SOC Cheat Sheet 2026
The 30 highest-yield SOC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
- In SOC practice, what is a needs assessment? → A systematic process to identify gaps between current conditions and desired outcomes
- Which phase comes immediately after evidence gathering in an audit process? → Evaluation and reporting
- What does MTTR measure in the context of disaster recovery and system reliability? → The average time required to restore a failed system to normal operation
- In SOC practice, what is a corrective action plan? → A documented strategy to address identified compliance deficiencies and prevent recurrence
- In SOC practice, what is the purpose of a standard operating procedure (SOP)? → To document step-by-step instructions for routine tasks to ensure consistency and quality
- What is the primary goal of access control in information security? → Restrict unauthorized access
- What does professional liability insurance protect a SOC practitioner against? → Financial loss from claims of negligence, errors, or omissions in professional services
- Which SOC 2 Trust Services Criterion is most directly supported by business continuity planning? → Availability
- In SOC practice, what is the purpose of a standard operating procedure (SOP)? → To document step-by-step instructions for routine tasks to ensure consistency and quality
- Under SOC 2 availability criteria, which scenario represents a control deficiency? → No documented process for restoring systems in the event of a complete data center failure
- Which NIST publication provides comprehensive guidance on IT contingency planning? → NIST SP 800-34: Contingency Planning Guide for Federal Information Systems
- In SOC practice, what is the purpose of a standard operating procedure (SOP)? → To document step-by-step instructions for routine tasks to ensure consistency and quality
- In SOC practice, what is the purpose of a standard operating procedure (SOP)? → To document step-by-step instructions for routine tasks to ensure consistency and quality
- Which framework provides criteria for managing privacy risks? → NIST Privacy Framework
- Which type of risk does SOC primarily aim to address? → Operational and compliance risk
- Which organization developed the SOC reporting framework? → AICPA
- During a SOC 2 audit, which evidence would best demonstrate effective disaster recovery controls? → Documented DR test results, including identified gaps and completed remediation actions
- In SOC practice, what is a needs assessment? → A systematic process to identify gaps between current conditions and desired outcomes
- A 'hot site' in disaster recovery planning is best described as: → A fully equipped and operational backup facility with real-time data replication
- In SOC practice, what is the purpose of a standard operating procedure (SOP)? → To document step-by-step instructions for routine tasks to ensure consistency and quality
- Which SOC report type evaluates a service organization's system and the suitability of controls at a point in time? → SOC 1 Type I
- Which element is most essential in a business continuity communication plan? → Predefined escalation paths and contact lists for notifying stakeholders during incidents
- Which of the following best describes inherent risk? → Risk without considering controls
- Which of the following is considered appropriate audit evidence? → System access logs
- What framework forms the basis for the Trust Services Criteria used in SOC 2? → COSO
- What is the consequence of non-compliance in SOC professional practice? → Potential fines, license revocation, legal liability, and reputational damage
- Which framework is most commonly used for identifying and evaluating risks in SOC 2 engagements? → COSO
- Which availability monitoring control best satisfies AICPA Trust Services Criteria requirements? → Tracking system uptime against documented SLAs and investigating deviations
- Why is risk assessment important in the context of SOC reporting? → To align controls with key threats
- What does professional liability insurance protect a SOC practitioner against? → Financial loss from claims of negligence, errors, or omissions in professional services
Turn these facts into recall: