Compliance Recipe

SOC2 Readiness Checklist

A pragmatic walkthrough for shipping a SOC2 Type II audit-ready posture on Meridian. This recipe collapses the usual 90-day scramble into a reproducible policy bundle, evidence collector, and continuous monitor wired to your Meridian workspace.

1. Map the Trust Service Criteria

Start by pinning every TSC control to a concrete owner and a piece of evidence Meridian can collect automatically. Most teams over-scope here, which is what makes SOC2 feel impossible. Only the Security criteria are required; the other four Trust Service Criteria are optional.

  • CC1 — Control environment & org chart
  • CC6 — Logical access & encryption
  • CC7 — System operations & monitoring
  • CC8 — Change management

2. Wire the evidence collector

Meridian ships a SOC2 collector that scrapes GitHub, AWS, Okta, and your HRIS on a 24-hour cadence. Drop the snippet below in your workspace settings and the dashboard will start filling in the control matrix within an hour.

// meridian.config.ts
// Placeholder values ('your-org', 'your-org.okta.com') must be replaced
// with your own organisation's identifiers before the collector will run.
import { defineCompliance } from '@meridian/sdk';

export default defineCompliance({
  framework: 'soc2-type-ii',
  scope: ['security'],                 // Security criteria only (see step 1)
  collectors: {
    github: { org: 'your-org', prCoverage: true },          // CC8 change management
    aws:    { regions: ['us-east-1'], cloudtrail: true },   // CC7 operations & monitoring
    okta:   { domain: 'your-org.okta.com', mfaAudit: true }, // CC6 logical access
  },
  cadence: '24h',                      // collection interval
});

3. Run the readiness review

Once the collector has 30 days of evidence, schedule a readiness review with your auditor. Meridian generates the SOC2 system description, control narratives, and evidence index as a single tarball, which most Big Four auditors accept directly. Expect zero findings if the dashboard is fully green for at least three weeks.

Pro tip: Keep your observation window above 90 days. Type II audits weigh sustained operation, not one-shot fixes.