SOC 2 Auditor Questions: 40 Questions You'll Be Asked
40 common SOC 2 auditor questions by control area. Prepare your team with precise, evidence-backed answers for these most-asked walkthrough questions.
- SOC 2 auditor questions fall into categories: governance, access, operations, change management, and risk.
- The best answers are specific, consistent with your policies, and reference available evidence.
- Avoid answering with "we plan to" or "we should" — describe what you actually do today.
- Brief all control owners with these questions 2 weeks before fieldwork begins.
- Inconsistent answers across team members are a common source of auditor follow-up and exceptions.
Governance Questions (CC1–CC2)
1. "Who is responsible for information security at your organisation, and what is their title and reporting structure?" — Have a clear answer, for example: "Our CTO owns the information security programme and reports directly to the CEO." The same ownership should appear in your Information Security Policy or org chart.
2. "How does management demonstrate its commitment to security?" — Reference management's approval of the Information Security Policy (ISP), the security budget allocation, and tone-from-the-top at company meetings.
3. "How do employees learn about your security policies?" — Describe your distribution process and acknowledgement tracking.
4. "What security training do employees receive, and how frequently?" — Annual training, topics covered, completion rate, and the LMS or method used.
5. "How do you communicate security expectations to contractors and vendors?" — Reference your vendor contracts with security clauses, DPAs, and any onboarding security briefings for contractors.
6. "How do you ensure third parties understand your security requirements?" — Reference DPAs and your vendor management policy; this overlaps with question 5, so the two answers must agree.
Access Control Questions (CC6)
7. "How is access to production systems provisioned for new employees?" — Walk through the access request and approval process.
8. "What happens to access when an employee is terminated?" — Describe your offboarding checklist and the 24-hour revocation target, and be ready to show the evidence (HR termination date against the IdP deactivation timestamp) that the target is met.
9. "How do you enforce MFA?" — Describe your SSO configuration and the policy that requires MFA for all users. Expect to show the enforcement setting in the identity provider and a list of any exceptions (for example break-glass accounts) with their compensating controls.
10. "How often do you review who has access to your production systems?" — Quarterly; describe the process and who conducts the review, and have the most recent completed review (reviewer, date, findings, and the removals it triggered) to hand.
11. "How do you handle privileged access (admin accounts)?" — Describe your approach to limiting admin access to those who need it.
12. "How do you control access to your production database?" — Specific controls: IAM policies, database user accounts, connection string management.
13. "What would you do if you discovered an employee had more access than their role requires?" — Describe your access review process and the escalation/remediation workflow.
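The answers to questions 8 to 10 are only as good as the evidence behind them. The following is an added example, not code from the original article: it runs the three checks an auditor will effectively perform (revocation within the 24-hour target, MFA coverage with documented exceptions, quarterly review cadence) over constructed sample data. The HRIS, identity-provider and review records, their field names and the "today" timestamp are all assumptions; in practice they come from your HR system, IdP and IAM exports.

```python
"""Evidence checks behind the access-control answers above (CC6).

Added example, not code from the original article. All records are
constructed sample data with assumed field names.
"""
from datetime import datetime, timedelta, timezone

SLA_HOURS = 24            # revocation target quoted to the auditor (question 8)
REVIEW_PERIOD_DAYS = 92   # "quarterly" with a few days of grace (question 10)


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


NOW = utc(2024, 5, 8, 12, 0)  # constructed "today" so the example is deterministic

# Constructed HRIS export: employee -> termination timestamp
OFFBOARDED = {
    "alice": utc(2024, 5, 1, 17, 0),
    "bob":   utc(2024, 5, 3, 9, 30),
    "carol": utc(2024, 5, 6, 12, 0),
}

# Constructed IdP export: account status, MFA enrolment, deactivation time
ACCOUNTS = [
    {"user": "alice", "status": "disabled", "mfa": True,  "disabled_at": utc(2024, 5, 2, 9, 0)},
    {"user": "bob",   "status": "disabled", "mfa": True,  "disabled_at": utc(2024, 5, 5, 14, 0)},
    {"user": "carol", "status": "active",   "mfa": True,  "disabled_at": None},  # left, still active
    {"user": "dave",  "status": "active",   "mfa": False, "disabled_at": None},  # no MFA, no exception
    {"user": "breakglass-admin", "status": "active", "mfa": False, "disabled_at": None},
    {"user": "erin",  "status": "active",   "mfa": True,  "disabled_at": None},
]

# Documented MFA exceptions (a sealed break-glass account) are reported, not hidden
MFA_EXCEPTIONS = {"breakglass-admin"}

# Constructed access-review log: system -> dates of completed reviews
REVIEWS = {
    "aws-prod":      [utc(2024, 1, 15), utc(2024, 4, 10)],
    "prod-database": [utc(2024, 1, 15)],
}


def revocation_exceptions(offboarded, accounts, now, sla_hours=SLA_HOURS):
    """Return {user: hours_open} for terminations that missed the revocation SLA.

    An account that was never disabled is measured against `now`, so it is
    reported as soon as the SLA has elapsed rather than silently skipped."""
    by_user = {a["user"]: a for a in accounts}
    misses = {}
    for user, left_at in offboarded.items():
        acct = by_user.get(user)
        if acct is None:
            continue  # no account in this system, nothing to revoke
        end = acct["disabled_at"] if acct["status"] == "disabled" else now
        hours = (end - left_at) / timedelta(hours=1)
        if hours > sla_hours:
            misses[user] = round(hours, 1)
    return misses


def mfa_gaps(accounts, exceptions=MFA_EXCEPTIONS):
    """Active accounts without MFA, split into undocumented gaps and approved exceptions."""
    gaps, approved = [], []
    for a in accounts:
        if a["status"] != "active" or a["mfa"]:
            continue
        (approved if a["user"] in exceptions else gaps).append(a["user"])
    return sorted(gaps), sorted(approved)


def overdue_reviews(reviews, now, period_days=REVIEW_PERIOD_DAYS):
    """Systems whose most recent completed access review is older than one quarter."""
    cutoff = now - timedelta(days=period_days)
    return sorted(s for s, dates in reviews.items() if not dates or max(dates) < cutoff)


if __name__ == "__main__":
    print("revocation SLA misses:", revocation_exceptions(OFFBOARDED, ACCOUNTS, NOW))
    print("MFA gaps / approved exceptions:", mfa_gaps(ACCOUNTS))
    print("overdue access reviews:", overdue_reviews(REVIEWS, NOW))
```

Run against real exports, the three results are the exceptions you should already know about before the walkthrough; if the script finds something you cannot explain, the auditor will find it too.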
Operations and Monitoring (CC7)
14. "How do you monitor for security threats in your environment?" — GuardDuty, Security Hub, CloudWatch alarms, log monitoring.
15. "What happens when GuardDuty generates a HIGH severity finding?" — Describe your alert routing, incident classification, and response process, and be able to trace one real finding from alert to ticket to closure.
16. "How do you manage vulnerabilities in your infrastructure?" — Describe your scanning tools (Prowler, Security Hub), frequency, CVSS thresholds, and remediation SLAs.
17. "When did you last conduct a penetration test?" — State the date, the firm, and what you did with the findings.
18. "How are security logs retained and protected?" — CloudTrail covering all regions, 12-month retention, S3 Object Lock, KMS encryption. The Object Lock retention period must be at least as long as the retention you quote, and CloudTrail log file validation should be enabled so integrity can be demonstrated.
19. "How do you ensure your AWS configuration stays compliant over time?" — AWS Config rules, Security Hub continuous scanning, weekly exports.
20. "How do you test your backup restore capability?" — Quarterly restore tests; describe the most recent test: what was restored, to where, how long it took, and how the restored data was verified.
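Questions 15 and 18 both come down to configuration you can show rather than describe. The following is an added example, not code from the original article: a triage function that classifies a GuardDuty finding by severity band and decides its routing, plus two checks over the trail and bucket settings that back the log-retention answer. The finding is constructed to match the shape of a GuardDuty EventBridge event, and the trail and Object Lock objects match the shape of CloudTrail DescribeTrails and S3 GetObjectLockConfiguration responses; the routing table, SLAs, names and ARNs are assumptions for this example.

```python
"""Triage and evidence helpers for the monitoring answers above (CC7).

Added example, not code from the original article. Sample objects are
constructed; routing rules and SLAs are assumptions.
"""

# Severity bands follow GuardDuty's documented ranges: Low 1.0-3.9,
# Medium 4.0-6.9, High 7.0-8.9, with Critical 9.0-10.0 in newer findings.
SEVERITY_BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW")]

# Hypothetical routing table: band -> incident priority, channel, acknowledgement SLA
ROUTING = {
    "CRITICAL": {"priority": "P1", "route": "pagerduty:security-oncall", "ack_minutes": 15},
    "HIGH":     {"priority": "P1", "route": "pagerduty:security-oncall", "ack_minutes": 15},
    "MEDIUM":   {"priority": "P2", "route": "slack:#security-alerts",    "ack_minutes": 240},
    "LOW":      {"priority": "P3", "route": "jira:weekly-review",        "ack_minutes": 7 * 24 * 60},
}

# Constructed, shaped like a GuardDuty finding delivered through EventBridge
SAMPLE_FINDING = {
    "source": "aws.guardduty",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 8.0,
        "service": {"archived": False, "count": 1},
    },
}
ARCHIVED_FINDING = {"source": "aws.guardduty", "detail": {**SAMPLE_FINDING["detail"], "service": {"archived": True}}}

# Constructed, shaped like entries of CloudTrail DescribeTrails / S3 GetObjectLockConfiguration
GOOD_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
              "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/example", "S3BucketName": "example-audit-logs"}
BAD_TRAIL = {"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
             "S3BucketName": "example-audit-logs"}
GOOD_LOCK = {"ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}
BAD_LOCK = {"ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}


def severity_label(severity):
    for floor, label in SEVERITY_BANDS:
        if severity >= floor:
            return label
    return "INFORMATIONAL"


def triage(finding):
    """Classify one finding and decide where it goes; HIGH and above also open an incident."""
    detail = finding["detail"]
    if detail.get("service", {}).get("archived"):
        return {"action": "suppressed", "reason": "archived finding"}
    label = severity_label(float(detail["severity"]))
    route = ROUTING[label]
    return {"action": "notify", "finding_id": detail["id"], "type": detail["type"],
            "severity": label, "priority": route["priority"], "route": route["route"],
            "ack_minutes": route["ack_minutes"], "open_incident": label in ("HIGH", "CRITICAL")}


def trail_gaps(trail):
    """Settings on a trail that contradict the 'all regions, encrypted, tamper-evident' answer."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("single-region trail")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation disabled")
    if not trail.get("KmsKeyId"):
        gaps.append("not encrypted with a KMS key")
    return gaps


def log_retention_ok(lock_config, required_days=365):
    """Check an Object Lock configuration against the retention period the policy promises."""
    if lock_config.get("ObjectLockEnabled") != "Enabled":
        return False, "Object Lock is not enabled on the bucket"
    default = lock_config.get("Rule", {}).get("DefaultRetention", {})
    days = default.get("Days") or default.get("Years", 0) * 365
    if days < required_days:
        return False, f"default retention is {days} days, policy requires {required_days}"
    note = f"{default.get('Mode')} retention of {days} days meets the {required_days}-day policy"
    if default.get("Mode") == "GOVERNANCE":
        note += " (GOVERNANCE mode can be lifted by principals with s3:BypassGovernanceRetention)"
    return True, note


if __name__ == "__main__":
    print(triage(SAMPLE_FINDING))
    print(trail_gaps(BAD_TRAIL))
    print(log_retention_ok(GOOD_LOCK), log_retention_ok(BAD_LOCK))
```

The bands and the two configuration checks are the parts worth keeping; in production the triage function would sit behind an EventBridge rule and the configuration checks would read live `describe_trails` and `get_object_lock_configuration` output.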
Change Management (CC8)
21. "Walk me through your process for deploying a code change to production." — PR creation, code review (who approves), CI checks required, deployment approval, deployment process.
22. "Who can approve a production deployment?" — Named roles or specific people, not just "any engineer."
23. "What happens in an emergency when you need to deploy immediately?" — Describe your emergency change process: deploy, create a retroactive ticket within 24 hours, obtain retroactive approval. Be able to show that every emergency change in the audit period actually has that ticket.
24. "Can a developer deploy their own code changes?" — No. Describe the branch protection rules that prevent it: a required approving review, required status checks, and no bypass for administrators. Note that GitHub never lets an author approve their own PR, so the rule that matters is that at least one review is required and nobody can merge around it.
25. "How do you manage changes to your infrastructure (Terraform)?" — PR process, plan output review, same approval requirements as code changes.
26. "How do you track what changes were made and when?" — Your ticketing system (Jira/Linear), GitHub PR history, and the AWS Config change timeline.
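The change-management answers (questions 21 to 24) make claims an auditor will sample-test against merged PRs and the branch settings. The following is an added example, not code from the original article: it flags merges that would not satisfy those answers (self-approval, approval by someone outside the named approver group, merging on failed CI, emergency changes without a ticket within 24 hours) and lists branch-protection settings that would let a change bypass review. The PR records are constructed with assumed fields; the protection object is constructed to match the shape of GitHub's branch protection API response. The approver group and names are assumptions.

```python
"""Change-management evidence checks for the answers above (CC8).

Added example, not code from the original article. PR records are
constructed; the protection object mirrors the GitHub API response shape.
"""
from datetime import datetime, timedelta, timezone

# Question 22: named approvers, not "any engineer" (hypothetical group)
DEPLOY_APPROVERS = {"eng-lead", "platform-lead"}
EMERGENCY_TICKET_HOURS = 24  # question 23


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed export of PRs merged to main over the period
MERGED_PRS = [
    {"number": 101, "author": "dev-a", "approvers": ["eng-lead"], "checks": "success",
     "merged_at": utc(2024, 5, 2, 10, 0), "emergency": False, "ticket_created_at": None},
    {"number": 102, "author": "dev-b", "approvers": ["dev-b"], "checks": "success",
     "merged_at": utc(2024, 5, 3, 11, 0), "emergency": False, "ticket_created_at": None},  # self-approved
    {"number": 103, "author": "dev-c", "approvers": ["dev-a"], "checks": "success",
     "merged_at": utc(2024, 5, 4, 9, 0), "emergency": False, "ticket_created_at": None},  # approver not authorised
    {"number": 104, "author": "dev-a", "approvers": ["platform-lead"], "checks": "failure",
     "merged_at": utc(2024, 5, 5, 9, 0), "emergency": False, "ticket_created_at": None},  # merged on red CI
    {"number": 105, "author": "dev-b", "approvers": [], "checks": "success",
     "merged_at": utc(2024, 5, 6, 2, 0), "emergency": True, "ticket_created_at": utc(2024, 5, 7, 9, 0)},  # ticket late
    {"number": 106, "author": "dev-c", "approvers": [], "checks": "success",
     "merged_at": utc(2024, 5, 6, 3, 0), "emergency": True, "ticket_created_at": utc(2024, 5, 6, 10, 0)},  # ticket in time
]

# Constructed, shaped like GET /repos/{owner}/{repo}/branches/{branch}/protection
PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
}


def pr_exceptions(prs, approvers=DEPLOY_APPROVERS, ticket_hours=EMERGENCY_TICKET_HOURS):
    """Return {pr_number: [reasons]} for merges that contradict the walkthrough answers."""
    out = {}
    for pr in prs:
        reasons = []
        if pr["checks"] != "success":
            reasons.append("merged without passing CI checks")
        if pr["emergency"]:
            # Emergency path: no pre-approval, but a ticket (carrying the retroactive approval) within 24h
            created = pr["ticket_created_at"]
            if created is None or created - pr["merged_at"] > timedelta(hours=ticket_hours):
                reasons.append(f"emergency change without a ticket within {ticket_hours}h")
        else:
            independent = [a for a in pr["approvers"] if a != pr["author"]]
            if not independent:
                reasons.append("no approval from someone other than the author")
            elif not set(independent) & approvers:
                reasons.append("approver is not an authorised deployment approver")
        if reasons:
            out[pr["number"]] = reasons
    return out


def protection_gaps(protection):
    """Branch settings that would let a change reach main without the review question 24 claims."""
    gaps = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("no approving review required")
    if not reviews.get("dismiss_stale_reviews"):
        gaps.append("approval survives later pushes (dismiss_stale_reviews off)")
    if not (protection.get("required_status_checks") or {}).get("contexts"):
        gaps.append("no required status checks")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        gaps.append("administrators can bypass the rules (enforce_admins off)")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        gaps.append("force pushes allowed")
    return gaps


if __name__ == "__main__":
    for number, reasons in pr_exceptions(MERGED_PRS).items():
        print(f"PR #{number}: {'; '.join(reasons)}")
    print("protection gaps:", protection_gaps(PROTECTION))
```

The `enforce_admins` gap is the one most often missed: with it off, the answer "a developer cannot deploy their own change" is true for developers and false for anyone with admin on the repository, and the auditor will ask who that is.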
Risk Management (CC3, CC9)
27. "How do you identify and assess security risks?" — Annual risk assessment, risk register, risk owners, and risk acceptance process.
28. "How do you manage risks associated with your vendors?" — Vendor risk tier model, annual reviews, SOC 2 report collection, DPAs.
29. "What vendors have access to your production systems or customer data?" — Name your Tier 1 vendors and what access they have.
30. "What happens if a vendor has a security incident?" — Describe your vendor incident notification clause and your response process.
Incident Response
31. "Walk me through your incident response process from detection to resolution." — Describe all phases: detection (monitoring tools), triage (classification and IC assignment), containment (specific actions for account compromise and network incidents), recovery, post-incident review.
32. "How have you tested your incident response plan?" — Tabletop exercise date, scenario used, and outcomes/action items.
33. "Has your organisation experienced any security incidents in the past 12 months?" — Answer honestly. If yes, describe the incident and reference the post-incident report.
34. "How quickly would you notify customers of a data breach?" — A 72-hour target; describe your notification procedure and template. Quote the figure from your own policy and customer contracts: 72 hours is the GDPR Article 33 deadline for notifying the supervisory authority, and customer DPAs may commit you to a shorter window.
35. "Who is the Incident Commander for a P1 incident?" — Name the person and their backup.
36. "How do you preserve forensic evidence during an incident?" — EBS snapshots, log preservation in a locked S3 bucket, and no modification of affected systems before forensic capture (isolate an instance with a restrictive security group rather than stopping or terminating it, since a reboot loses volatile memory).
Team Preparation Tips
Schedule 1-hour briefing sessions with each control owner 2 weeks before fieldwork. Walk through their specific questions (the access questions go to the person who owns access reviews, the change management questions go to the engineering lead). Practice the "walk me through" questions out loud — hearing the answer spoken helps identify inconsistencies.
Consistency rule: your answers must be consistent with your policies and with each other. If the programme owner says "quarterly access reviews" and the engineering lead says "we do access reviews whenever we think of it," that inconsistency will trigger additional auditor questions.
Golden rule: "I don't know, but I'll find out" is a better answer than a guess that turns out to be wrong. Auditors respect accuracy over confidence.
Frequently Asked Questions
What if we do not have a good answer to one of these questions?
Can we bring notes to control walkthrough interviews?
What if different team members give different answers to the same question?
How long do control walkthrough interviews typically last?
Should the CEO attend any walkthrough interviews?
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.