April 9, 2026 ·Templates & resources

SOC 2 compliance checklist for DDQ responses

Checklist mapping SOC 2 trust service criteria to common DDQ questions. Know exactly which SOC 2 sections to cite for each answer.

Your SOC 2 Type II report is your most powerful DDQ weapon. It's an independent auditor's verification of your security controls. But most CTOs don't know how to efficiently map SOC 2 sections to DDQ questions.

This checklist solves that.

SOC 2 trust service criteria → DDQ mapping

CC1: Control environment

SOC 2 Criteria	Common DDQ Questions	What to Cite
CC1.1	"Who is responsible for security?"	Security governance structure, CISO/CTO role
CC1.2	"Does the board oversee security?"	Board oversight, audit committee
CC1.3	"How is the security org structured?"	Org chart, reporting lines
CC1.4	"Do you have written security policies?"	Policy framework, review cycle
CC1.5	"How do you hold people accountable?"	Roles & responsibilities, training

CC2: Communication and information

SOC 2 Criteria	Common DDQ Questions	What to Cite
CC2.1	"How do you communicate security to employees?"	Training program, awareness
CC2.2	"How do you communicate with external parties?"	Customer notifications, breach disclosure
CC2.3	"How do you communicate security requirements to vendors?"	Vendor management, contracts

CC3: Risk assessment

SOC 2 Criteria	Common DDQ Questions	What to Cite
CC3.1	"Do you perform risk assessments?"	Risk assessment process, frequency
CC3.2	"How do you identify risks?"	Risk identification methodology
CC3.3	"How do you assess fraud risk?"	Fraud risk factors, controls
CC3.4	"How do you handle changes that affect risk?"	Change management, risk impact

CC5: Control activities

SOC 2 Criteria	Common DDQ Questions	What to Cite
CC5.1	"How do you select and develop controls?"	Control framework, design
CC5.2	"How do you deploy technology controls?"	Technical controls implementation
CC5.3	"How do you enforce policies through technology?"	Automated controls, enforcement

CC6: Logical and physical access controls

SOC 2 Criteria	Common DDQ Questions	What to Cite
CC6.1	"How do you manage access?" "Do you enforce MFA?"	Access control, RBAC, MFA
CC6.2	"How do you handle provisioning?"	User provisioning/deprovisioning
CC6.3	"How do you manage privileged access?"	Admin access, PAM
CC6.6	"Do you have network security?"	Network segmentation, firewalls
CC6.7	"Do you encrypt data at rest and in transit?"	Encryption standards, TLS
CC6.8	"How do you prevent unauthorized software?"	Endpoint security, allowlisting

CC7: System operations

SOC 2 Criteria	Common DDQ Questions	What to Cite
CC7.1	"How do you detect anomalies?"	Monitoring, SIEM, alerting
CC7.2	"How do you detect security incidents?"	Detection mechanisms, tools
CC7.3	"How do you respond to incidents?"	Incident response plan
CC7.4	"How do you contain and remediate incidents?"	Containment, recovery
CC7.5	"How do you recover from incidents?"	Recovery procedures, post-mortem

CC8: Change management

SOC 2 Criteria	Common DDQ Questions	What to Cite
CC8.1	"Describe your SDLC" "How do you manage changes?"	Change management, SDLC, code review, testing

CC9: Risk mitigation

SOC 2 Criteria	Common DDQ Questions	What to Cite
CC9.1	"How do you mitigate identified risks?"	Risk treatment, controls
CC9.2	"How do you manage vendor risk?"	Third-party risk management

A1: Availability

SOC 2 Criteria	Common DDQ Questions	What to Cite
A1.1	"What is your uptime SLA?"	Availability commitments, SLA
A1.2	"Do you have a BCP/DR plan?"	BCP, DRP, RTO, RPO
A1.3	"How do you test recovery?"	DR testing, backup restoration

How to use this checklist

Open your SOC 2 report alongside the DDQ.
For each DDQ question, find the matching SOC 2 criteria above.
Go to that section in your SOC 2 report and extract the relevant details.
Cite the specific criteria: "Per SOC 2 Type II report (CC6.7), all data at rest is encrypted using AES-256..."

Pro tips

Always cite the criteria number. "SOC 2 CC6.7" is more credible than "SOC 2 report."
Include the audit period. "SOC 2 Type II report for the period [Jan 2025 – Dec 2025]."
If your SOC 2 doesn't cover a question, say so. "This control is not within the scope of our current SOC 2 audit. However, per our [Policy Name]..." Honesty builds trust.
SOC 2 doesn't cover everything. Privacy (GDPR specifics), physical security details, HR policies, insurance, and legal questions often need separate sources.

Automate the mapping

Manually mapping SOC 2 criteria to DDQ questions works but takes time. FillBase does this automatically — it parses your SOC 2 report, understands the structure, and maps answers to questions with source citations.

Upload your SOC 2 and auto-complete your next DDQ →