SOC 2 Compliance Checklist — GCP
Framework: AICPA Trust Services Criteria (TSC) 2017 with 2022 revised points of focus
Scope: Security (mandatory) + Availability, Confidentiality (common add-ons)
Status legend: [ ] Not started · [~] In progress · [x] Complete
Do not represent any control as implemented until you have collected and retained evidence. Auditors require logs, screenshots, policy documents, and configuration exports — not just running services.
Google's SOC 2 report covers the physical infrastructure, hypervisor, and managed service platforms. Your SOC 2 report must cover your controls — IAM, logging, network, encryption, and processes running on top of GCP. Download Google's compliance reports from the Google Cloud Compliance Reports Manager to use as vendor evidence.
CC1 — Control Environment
| # | Item | Status | Owner |
|---|---|---|---|
| 1.1 | Document an Information Security Policy approved by management | [ ] | CISO / Compliance |
| 1.2 | Define organizational roles and security responsibilities (RACI) | [ ] | CISO |
| 1.3 | Establish a security awareness training program; track completion annually | [ ] | HR / Security |
| 1.4 | Conduct background checks for employees with access to customer data | [ ] | HR |
| 1.5 | Enable Google Cloud Organization with Organization Policies to enforce project-level guardrails | [ ] | Cloud Admin |
| 1.6 | Download Google Cloud SOC 2 report from Compliance Reports Manager and retain as vendor evidence | [ ] | Compliance |
Reference: Google Cloud Compliance Reports Manager → · GCP Shared Responsibility Model →
CC2 — Communication and Information
| # | Item | Status | Owner |
|---|---|---|---|
| 2.1 | Publish a customer-facing security page or Trust Center | [ ] | Security / Marketing |
| 2.2 | Maintain an incident notification process (SLA for notifying customers) | [ ] | Security |
| 2.3 | Enable Cloud Audit Logs (Admin Activity) in all projects as the primary audit information source | [ ] | Cloud Admin |
| 2.4 | Document and communicate a security incident reporting channel internally | [ ] | Security |
Reference: Logging & Monitoring →
CC3 — Risk Assessment
| # | Item | Status | Owner |
|---|---|---|---|
| 3.1 | Conduct a formal risk assessment annually; document in a risk register | [ ] | Compliance |
| 3.2 | Enable Security Command Center (SCC) Premium for continuous vulnerability and misconfiguration detection | [ ] | Security |
| 3.3 | Enable SCC and activate the CIS Google Cloud Foundations Benchmark v2.0 standard | [ ] | Cloud Admin |
| 3.4 | Review SCC findings monthly and track remediation in a ticketing system | [ ] | Security |
| 3.5 | Assess risks posed by third-party vendors and document mitigations | [ ] | Compliance |
Reference: Security Command Center →
CC4 — Monitoring Activities
| # | Item | Status | Owner |
|---|---|---|---|
| 4.1 | Enable Organization Policy constraints across the GCP org to enforce config baselines | [ ] | Cloud Admin |
| 4.2 | Enable Security Command Center Premium on all projects via the organization | [ ] | Cloud Admin |
| 4.3 | Configure Cloud Monitoring alerting policies for critical security events (IAM changes, firewall changes, login failures) | [ ] | Cloud Admin |
| 4.4 | Conduct a penetration test at least annually; retain the report | [ ] | Security |
| 4.5 | Perform quarterly access reviews via IAM Recommender; document and remediate excess permissions | [ ] | Security |
Reference: Logging & Monitoring →
CC5 — Control Activities
| # | Item | Status | Owner |
|---|---|---|---|
| 5.1 | Apply least-privilege IAM; no use of basic (formerly primitive) roles (Owner, Editor) in production | [ ] | Cloud Admin |
| 5.2 | Use Cloud Identity or Google Workspace for all human access; no shared service accounts for engineers | [ ] | Cloud Admin |
| 5.3 | Enforce segregation of duties — developers cannot directly deploy to production | [ ] | Engineering Lead |
| 5.4 | Require pull-request reviews and CI pipeline success before production deployments | [ ] | Engineering Lead |
| 5.5 | All infrastructure defined as code (Terraform, Deployment Manager) with version control | [ ] | Cloud Admin |
Reference: IAM & Access Control →
CC6 — Logical and Physical Access Controls
CC6.1 — Logical Access Security
| # | Item | Status | Owner |
|---|---|---|---|
| 6.1.1 | Enforce 2-Step Verification (2SV) for all users via Admin Console or Context-Aware Access policy | [ ] | Cloud Admin |
| 6.1.2 | Require hardware security keys (FIDO2) for super admins and privileged users | [ ] | Cloud Admin |
| 6.1.3 | Enable Privileged Access Manager (PAM) for just-in-time access to sensitive roles | [ ] | Cloud Admin |
| 6.1.4 | Enforce strong password policy via Cloud Identity Admin Console | [ ] | Cloud Admin |
| 6.1.5 | Enable automatic key rotation in Cloud KMS for all customer-managed encryption keys (CMEK) | [ ] | Cloud Admin |
| 6.1.6 | Enable uniform bucket-level access on all Cloud Storage buckets; disable public access | [ ] | Cloud Admin |
| 6.1.7 | Enable CMEK on all Persistent Disks and Cloud SQL instances containing sensitive data | [ ] | Cloud Admin |
CC6.2 — New Access Provisioning
| # | Item | Status | Owner |
|---|---|---|---|
| 6.2.1 | Use Cloud Identity (or Google Workspace) with IdP federation for all engineer access | [ ] | Cloud Admin |
| 6.2.2 | Document a formal access request and approval process | [ ] | Security |
| 6.2.3 | Grant access via predefined or custom IAM roles at the project or resource level; avoid basic (formerly primitive) roles | [ ] | Cloud Admin |
CC6.3 — Access Removal
| # | Item | Status | Owner |
|---|---|---|---|
| 6.3.1 | Deprovision Cloud Identity accounts within 24 hours of termination | [ ] | HR / Cloud Admin |
| 6.3.2 | Revoke all active OAuth tokens and API keys on account termination | [ ] | Cloud Admin |
| 6.3.3 | Apply IAM Recommender monthly; remove roles with no usage in 90+ days | [ ] | Cloud Admin |
| 6.3.4 | Run quarterly access reviews for all project-level IAM bindings; remove unjustified access | [ ] | Cloud Admin |
CC6.6 — Network Controls
| # | Item | Status | Owner |
|---|---|---|---|
| 6.6.1 | Set compute.skipDefaultNetworkCreation Organization Policy to prevent default VPC creation | [ ] | Cloud Admin |
| 6.6.2 | Deploy production workloads in private subnets with Private Google Access; no external IPs on VMs | [ ] | Cloud Admin |
| 6.6.3 | No VPC firewall rule allows unrestricted inbound access (0.0.0.0/0) on admin ports (22, 3389) | [ ] | Cloud Admin |
| 6.6.4 | Enable VPC Flow Logs on all subnets; send to Cloud Logging | [ ] | Cloud Admin |
| 6.6.5 | Deploy Cloud Armor WAF on all external HTTP(S) Load Balancers | [ ] | Cloud Admin |
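Item 6.6.3 is easiest to evidence from a configuration export rather than a console screenshot. The following checker is an added example, not part of the original checklist: it reads the JSON shape produced by `gcloud compute firewall-rules list --format=json` (an assumption about the export format), and flags enabled ingress rules that expose port 22 or 3389 to 0.0.0.0/0 or ::/0, including rules that hit those ports through a port range or a protocol-wide allow. The rule names and the 203.0.113.0/24 source are constructed sample data.

```python
import json, sys

ADMIN_PORTS = {22, 3389}           # SSH and RDP, the ports CC6.6.3 names
ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # "unrestricted inbound" for IPv4 and IPv6

def port_hit(port_specs, wanted):
    """True if a gcloud port list such as ["22", "1000-2000"] covers any wanted port.
    An absent or empty list means the rule allows every port of that protocol."""
    if not port_specs:
        return True
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        low, high = int(lo), int(hi or lo)
        if any(low <= p <= high for p in wanted):
            return True
    return False

def open_admin_rules(rules):
    """Names of enabled INGRESS rules that expose an admin port to the whole internet.
    Input mirrors the JSON from `gcloud compute firewall-rules list --format=json` (assumed shape)."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not ANY_SOURCE & set(rule.get("sourceRanges", [])):
            continue
        for allow in rule.get("allowed", []):
            proto = allow.get("IPProtocol", "").lower()
            if proto in ("tcp", "all") and port_hit(allow.get("ports"), ADMIN_PORTS):
                findings.append(rule["name"])
                break
    return findings

# Constructed sample export (not a real project's rules); 203.0.113.0/24 is a documentation range.
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-range-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-ssh-corp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    # Pass the path of a saved --format=json export to check real rules instead of the sample.
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    for name in open_admin_rules(rules):
        print(f"CC6.6.3 violation: {name}")
```

Keep the export file and the script output together as the evidence artifact for 6.6.3; a disabled rule is excluded from the findings but still worth deleting so it cannot be re-enabled later.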
CC6.7 — Data Transmission Controls
| # | Item | Status | Owner |
|---|---|---|---|
| 6.7.1 | Enforce TLS 1.2+ on all public endpoints; disable older protocols via SSL policies | [ ] | Cloud Admin |
| 6.7.2 | Enable storage.requireTls Organization Policy constraint on all Cloud Storage buckets | [ ] | Cloud Admin |
| 6.7.3 | Store all secrets, API keys, and credentials in Secret Manager; never in code or environment variables | [ ] | Engineering |
| 6.7.4 | Enable automatic rotation for all Secret Manager secrets | [ ] | Cloud Admin |
Reference: Network Security → · Encryption →
CC7 — System Operations
| # | Item | Status | Owner |
|---|---|---|---|
| 7.1 | Confirm Admin Activity audit logs are retained for all services at the organization level (these logs are always on and cannot be disabled) | [ ] | Cloud Admin |
| 7.2 | Enable Data Access audit logs for sensitive services (Cloud Storage, BigQuery, Cloud SQL, Secret Manager) | [ ] | Cloud Admin |
| 7.3 | Export all audit logs to a centralised log bucket with a locked retention policy | [ ] | Cloud Admin |
| 7.4 | Enable Security Command Center Premium; configure notification feeds for HIGH/CRITICAL findings | [ ] | Cloud Admin |
| 7.5 | Enable Event Threat Detection and Container Threat Detection in SCC | [ ] | Cloud Admin |
| 7.6 | Enable VM Manager (OS patch management and vulnerability scanning) on all Compute instances | [ ] | Cloud Admin |
| 7.7 | Document and test an incident response runbook; review quarterly | [ ] | Security |
| 7.8 | Configure Pub/Sub notification channels to route HIGH/CRITICAL SCC findings to a ticketing system | [ ] | Cloud Admin |
Reference: Logging & Monitoring → · Incident Response →
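Item 7.2 is the one most often marked complete without evidence, because Data Access logs are off by default and are configured per service in the project IAM policy. The following checker is an added example, not part of the original checklist: it reads the `auditConfigs` section of the JSON from `gcloud projects get-iam-policy PROJECT --format=json` (an assumption about the export shape), resolves the `allServices` wildcard, and reports each of the four services 7.2 names that is missing DATA_READ or DATA_WRITE, together with any `exemptedMembers`, since an exemption means that member's data access is not logged. The sample policy and the user in it are constructed.

```python
REQUIRED_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}
# API service names for the services CC7.2 lists (Cloud Storage, BigQuery, Cloud SQL, Secret Manager).
SENSITIVE_SERVICES = ("storage.googleapis.com", "bigquery.googleapis.com",
                      "sqladmin.googleapis.com", "secretmanager.googleapis.com")

def audit_state(audit_configs, service):
    """Return (enabled log types, members exempted from Data Access logs) for one service.
    A service inherits entries from the allServices wildcard as well as its own entry."""
    enabled, exempted = set(), set()
    for cfg in audit_configs:
        if cfg.get("service") not in (service, "allServices"):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            enabled.add(log_cfg["logType"])
            if log_cfg["logType"] in REQUIRED_LOG_TYPES:
                exempted.update(log_cfg.get("exemptedMembers", []))
    return enabled, sorted(exempted)

def audit_gaps(policy):
    """Map each sensitive service to its missing Data Access log types and exempted members.
    Input mirrors the JSON from `gcloud projects get-iam-policy PROJECT --format=json` (assumed shape)."""
    configs = policy.get("auditConfigs", [])
    gaps = {}
    for service in SENSITIVE_SERVICES:
        enabled, exempted = audit_state(configs, service)
        missing = sorted(REQUIRED_LOG_TYPES - enabled)
        if missing or exempted:  # exemptions are gaps too: those members' access is unlogged
            gaps[service] = {"missing": missing, "exempted": exempted}
    return gaps

# Constructed sample policy (not a real project's policy).
SAMPLE_POLICY = {"auditConfigs": [
    {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]},
    {"service": "bigquery.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ", "exemptedMembers": ["user:etl@example.com"]},
                         {"logType": "DATA_WRITE"}]},
    {"service": "sqladmin.googleapis.com", "auditLogConfigs": [{"logType": "DATA_WRITE"}]},
]}

if __name__ == "__main__":
    for service, gap in audit_gaps(SAMPLE_POLICY).items():
        print(f"CC7.2 gap in {service}: missing={gap['missing']} exempted={gap['exempted']}")
```

Run it against the saved policy export for every in-scope project and file the output with the export as the 7.2 evidence; an empty result is what an auditor expects to see.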
CC8 — Change Management
| # | Item | Status | Owner |
|---|---|---|---|
| 8.1 | All production infrastructure changes made via IaC (Terraform, Cloud Deploy); no manual console changes | [ ] | Cloud Admin |
| 8.2 | Require peer review (pull request) for all IaC changes | [ ] | Engineering Lead |
| 8.3 | CI/CD pipeline runs security scans (tfsec, checkov, Container Analysis) before deployment | [ ] | Engineering |
| 8.4 | Enable Security Command Center misconfiguration detection to alert on drift from approved baselines | [ ] | Cloud Admin |
| 8.5 | Maintain a change log; document major infrastructure changes with rationale | [ ] | Cloud Admin |
| 8.6 | Test deployments in a staging environment before production | [ ] | Engineering |
CC9 — Risk Mitigation
| # | Item | Status | Owner |
|---|---|---|---|
| 9.1 | Maintain a vendor inventory; assess each vendor's SOC 2 / ISO 27001 status annually | [ ] | Compliance |
| 9.2 | Obtain Google Cloud SOC 2 report annually from Compliance Reports Manager as vendor evidence | [ ] | Compliance |
| 9.3 | Enable Cloud Backup or snapshot policies for all critical data stores | [ ] | Cloud Admin |
| 9.4 | Document and test BCP/DRP; verify RTO and RPO targets can be met | [ ] | Cloud Admin |
| 9.5 | Use multi-region or regional resources and Cloud Load Balancing to meet defined availability SLAs | [ ] | Cloud Admin |
Reference: Google Cloud Compliance Reports Manager → · Cloud Backup and DR →
Risk Manager and Assured Workloads
Risk Manager scans your GCP environment and produces a risk report that maps findings to insurance and compliance frameworks — useful as pre-audit evidence.
Assured Workloads enforces data residency, personnel access controls, and compliance posture (FedRAMP, IL4, CJIS) at the folder level — consider for regulated workloads requiring geographic data controls.
Reference: Google Cloud Risk Manager → · Assured Workloads →