Compliance Checklist

Compliance Scorecard

Checklists [SOC 2, HIPAA, ISO 27001]


1. SOC 2 Compliance Checklist

SOC 2 focuses on the Trust Services Criteria — Security (mandatory), Availability, Confidentiality, Processing Integrity, and Privacy. (The HIPAA Journal)

Scope & Planning

  • Define the SOC 2 scope (systems, data, services). (ISMS.online)
  • Choose applicable Trust Services Criteria (Security mandatory; others as needed). (ISMS.online)
  • Assign compliance roles & responsibilities. (Hicomply)

Policies & Documentation

  • Information security policy suite (access control, incident response, change management). (Hicomply)
  • Data classification & handling procedures. (Hicomply)
  • Privacy and confidentiality policies. (The HIPAA Journal)

Risk & Access Controls

  • Perform a formal risk assessment and risk treatment plan. (DSALTA)
  • Implement logical and physical access controls (MFA, RBAC, principle of least privilege). (Compliancy Group)
  • Quarterly access reviews and recertification. (Compliancy Group)

Technical Security

  • Network firewalls, IDS/IPS, and SIEM monitoring. (Compliancy Group)
  • Encryption of data at rest and in transit. (The HIPAA Journal)
  • Vulnerability scanning and penetration tests.

Availability & Monitoring

Incident Response & Business Continuity

  • Formal incident response plan (detect, respond, recover). (DSALTA)
  • Documented disaster recovery and business continuity plans. (DSALTA)

Third-Party & Vendor Risk

  • Vendor inventory with contract and security requirements. (DSALTA)
  • Annual or risk-based third-party security assessments.

Audit Preparation

  • Collect evidence (logs, screenshots, documentation). (DSALTA)
  • Gap assessment, remediation actions documented. (Drata)
  • Engage SOC 2 auditor.

2. HIPAA Compliance Checklist

HIPAA compliance applies if your site handles Protected Health Information (PHI). It is centered on Administrative, Technical, and Physical Safeguards.

Administrative Safeguards

  • HIPAA policies & procedures (privacy, security, breach notification).
  • Assigned security/privacy officers.
  • Workforce training on HIPAA rules and PHI handling.
  • Risk assessment and risk management plan.
  • Documentation of risk analysis and mitigation.
  • Sanction policy for workforce non-compliance.

Technical Safeguards

  • Access controls (unique user IDs, MFA, session timeout).
  • Encryption for PHI in transit and at rest. (DSALTA)
  • Automatic log-off procedures.
  • Audit controls (log review, monitoring systems).
  • Integrity controls (checksums, hashes, versioning).

Physical Safeguards

  • Facility access controls (badges, locks).
  • Workstation use and security standards.
  • Device and media controls for hardware that stores PHI.

Breach & Incident Response

  • HIPAA-specific breach response plan.
  • Notification procedures within HHS timelines.

Business Associate Agreements

  • Signed agreements (BAAs) with vendors handling PHI.

3. ISO 27001 Compliance Checklist

ISO 27001 is a formal Information Security Management System (ISMS) certification with structured documentation and audit requirements. (DSALTA)

ISMS Foundation

  • Establish ISMS scope and objectives aligned with business.
  • Executive leadership commitment and governance.

Risk Management

  • Perform formal risk assessment and risk treatment plans. (DSALTA)
  • Maintain a risk register. (DSALTA)
  • Statement of Applicability (SoA) detailing selected controls.

Policies & Procedures

  • Information security policies approved and published.
  • Asset management procedures.
  • Acceptable use and data classification policies.

Control Implementation (Annex A Controls)

ISO 27001 includes ~90 controls across Annex A domains. Examples:

  • Identity & access control (A.9) (DSALTA)
  • Cryptography (A.10) (DSALTA)
  • Physical & environmental security (A.11)
  • Operations security (A.12) — monitoring, logging
  • Communications security (A.13)
  • Supplier relationships (A.15)
  • Incident management (A.16)
  • Business continuity (A.17)

Training & Awareness

  • Security awareness training records. (DSALTA)

Internal Audit & Review

  • Internal audits of ISMS processes. (DSALTA)
  • Management review meetings documented. (DSALTA)
  • Corrective action follow-ups tracked.

Continuous Improvement

  • Monitor control effectiveness.
  • Update risk treatments and SoA annually.

Tips for Combined Compliance

Since these frameworks overlap (e.g., access control, logging, incident response), you can standardize common controls and evidence to satisfy all three rather than duplicating effort. (DSALTA)

Examples of overlaps:

  • Access management (MFA, RBAC) — SOC 2, ISO 27001, and HIPAA all require strong controls. (DSALTA)
  • Risk assessments — required for ISO 27001 and valuable for SOC 2/HIPAA programs. (DSALTA)
  • Incident response plans — part of all three frameworks. (DSALTA)

If you want, I can turn this into a customized Excel/CSV audit checklist or tie it to your specific tech stack and threat model.
