SOC 2 Controls List XLS: Your Essential Compliance Tool

by SecureSlate Team in SOC 2


Most SOC 2 programs start the same way: someone downloads a controls list, drops it into Excel, and assigns owners in a shared drive. That works for week one. It falls apart when you need to prove operating effectiveness across six months of access reviews, change tickets, and vendor updates.

This guide gives you a free SOC 2 controls list XLS you can use today—organized by the five AICPA Trust Services Criteria control areas—and walks through exactly how to turn it into an audit-ready inventory.



Key takeaways

  • Security (CC1–CC9) is mandatory for every SOC 2 report. Availability, Processing Integrity, Confidentiality, and Privacy are optional—include only what is in your audit scope.
  • The XLS maps 60 control activities across all five TSC control areas, with columns for owner, frequency, evidence source, and status.
  • A spreadsheet is a strong starting inventory; ongoing evidence collection and monitoring typically need automation before a Type II audit window closes.

Free download: SOC 2 controls list XLS

Download the SecureSlate SOC 2 Controls List (XLSX)

The file includes eight tabs:

Tab | What it covers
Instructions | How to scope, fill in, and maintain the workbook
All Controls | Master list of every control activity
CC-Series (Required) | Common Criteria CC1–CC9, the mandatory Security controls
Security Controls | Technical and operational safeguards (MFA, WAF, monitoring, etc.)
Privacy Controls | Consent, collection limits, purpose limitation, disposal
Confidentiality Controls | Classification, RBAC, encryption, retention
Availability Controls | Backups, DR/BCP, capacity planning
Processing Integrity | Input validation, pipeline monitoring, reconciliation

Each row includes tracking columns: Owner, Frequency, System/Scope, Evidence Artifact, Evidence Source, Status, and Notes. Filter and sort by CC category or TSC to match your scoping worksheet.

No signup required. Use it internally, customize rows for your environment, and import the finished inventory into SecureSlate when you are ready to automate evidence.


What is in the spreadsheet

The workbook follows the Trust Services Criteria (TSC) control areas published by the AICPA—the same structure auditors use when scoping a SOC 2 examination.

Common Criteria (CC1–CC9) — always in scope

These nine categories form the Security criterion. Every SOC 2 report includes them:

CC | Category | Focus / example controls in the XLS
CC1 | Control Environment | Code of conduct, background checks, security training
CC2 | Communication & Information | Internal security comms, external reporting channel
CC3 | Risk Assessment | Risk register, management review, fraud considerations
CC4 | Monitoring Activities | Control monitoring, deficiency remediation
CC5 | Control Activities | Policy library, annual policy review
CC6 | Logical & Physical Access | MFA, RBAC, access reviews, offboarding, WAF
CC7 | System Operations | Logging, vulnerability management, incident response
CC8 | Change Management | Change approval, peer review, staging before prod
CC9 | Risk Mitigation | Vendor inventory, vendor SOC 2 review, BCP/DR testing

Optional TSC control areas

Add these tabs only if your audit scope includes the corresponding criterion:

  • Availability — secure backups, disaster recovery, business continuity, capacity planning
  • Processing Integrity — input validation, pipeline monitoring, reconciliation, processing-failure alerts
  • Confidentiality — data classification, encryption, secure disposal, retention schedules
  • Privacy — consent, data minimization, lawful collection, purpose limitation, disposal

If a customer asks for "SOC 2 with Security only," you can ignore the optional tabs entirely.


Criteria vs. controls (read this first)

Teams new to SOC 2 often conflate three terms. Getting this right saves rework during the scoping call:

  • Trust Services Criteria (TSC): The five high-level areas (the AICPA's current term for them is trust services categories): Security, Availability, Processing Integrity, Confidentiality, Privacy.
  • Common Criteria (CC): The detailed Security requirements (CC1.1 through CC9.2). Security is never optional.
  • Control activities: What your company actually does to meet a criterion. "CC6 requires logical access controls" is the criterion; "MFA enforced in Okta for all production systems" is your control.

Your XLS should have one row per control activity, not one row per CC number. A single CC category like CC6 typically maps to five or more distinct controls (provisioning, MFA, access reviews, offboarding, etc.).

For a deeper breakdown of what auditors test under each CC series, see our full SOC 2 controls guide.


How to use the SOC 2 controls list XLS

Step 1: Confirm audit scope

Before filling in a single row, document:

  • Report type: Type I (design at a point in time) or Type II (operating effectiveness over 6–12 months)
  • TSC in scope: Security only, or Security + Availability / Confidentiality / etc.
  • System boundary: Which products, environments, and data types the report covers

Delete or hide rows for TSC categories not in scope. Do not leave them blank—auditors may ask why they appear in your inventory.

Step 2: Assign owners and frequencies

For every in-scope row, fill in:

Column | What to put
Owner | Named person or team (e.g., "Engineering Lead", "IT Admin")
Frequency | How often the control runs: per hire, quarterly, continuous, annual
System/Scope | Where it lives: Okta, AWS, GitHub, HRIS, etc.
Evidence Artifact | What you will hand an auditor: export, screenshot, ticket, signed doc
Evidence Source | The system of record that produces the artifact

Example row (periodic access reviews sit under CC6.3, which covers authorizing, modifying, removing and reviewing access; CC6.4 is physical access):

Control | Owner | Frequency | Evidence
CC6.3 — Quarterly access review | IT Admin | Quarterly | IdP access review export + manager sign-off

Step 3: Map evidence before the audit window

For Type II, auditors sample controls across your entire observation period. If you skip the June access review, that is a finding—not a gap you can fix retroactively.

Use the Status column to track progress:

  • Not Started → In Progress → Implemented → Needs Evidence → Audit Ready

Run a gap review 90 days before your audit window opens. Anything still at Not Started needs a remediation plan with a named owner and deadline.
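To make that gap review concrete, here is an added Python example (not code from the SecureSlate template or the article) that reads the inventory exported as CSV and reports, for each control, whether an artifact exists in every period of the observation window, so a skipped June access review shows up before the auditor samples it. It assumes an extra "Evidence Dates" column holding semicolon-separated ISO dates, one per artifact collected, and the period lengths in FREQUENCY_PERIOD_DAYS are this example's own tolerances; the inventory rows are constructed for the example.

```python
import csv
import io
from datetime import date, timedelta

# Longest acceptable gap between two artifacts for each recurring frequency.
# These tolerances are this example's assumption; the template does not fix them.
FREQUENCY_PERIOD_DAYS = {
    "monthly": 31,
    "quarterly": 92,
    "semi-annual": 183,
    "annual": 366,
    "continuous": 92,  # standing configuration: assume a quarterly export plus monitoring
}
# Controls triggered by an event rather than a calendar: evidence must exist,
# but per-period coverage is not checked here.
EVENT_DRIVEN = {"per hire", "per change", "per termination"}

# Constructed inventory export (not data from the template). Columns follow the
# article plus an assumed "Evidence Dates" column: ISO dates, semicolon separated.
SAMPLE_EXPORT = """Control ID,Control Activity,Owner,Frequency,Status,Evidence Artifact,Evidence Dates
CC6.3-01,Quarterly user access review,IT Admin,Quarterly,Implemented,IdP access review export + manager sign-off,2026-03-28
CC6.1-02,MFA enforced for all production systems,IT Admin,Continuous,Audit Ready,IdP MFA policy export,2026-02-10;2026-05-20
CC7.1-01,Monthly vulnerability scan,Security Lead,Monthly,Implemented,Scanner report,2026-01-15;2026-02-12;2026-03-14;2026-04-16;2026-05-13;2026-06-10
CC8.1-01,Peer review before merge to main,Engineering Lead,Per change,Implemented,GitHub PR approvals export,2026-06-25
CC9.2-01,Annual vendor SOC 2 report review,Security Lead,Annual,Not Started,Vendor review log,
CC1.4-01,Security awareness training at hire,People Ops,Per hire,Needs Evidence,LMS completion record,
"""


def parse_inventory(text: str) -> list[dict]:
    """One dict per control row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def observation_periods(start: date, end: date, period_days: int):
    """Split the inclusive window [start, end] into back-to-back periods of period_days."""
    p = start
    while p <= end:
        q = min(p + timedelta(days=period_days - 1), end)
        yield p, q
        p = q + timedelta(days=1)


def review_gaps(rows: list[dict], window_start: str, window_end: str) -> list[dict]:
    """Return one finding per control an auditor sampling the window could not clear."""
    start, end = date.fromisoformat(window_start), date.fromisoformat(window_end)
    findings = []
    for row in rows:
        cid = row["Control ID"].strip()
        status = row["Status"].strip()
        freq = row["Frequency"].strip().lower()
        dates = sorted(date.fromisoformat(d) for d in row["Evidence Dates"].split(";") if d.strip())

        if not row["Owner"].strip():
            findings.append({"control": cid, "issue": "no_owner", "detail": "assign a named owner"})
        if status == "Not Started":
            findings.append({"control": cid, "issue": "not_started",
                             "detail": "needs a remediation plan with owner and deadline"})
            continue
        if status == "In Progress":
            continue  # not expected to have evidence yet; tracked by its deadline
        if not dates:
            findings.append({"control": cid, "issue": "no_evidence",
                             "detail": f"status is '{status}' but no artifact is on file"})
            continue
        if freq in EVENT_DRIVEN:
            continue  # evidence exists; the auditor samples individual events
        period = FREQUENCY_PERIOD_DAYS.get(freq)
        if period is None:
            findings.append({"control": cid, "issue": "unknown_frequency", "detail": freq})
            continue
        # A recurring control must leave at least one artifact in every period of the window.
        for p_start, p_end in observation_periods(start, end, period):
            if not any(p_start <= d <= p_end for d in dates):
                findings.append({"control": cid, "issue": "missing_period",
                                 "detail": f"no artifact between {p_start} and {p_end}"})
    return findings


if __name__ == "__main__":
    for f in review_gaps(parse_inventory(SAMPLE_EXPORT), "2026-01-01", "2026-06-30"):
        print(f"{f['control']:10} {f['issue']:16} {f['detail']}")
```

Run it against a six-month window and the quarterly access review is flagged for the second period even though its status reads "Implemented": the March review exists, nothing covers April through June. Run it 90 days before the window opens with the window's real dates and every "missing_period" line is a review you still have time to schedule.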

Step 4: Keep one authoritative version

Version drift is the most common spreadsheet failure mode. Pick one location (shared drive or GRC platform), lock edit access, and name files with dates: soc2-controls-inventory-2026-Q2.xlsx. Avoid soc2-controls-FINAL-v3-copy.xlsx.


Where spreadsheets break down

An XLS controls list is the right tool for scoping and inventory. It is the wrong tool for continuous proof. Here is where teams hit the wall:

Problem | What happens | Typical cost
Manual evidence | Someone screenshots Okta every quarter | 4–8 hrs/month per admin
Version drift | Three people maintain different tabs | Audit rework, conflicting answers
No continuous monitoring | MFA gets disabled in AWS; spreadsheet still says "Implemented" | Type II exception
Sample testing scramble | Auditor asks for 25 random PRs from March | Days of archaeology in Git history

If you are heading toward a Type II report, plan to move evidence collection off the spreadsheet before your observation period starts—not the week before the auditor arrives.
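The "MFA gets disabled in AWS; spreadsheet still says Implemented" row is the case that continuous monitoring exists for. As an added example (not SecureSlate's code and not a feature of the template), the Python below reads an AWS IAM credential report in the CSV format that `aws iam get-credential-report` returns, lists every console user (root or password-enabled) without an MFA device, and downgrades the matching inventory row instead of trusting its status. The report contents, the inventory rows and the control ID CC6.1-02 are constructed for the example.

```python
import csv
import io

# Constructed credential report in the column layout AWS returns (values invented).
# Only password_enabled, mfa_active and the user name are read by the check.
SAMPLE_CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2024-01-10T08:00:00+00:00,not_supported,2026-07-01T09:12:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2024-02-01T10:00:00+00:00,true,2026-08-01T07:40:00+00:00,2026-05-01T10:00:00+00:00,2026-08-01T10:00:00+00:00,true,false
bob,arn:aws:iam::123456789012:user/bob,2025-11-15T14:00:00+00:00,true,2026-07-29T16:05:00+00:00,2025-11-15T14:00:00+00:00,2026-02-13T14:00:00+00:00,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-03-03T09:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

# Constructed inventory rows: what the spreadsheet currently claims.
SAMPLE_INVENTORY = [
    {"Control ID": "CC6.1-02", "Control Activity": "MFA enforced for all AWS console users",
     "Status": "Implemented"},
    {"Control ID": "CC6.3-01", "Control Activity": "Quarterly user access review",
     "Status": "Implemented"},
]


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Users who can sign in to the console (root or password-enabled) but have no MFA."""
    gaps = []
    for r in csv.DictReader(io.StringIO(report_csv)):
        console = r["user"] == "<root_account>" or r["password_enabled"] == "true"
        if console and r["mfa_active"] != "true":
            gaps.append(r["user"])
    return gaps


# Inventory rows that have a live check. The control ID is this example's own labelling.
LIVE_CHECKS = {"CC6.1-02": console_users_without_mfa}


def reconcile(inventory: list[dict], report_csv: str) -> list[dict]:
    """Copy the inventory; downgrade any Implemented/Audit Ready row whose live check fails."""
    out = []
    for row in inventory:
        row = dict(row)  # never mutate the caller's inventory in place
        check = LIVE_CHECKS.get(row["Control ID"])
        if check and row["Status"] in ("Implemented", "Audit Ready"):
            failing = check(report_csv)
            if failing:
                row["Status"] = "Needs Evidence"
                row["Notes"] = "drift: console sign-in without MFA for " + ", ".join(failing)
        out.append(row)
    return out


if __name__ == "__main__":
    for row in reconcile(SAMPLE_INVENTORY, SAMPLE_CREDENTIAL_REPORT):
        print(row["Control ID"], row["Status"], row.get("Notes", ""))
```

The access key-only user (ci-deploy) is deliberately not flagged: it has no console password, so console MFA does not apply to it, and reporting it would train people to ignore the check. Scheduling this against a fresh report is the difference between "MFA enforced" being a statement in a cell and being something you can show for every day of the window.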


Import your XLS into SecureSlate

You do not need to rebuild your control inventory from scratch. Use the spreadsheet as the seed:

  1. Clean your export. One row per control. Required fields: Control ID, Control Activity, Owner, Frequency, Evidence Type.
  2. Upload and map. Import the file into SecureSlate and map each row to the relevant TSC and CC category.
  3. Connect your stack. Link cloud (AWS, GCP, Azure), identity (Okta, Google Workspace), code (GitHub, GitLab), and HRIS so evidence collects continuously.
  4. Monitor, don't snapshot. SecureSlate flags configuration drift—disabled MFA, open security groups, stale access—instead of waiting for quarterly screenshot day.

The goal is to keep the clarity of a spreadsheet without the manual evidence cycle that burns engineering hours.

Get started for free →

SecureSlate plans start at $284/month—built for growing teams that need SOC 2, ISO 27001, or multiple frameworks without a full-time compliance hire.


Frequently asked questions

Is Security required for every SOC 2 report?

Yes. The Security criterion (Common Criteria CC1–CC9) is mandatory regardless of which optional TSC categories you include. You cannot scope Security out.

How many controls should be in my SOC 2 spreadsheet?

There is no fixed number. Most SaaS companies track 40–80 control activities depending on scope and environment complexity. The SecureSlate template includes 60 starter rows across all five TSC areas; add or remove rows to match your program.

Can I use this XLS for SOC 2 Type I and Type II?

Yes. Type I focuses on control design—your spreadsheet helps prove policies and configurations exist. Type II tests operating effectiveness over time, so the Frequency and Evidence columns matter more; you need proof the control ran throughout the observation window.

What is the difference between this XLS and the AICPA Trust Services Criteria document?

The AICPA publishes the criteria (what must be achieved). This XLS provides control activities (what you implement) with tracking columns auditors expect during walkthroughs. It is a working inventory, not the official AICPA publication.

How do I map SOC 2 controls to ISO 27001?

Many controls overlap. The CC-Series tab includes an optional ISO 27001 Ref column for common mappings (e.g., CC6 access controls → ISO 27001 A.9). Note that A.9 is the 2013 edition's Annex A numbering; ISO 27001:2022 reorganized access control into A.5.15–A.5.18 and A.8.2–A.8.5, so check which edition your certification body is assessing against before reusing the column. For a full crosswalk, see ISO 27001 vs SOC 2.

When should I stop using Excel for SOC 2?

When you start a Type II observation period, or when evidence collection exceeds ~4 hours per month. That is usually the point where automation pays for itself. See best SOC 2 compliance software for 2026 for a comparison of platforms.


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. The downloadable template is provided for informational purposes. Customize it to your organization's actual practices and consult qualified counsel and/or auditors as needed.

Need compliance without the complexity?

SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.

No credit card required

Filed under: SOC 2

Author: SecureSlate Team
