How do I organize my SOC 2 evidence library before the audit?
How to Structure Your Evidence Library
Option A: By Control Criteria (Recommended)
SOC2-Evidence/
├── CC1 - Control Environment/
│ ├── info-security-policy.pdf
│ ├── org-chart.png
│ └── security-training-records.csv
├── CC6 - Access Controls/
│ ├── CC6.1-mfa-enforcement.png
│ ├── CC6.1-user-list-google.png
│ ├── CC6.1-user-list-github.png
│ ├── CC6.1-access-review-Q1.pdf
│ └── CC6.1-access-review-Q2.pdf
├── CC7 - Monitoring/
│ ├── CC7.2-cloudwatch-alarms.png
│ ├── CC7.2-sentry-config.png
│ └── CC7.3-incident-response-plan.pdf
├── CC8 - Change Management/
│ ├── CC8.1-branch-protection.png
│ ├── CC8.1-ci-pipeline.png
│ └── CC8.1-sample-prs/
Option B: By Evidence Type (Less Ideal)
Organizing by type (screenshots, policies, logs) makes the auditor's job harder: requests arrive per control, so they would have to search every type folder to assemble the evidence for a single criterion such as CC6.1.
The Evidence Index
Create a spreadsheet mapping each piece of evidence to its control:
| Control | Evidence Description | File Name | Date Captured |
|---|---|---|---|
| CC6.1 | MFA enforcement - Google Workspace | CC6.1-mfa-google.png | 2026-03-01 |
| CC6.1 | GitHub org member list | CC6.1-github-members.png | 2026-03-01 |
| CC8.1 | Branch protection settings | CC8.1-branch-protection.png | 2026-03-01 |
File Naming Convention
Use a consistent naming pattern: [Control]-[Description]-[Date].[ext]
Examples:
CC6.1-mfa-enforcement-google-2026-03.png
CC8.1-branch-protection-main-2026-03.png
CC7.3-incident-response-plan-v2.pdf
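The naming convention above and the evidence index from the previous section are mechanical enough to check with a script. The following is an added example, not part of the original page: it parses each file path against [Control]-[Description]-[Date].[ext] (the regex also accepts an optional -vN tag before the date, to cover the versioned policy example above), flags names without a date and files whose control prefix does not match the CC folder they sit in, and renders the index table. The sample paths are constructed from the tree above plus one deliberately misfiled entry; the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Convention from this page: [Control]-[Description]-[Date].[ext]
# Date is YYYY-MM or YYYY-MM-DD. The optional -vN tag before the date is an
# assumption made to cover versioned policies (e.g. ...-plan-v2.pdf).
NAME_RE = re.compile(
    r"^(?P<control>CC\d+\.\d+)"
    r"-(?P<desc>[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*?)"
    r"(?:-(?P<version>v\d+))?"
    r"(?:-(?P<date>\d{4}-\d{2}(?:-\d{2})?))?"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)
# Folder names like "CC6 - Access Controls" start with the criteria series.
FOLDER_RE = re.compile(r"^(CC\d+)\b")


@dataclass
class EvidenceRecord:
    path: str
    control: Optional[str]          # None when the name ignores the convention
    description: str
    date: Optional[str]
    version: Optional[str]
    issues: List[str] = field(default_factory=list)


def parse_evidence(path: str) -> EvidenceRecord:
    """Parse one library path and record anything an auditor would trip over."""
    parts = path.replace("\\", "/").split("/")
    folder = parts[-2] if len(parts) >= 2 else ""
    name = parts[-1]
    m = NAME_RE.match(name)
    if not m:
        stem = name.rsplit(".", 1)[0]
        return EvidenceRecord(path, None, stem.replace("-", " "), None, None,
                              ["filename does not follow [Control]-[Description]-[Date].[ext]"])
    rec = EvidenceRecord(path, m["control"], m["desc"].replace("-", " "),
                         m["date"], m["version"])
    if rec.version:
        rec.description += f" ({rec.version})"
    if rec.date is None:
        rec.issues.append("no capture date in filename")
    fm = FOLDER_RE.match(folder)
    if fm and rec.control.split(".")[0] != fm.group(1):
        rec.issues.append(f"control {rec.control} is filed under the {fm.group(1)} folder")
    return rec


def build_index(paths: List[str]) -> Tuple[List[Tuple[str, str, str, str]], List[Tuple[str, str]]]:
    """Return (index rows, problems). Rows use the page's spreadsheet columns."""
    rows, problems = [], []
    for rec in map(parse_evidence, paths):
        filename = rec.path.replace("\\", "/").rsplit("/", 1)[-1]
        problems.extend((rec.path, issue) for issue in rec.issues)
        if rec.control is not None:
            rows.append((rec.control, rec.description, filename, rec.date or ""))
    # Sort numerically by criterion (CC6.1 before CC10.1), then by filename.
    rows.sort(key=lambda r: (tuple(int(x) for x in r[0][2:].split(".")), r[2]))
    return rows, problems


def render_index(rows: List[Tuple[str, str, str, str]]) -> str:
    """Render the evidence index as the pipe table shown on this page."""
    header = "| Control | Evidence Description | File Name | Date Captured |\n|---|---|---|---|"
    return "\n".join([header] + [f"| {c} | {d} | {f} | {dt} |" for c, d, f, dt in rows])


# Constructed sample library: paths from the tree above, plus one file that
# is deliberately misfiled (a CC6.1 capture under the CC8 folder).
SAMPLE_PATHS = [
    "SOC2-Evidence/CC1 - Control Environment/info-security-policy.pdf",
    "SOC2-Evidence/CC6 - Access Controls/CC6.1-mfa-enforcement-google-2026-03.png",
    "SOC2-Evidence/CC6 - Access Controls/CC6.1-access-review-Q1.pdf",
    "SOC2-Evidence/CC7 - Monitoring/CC7.3-incident-response-plan-v2.pdf",
    "SOC2-Evidence/CC8 - Change Management/CC8.1-branch-protection-main-2026-03.png",
    "SOC2-Evidence/CC8 - Change Management/CC6.1-github-members-2026-03-01.png",
]

if __name__ == "__main__":
    index_rows, index_problems = build_index(SAMPLE_PATHS)
    print(render_index(index_rows))
    for p, issue in index_problems:
        print(f"FIX: {p}: {issue}")
```

Run this over a real library by replacing SAMPLE_PATHS with the output of os.walk; anything listed under FIX is a file the auditor will have to ask about, so resolve it before pre-sharing the folder. The misfiled check matters more than it looks: a CC6.1 screenshot sitting in the CC8 folder is effectively missing from CC6.1 during a walkthrough.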
Tips
- Use Google Drive or Notion, not scattered local folders. The auditor needs access. Remember that the library itself is sensitive (user lists, MFA settings, pipeline configuration), so share it with named auditor accounts only, never by public link, and remove that access once the report is issued.
- Version your policies. Include version number and last review date in the filename.
- Timestamp everything. Every screenshot should show a visible date from the system itself (the console's own timestamp, or the OS clock and URL bar in frame), so the auditor can tie the capture to the review period without taking your word for it.
- Pre-share with the auditor. Give them read-only access to your evidence library before the audit starts. This saves time during walkthroughs and keeps the auditor from accidentally modifying or moving files.
- Keep it current. Replace stale captures with fresh ones before the audit, but do not delete evidence that falls inside the review period: for a Type II report the auditor samples across the whole observation window, so move superseded captures to an archive folder rather than removing them.