Identifies gaps 4–8 weeks before formal audit start; cheaper than mid-audit remediation.
All TSC
40
Designate a primary audit point-of-contact and weekly auditor sync
high
Auditor questions go to one human, batched daily; weekly status call keeps you on schedule.
Audit Mgmt


Enforcement context

SOC 2 is an attestation report, not a regulation, so no regulator enforces it directly. The figure this page cites is a consumer-protection action in which security and fraud-handling failures featured, the kind of outcome the controls above exist to prevent.

$175M
Block / Cash App · 2025 (CFPB consent order: refunds plus civil penalty)

FAQ

How long does SOC 2 take?
Type I: 8–12 weeks once controls are in place. Type II: add a 6–12 month observation window. Total cold-start to Type II report: 9–14 months.
Type I or Type II first?
Type I is a point-in-time snapshot — cheaper and faster. Most enterprise buyers eventually require Type II. Common path: Type I first (close immediate deals), then run Type II during the observation window.
Which Trust Services Criteria do I need?
Security (CC1–CC9) is mandatory. Add Availability, Confidentiality, Processing Integrity, or Privacy based on what you've committed to customers in contracts/MSAs.
Do I need a tool like Vanta or Drata?
Not strictly required, but you'll need a centralised evidence repository. Spreadsheet works for Type I; for Type II the automation pays for itself.
