What Policies Do I Need for SOC 2 Type II? The 39-Policy Checklist

If you are pursuing SOC 2 Type II attestation, you will need a complete information security policy library aligned to the AICPA Trust Services Criteria. This article lists every policy that a SOC 2 Type II audit expects to see, how auditors evaluate them, and the fastest path to a compliant policy set.

The Short Answer

Plan on delivering up to 39 distinct policies to your SOC 2 Type II auditor: 30 that map to the nine common criteria (CC1 through CC9), which every SOC 2 report must cover under the Security category, plus 9 more that map to the additional criteria for availability, confidentiality, processing integrity, and privacy, which apply only if you bring those Trust Services categories into scope. If Security is your only category, the first 30 are your baseline.

The 39 Policies Your SOC 2 Audit Expects

CC1 - Control Environment (5 policies)

  1. Code of Conduct and Ethics Policy - integrity, ethical values, whistleblower program
  2. Governance Policy - board oversight, risk appetite, accountability
  3. Organizational Structure and Authority Policy - segregation of duties, reporting lines
  4. Human Resources and Background Check Policy - hiring, onboarding, termination, background screening
  5. Workforce Development and Training Policy - security awareness, role-based training

CC2 - Communication and Information (3 policies)

  1. Information Classification and Handling Policy
  2. External Communications Policy - customer communications, marketing claims
  3. Incident Communication Policy - internal and external notification procedures

CC3 - Risk Assessment (3 policies)

  1. Risk Management Policy
  2. Fraud Risk Assessment Policy
  3. Change Impact Assessment Policy

CC4 - Monitoring Activities (2 policies)

  1. Internal Audit and Monitoring Policy
  2. Control Self-Assessment Policy

CC5 - Control Activities (2 policies)

  1. Control Design and Implementation Policy
  2. Technology Controls Policy

CC6 - Logical and Physical Access (6 policies)

  1. Access Control Policy
  2. Identity and Authentication Policy - MFA, SSO, password requirements
  3. Privileged Access Management Policy
  4. Physical Security Policy
  5. Asset Management Policy
  6. Media Handling and Destruction Policy

CC7 - System Operations (5 policies)

  1. System Monitoring and Logging Policy
  2. Vulnerability Management Policy
  3. Patch Management Policy
  4. Incident Response Policy
  5. Problem Management Policy

CC8 - Change Management (2 policies)

  1. Change Management Policy
  2. Secure Software Development Lifecycle Policy

CC9 - Risk Mitigation (2 policies)

  1. Business Continuity Policy
  2. Vendor and Third-Party Risk Management Policy

A1 - Availability (2 policies)

  1. Capacity Management Policy
  2. Disaster Recovery Policy

C1 - Confidentiality (1 policy)

  1. Data Confidentiality and Retention Policy

PI1 - Processing Integrity (1 policy)

  1. Data Processing Integrity Policy

P1-P8 - Privacy (5 policies)

  1. Privacy Notice and Data Subject Rights Policy
  2. Consent Management Policy
  3. Privacy Impact Assessment Policy
  4. Data Minimization and Retention Policy
  5. Cross-Border Data Transfer Policy

What Auditors Actually Check in Each Policy

Your SOC 2 Type II auditor is not just checking that a policy exists. A Type I report tests only whether controls are suitably designed at a point in time; a Type II report also tests whether they operated effectively over an audit period, commonly 6 to 12 months. In practice the auditor evaluates four dimensions of every policy across that period:

  • Design - Does the policy address the relevant Trust Services Criterion?
  • Implementation - Is the policy published, approved, and communicated to the workforce?
  • Operating Effectiveness - Is the policy actually followed? Auditors sample evidence (tickets, access reviews, log extracts, signed acknowledgements) from across your audit period, so a control that only worked in the last month before fieldwork will still produce an exception.
  • Review Cadence - Is the policy reviewed and re-approved annually? Policies older than 12 months without review are a common finding.

Common Policy Mistakes That Fail SOC 2 Audits

  1. Templates copied from the internet without customization. Auditors recognize generic language and will dig for actual operating practices.
  2. Policies without clear owners. Every policy needs a named role accountable for it.
  3. No version history. Auditors want to see the document control trail.
  4. Missing review dates. Annual review must be documented, not just performed.
  5. Policies that contradict actual practice. A password policy mandating 90-day rotation while your identity provider enforces no rotation is a finding the auditor will reach as soon as they compare the policy text to the IdP configuration. Write the policy to describe the control you actually enforce; in this case the usual fix is to drop the rotation clause, which also aligns with NIST SP 800-63B guidance against forced periodic password changes, rather than to switch rotation on.

The Fastest Path to a Complete SOC 2 Policy Set

CyberPolicyPros delivers a SOC 2 Type II policy package with all 39 policies pre-authored, CPGF-governed, and ready for customization. The Advanced (Level 4-5) tier includes the quantitative metrics, executive reporting cadence, and exception governance that pass a Type II operating-effectiveness evaluation.

Browse SOC 2 Policy Templates