SOC Cheat Sheet 2026

The 30 highest-yield SOC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

  1. In SOC practice, what is a needs assessment? A systematic process to identify gaps between current conditions and desired outcomes
  2. Which phase comes immediately after evidence gathering in an audit process? Evaluation and reporting
  3. What does MTTR measure in the context of disaster recovery and system reliability? The average time required to restore a failed system to normal operation
  4. In SOC practice, what is a corrective action plan? A documented strategy to address identified compliance deficiencies and prevent recurrence
  5. In SOC practice, what is the purpose of a standard operating procedure (SOP)? To document step-by-step instructions for routine tasks to ensure consistency and quality
  6. What is the primary goal of access control in information security? Restrict unauthorized access
  7. What does professional liability insurance protect a SOC practitioner against? Financial loss from claims of negligence, errors, or omissions in professional services
  8. Which SOC 2 Trust Services Criterion is most directly supported by business continuity planning? Availability
  9. In SOC practice, what is the purpose of a standard operating procedure (SOP)? To document step-by-step instructions for routine tasks to ensure consistency and quality
  10. Under SOC 2 availability criteria, which scenario represents a control deficiency? No documented process for restoring systems in the event of a complete data center failure
  11. Which NIST publication provides comprehensive guidance on IT contingency planning? NIST SP 800-34: Contingency Planning Guide for Federal Information Systems
  12. In SOC practice, what is the purpose of a standard operating procedure (SOP)? To document step-by-step instructions for routine tasks to ensure consistency and quality
  13. In SOC practice, what is the purpose of a standard operating procedure (SOP)? To document step-by-step instructions for routine tasks to ensure consistency and quality
  14. Which framework provides criteria for managing privacy risks? NIST Privacy Framework
  15. Which type of risk does SOC primarily aim to address? Operational and compliance risk
  16. Which organization developed the SOC reporting framework? AICPA
  17. During a SOC 2 audit, which evidence would best demonstrate effective disaster recovery controls? Documented DR test results, including identified gaps and completed remediation actions
  18. In SOC practice, what is a needs assessment? A systematic process to identify gaps between current conditions and desired outcomes
  19. A 'hot site' in disaster recovery planning is best described as: A fully equipped and operational backup facility with real-time data replication
  20. In SOC practice, what is the purpose of a standard operating procedure (SOP)? To document step-by-step instructions for routine tasks to ensure consistency and quality
  21. Which SOC report type evaluates a service organization's system and the suitability of controls at a point in time? SOC 1 Type I
  22. Which element is most essential in a business continuity communication plan? Predefined escalation paths and contact lists for notifying stakeholders during incidents
  23. Which of the following best describes inherent risk? Risk without considering controls
  24. Which of the following is considered appropriate audit evidence? System access logs
  25. What framework forms the basis for the Trust Services Criteria used in SOC 2? COSO
  26. What is the consequence of non-compliance in SOC professional practice? Potential fines, license revocation, legal liability, and reputational damage
  27. Which framework is most commonly used for identifying and evaluating risks in SOC 2 engagements? COSO
  28. Which availability monitoring control best satisfies AICPA Trust Services Criteria requirements? Tracking system uptime against documented SLAs and investigating deviations
  29. Why is risk assessment important in the context of SOC reporting? To align controls with key threats
  30. What does professional liability insurance protect a SOC practitioner against? Financial loss from claims of negligence, errors, or omissions in professional services
Turn these facts into recall: