Process Library Hub

SOC 2 Compliance Processes

A launch-ready hub for the core workflows behind a SOC 2 program. Use it to understand process coverage across access control, change management, incident response, and risk monitoring, then expand into the full template library.

Updated • 15 core workflows mapped • 4 operating groups

This page works as an answer-first overview of the operating workflows that support a SOC 2 program. It shows how the process library is organized, which teams are involved, what control families each process touches, and where teams should begin implementation.

What’s Included

Access control, change management, incident response, and risk-monitoring workflows, each with control references and operating cadence.

Who It’s For

Security leads, IT admins, engineering managers, HR, compliance owners, and auditors who need a shared operating map.

How To Use It

Start with the framework map, follow the recommended implementation sequence, then drill into the process groups below.

SOC 2 Framework Process Map

How SOC 2 processes connect across trust service criteria. Click any process to view the full diagram and template.

Full SOC 2 Framework Process Map (interactive diagram)

All SOC 2 Processes

Grouped by control category. Each process links to a full diagram, step-by-step instructions, and an editable Creately template.

Process | Criteria | Cadence | Level

Control Environment
Background Check | CC1.1 · CC1.4 | Per hire | Low
Board Oversight and Governance | CC1.2 | Quarterly | High
Code of Conduct Acknowledgment | CC1.1 · CC1.3 | Annual | Low
Employee Competency Assessment | CC1.4 | Annual | Medium
Performance Review | CC1.4 · CC1.5 | Annual | Medium
Security Awareness Training | CC1.1 · CC1.4 | Annual | Medium

Control Activities
Segregation of Duties | CC5.1 | Quarterly | Medium
Technology General Controls | CC5.2 · CC5.3 | Annual | High

Logical and Physical Access Controls
Data Classification and Handling | CC6.5 · CC6.7 | Annual | Medium
Data Retention and Disposal | CC6.5 | Annual | Medium
Employee Offboarding Access Deprovisioning | CC6.1 · CC6.2 | Per departure | Medium
Employee Onboarding Access Provisioning | CC6.1 · CC6.2 | Per hire | Medium
Encryption Key Management | CC6.1 · CC6.7 | Annual | High
Physical Access Control | CC6.4 · CC6.5 | Monthly | Medium
Privileged Access Management | CC6.1 · CC6.3 | Monthly | High
User Access Review | CC6.1 · CC6.2 | Quarterly | Medium
Visitor Management | CC6.4 | Ongoing | Low

Change Management
Architecture Review | CC8.1 | Per major change | High
Change Request and Approval | CC8.1 | Per change | Medium
CI/CD Deployment Pipeline | CC8.1 | Per release | High
Code Review | CC8.1 | Per change | Medium
Emergency Change | CC8.1 | As needed | High
Rollback and Recovery Procedures | CC8.1 | As needed | Medium

Risk Assessment
Annual Risk Assessment | CC3.1 · CC3.2 | Annual | High
Fraud Risk Assessment | CC3.3 | Annual | Medium
Significant Change Risk Evaluation | CC3.4 | As needed | Medium
Threat Modeling | CC3.2 | Per major change | High
Vendor Risk Evaluation | CC3.2 · CC3.4 | Per vendor | Medium

Risk Mitigation
Cyber Insurance Review | CC9.2 | Annual | Low
Disaster Recovery Testing | CC9.1 | Annual | High
Vendor Communication and Oversight | CC9.2 | Quarterly | Medium
Vendor SLA Management | CC9.2 | Quarterly | Medium

Monitoring Activities
Automated Control Monitoring | CC4.1 | Ongoing | High
Control Effectiveness Review | CC4.1 | Quarterly | High
Management Review Meeting | CC4.1 · CC4.2 | Quarterly | Medium

Communication and Information
Incident Notification | CC2.2 · CC2.3 | As needed | High
Policy Review and Update | CC2.1 · CC2.2 | Annual | Medium
System Description Maintenance | CC2.1 | Annual | Medium

System Operations
Backup Verification and Testing | CC7.2 | Monthly | Medium
Capacity Planning | CC7.1 | Quarterly | Medium
Change Monitoring and Detection | CC7.1 | Ongoing | Medium
Incident Response | CC7.3 · CC7.4 | As needed | High
Infrastructure Monitoring | CC7.1 | Ongoing | High
Patch Management | CC7.1 | Monthly | Medium
Penetration Testing | CC7.1 | Annual | High
Post-Incident Review | CC7.4 · CC7.5 | Per incident | Medium
Security Incident Detection | CC7.2 · CC7.3 | Ongoing | High
Vulnerability Management | CC7.1 | Monthly | High

Recommended Implementation Sequence

Start with these five processes to build a solid SOC 2 foundation, then expand to full coverage.

1. Access Review: Establish who has access to what. Foundation for all access controls.

2. Employee Onboarding & Offboarding: Ensure access is granted and revoked with every personnel change.

3. Change Management: All system changes go through a documented review and approval process.

4. Incident Response: Detect, respond to, and learn from security incidents systematically.

5. Risk Assessment: Identify and prioritize risks across your organization annually.

Key Roles

People you'll need involved across your SOC 2 compliance program.

Security Lead, IT Admin, HR Manager, Engineering Manager, Compliance Officer, CTO / VP Engineering, External Auditor

Frequently Asked Questions

What does this SOC 2 process library include?

This page groups core SOC 2 operational workflows into access control, change management, incident response, and risk monitoring so teams can understand the process landscape and implementation order.

Who should use this page?

Security leaders, IT administrators, engineering managers, HR teams, compliance owners, and auditors can use this page as a shared operating map for a SOC 2 program.

How should teams start implementing SOC 2 processes?

Most teams should begin with access review, onboarding and offboarding, change management, incident response, and risk assessment before expanding into the full process library.

Get all 60 SOC 2 process templates

Pre-built, customizable Creately templates. Open in the BPMN editor and adapt for your team.
