SOC 2 Compliance for Identity Systems: A Practical Checklist
A checklist of SOC 2 requirements that directly impact identity management — authentication, access control, audit logging, and security policies.
SOC 2 (System and Organization Controls 2) is the gold standard for demonstrating that your SaaS platform handles customer data securely. A significant portion of SOC 2 requirements map directly to identity management. Here's what you need to know.
What SOC 2 Covers
SOC 2 evaluates five Trust Service Criteria:
- Security — Protection against unauthorized access
- Availability — System uptime and reliability
- Processing Integrity — Data processing accuracy
- Confidentiality — Protection of sensitive information
- Privacy — Personal data handling
For identity management, Security and Confidentiality are the most relevant. Here's a practical checklist of controls your identity system needs.
Authentication Controls
Strong Password Policies — Enforce minimum length (12+ characters recommended), complexity requirements, and prevent password reuse. Calimatic Identity supports configurable password policies with all of these options.
Multi-Factor Authentication — MFA should be available for all users and mandatory for administrators. SOC 2 auditors look for MFA enforcement, not just availability. Calimatic Identity supports TOTP-based MFA with enforcement at the organization and role level.
Secure Login Flows — Use PKCE for all OAuth authorization code flows. Enforce HTTPS everywhere. Implement account lockout after repeated failed attempts. All of these are default behaviors in Calimatic Identity.
Session Management — Define maximum session lifetimes. Implement idle timeouts. Provide the ability to terminate sessions remotely. Log all session creation and termination events.
Access Control Requirements
Least Privilege — Users should have the minimum access needed for their role. Auditors will ask: "How do you ensure users don't have excessive permissions?" Role-based access control with documented role definitions answers this question.
Role Documentation — Each role should have a documented description of its permissions and purpose. Calimatic Identity's admin panel provides this for every custom role.
Access Reviews — Conduct periodic reviews of user access. Auditors expect at least quarterly reviews for high-privilege access and annual reviews for standard access. Calimatic Identity's user and role management interfaces support this workflow.
Timely Deprovisioning — When an employee leaves or changes roles, their access must be updated promptly. Define SLAs for deprovisioning (e.g., within 24 hours of termination). Automated directory sync with your HR system helps meet this requirement.
Segregation of Duties — Ensure no single user can perform conflicting operations (e.g., creating and approving their own access changes). Org-scoped admin roles in Calimatic Identity enforce this naturally — admins manage users within their organization but can't modify platform-level settings.
Audit Logging Requirements
Comprehensive Coverage — Log all authentication events (login, logout, failed attempts), authorization events (role changes, permission grants), and administrative events (user creation, settings changes). Calimatic Identity captures all of these automatically.
Immutability — Audit logs must be tamper-proof. Auditors will verify that logs cannot be modified or deleted. Calimatic Identity stores logs in append-only tables with no modification or deletion API.
Retention — Maintain audit logs for at least one year, with the most recent three months immediately accessible. The Enterprise plan provides unlimited retention with export capabilities.
Monitoring and Alerting — Implement alerting for security-relevant events: multiple failed logins, privilege escalation, access from unusual locations. Configure alerts to notify the appropriate team immediately.
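As an added illustration of the alerting rules above (example code, not from this page or from Calimatic Identity), the Go snippet below scans constructed audit records in an assumed "<RFC3339 time> <event> <user> [<role>]" format and raises the two alerts the checklist names: a burst of failed logins by one user inside a sliding window, and a role change that grants admin. Malformed records are skipped rather than aborting the scan, and a successful login clears the user's failure counter.

```go
package main

import (
	"strings"
	"time"
)

// Constructed sample in an assumed "<RFC3339 time> <event> <user> [<role>]" format.
var sampleLog = []string{
	"2024-05-01T10:00:00Z login_failed alice",
	"2024-05-01T10:00:20Z login_failed alice",
	"2024-05-01T10:00:40Z login_failed alice",
	"2024-05-01T10:02:00Z login_ok bob",
	"2024-05-01T10:03:00Z role_change bob admin",
}

// Detect alerts on threshold failed logins by one user inside a sliding window
// (a successful login resets it) and on any role change that grants admin.
func Detect(lines []string, threshold int, window time.Duration) []string {
	var alerts []string
	failures := map[string][]time.Time{} // recent failure times per user, in order
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue // malformed record: skip it rather than abort the scan
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		switch f[1] {
		case "login_failed":
			ts := append(failures[f[2]], at)
			for at.Sub(ts[0]) > window { // drop failures older than the window
				ts = ts[1:]
			}
			failures[f[2]] = ts
			if len(ts) == threshold {
				alerts = append(alerts, "failed-login burst: "+f[2])
			}
		case "login_ok":
			delete(failures, f[2])
		case "role_change":
			if len(f) > 3 && f[3] == "admin" {
				alerts = append(alerts, "privilege escalation: "+f[2]+" granted admin")
			}
		}
	}
	return alerts
}
```

Calling Detect(sampleLog, 3, 5*time.Minute) yields one burst alert for alice and one escalation alert for bob; with a 30-second window alice's three failures, spread over 40 seconds, no longer count as a burst.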
Encryption and Data Protection
Encryption at Rest — All sensitive data (passwords, API keys, OAuth secrets, SSO certificates) must be encrypted at rest. Calimatic Identity uses AES-256-GCM encryption for all secrets.
Encryption in Transit — All communications must use TLS 1.2 or higher. This includes API calls, database connections, and SSO protocol exchanges.
Key Management — Encryption keys must be managed securely with rotation policies. Document your key management procedures for auditors.
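To make the encryption-at-rest and key-management items above concrete, here is an added Go example (not Calimatic Identity's implementation) of AES-256-GCM secret storage in which every stored blob records the key version it was sealed under, so a new key can be introduced and old blobs re-sealed gradually, and a retired key makes anything still sealed under it unreadable. The Keyring type, the blob layout and the version header are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Keyring maps a key version to a 32-byte AES-256 key; Current is used for new seals.
type Keyring struct {
	Keys    map[uint32][]byte
	Current uint32
}

// gcm returns AES-256-GCM for one key version; an unknown version yields a nil key, which aes.NewCipher rejects.
func (k *Keyring) gcm(version uint32) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.Keys[version])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal stores version(4) || nonce(12) || ciphertext+tag. The version header is
// passed as associated data, so it is authenticated along with the ciphertext.
func (k *Keyring) Seal(secret []byte) ([]byte, error) {
	g, err := k.gcm(k.Current)
	if err != nil {
		return nil, err
	}
	hdr := binary.BigEndian.AppendUint32(nil, k.Current)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand; a fresh random nonce per seal is mandatory for GCM
	return g.Seal(append(hdr, nonce...), nonce, secret, hdr), nil
}

// Open selects the key named in the header, so a secret sealed before a rotation
// still opens; any modification of header, nonce or body fails the tag check.
func (k *Keyring) Open(blob []byte) ([]byte, error) {
	if len(blob) < 16 {
		return nil, errors.New("blob too short")
	}
	g, err := k.gcm(binary.BigEndian.Uint32(blob))
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[4:16], blob[16:], blob[:4])
}
```

Rotation is then a procedure, not a code change: add the next version to Keys, point Current at it, and re-seal existing blobs with Open followed by Seal before deleting the old version.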
Vendor Management
If you're using Calimatic Identity (or any third-party identity platform), your SOC 2 auditor will ask about vendor security. Key questions:
- Does the vendor have their own SOC 2 report?
- How is data isolated between tenants?
- What is the vendor's incident response process?
- Where is data stored geographically?
Document your vendor evaluation process and keep evidence of due diligence.
The Audit Process
SOC 2 audits examine both the design of your controls (Type I) and their operating effectiveness over time (Type II). For a Type II audit, the auditor reviews evidence over a 6-12 month period.
Start collecting evidence now:
- Screenshots of password policy configurations
- Exports of role definitions and permission matrices
- Audit log samples showing login events, access changes, and admin actions
- Access review records showing periodic review of user permissions
- Deprovisioning evidence showing timely removal of access for departed users
Getting Started
SOC 2 compliance doesn't require perfection — it requires documentation, consistency, and evidence. Start by mapping the checklist above to your current identity setup. Identify gaps, implement controls, and begin collecting evidence. Calimatic Identity provides many of these controls out of the box, giving you a significant head start on your SOC 2 journey.