SOC 2 Type 2 Evidence Collection
Hello everyone,
I am currently in the process of building policies and starting to collect evidence manually, due to the high cost of GRC tools.
I would like to ask if there is any checklist or any guidance that can help in collecting evidence for the following TSC:
(Security, Confidentiality, and Availability).
Also, what is the expected frequency for providing this evidence over a 6-month period?
For context, we are ISO/IEC 27001 and ISO 22301 certified, and we already have SIEM and PAM in place. All our operations are running on cloud platforms (AWS and Azure).
Additionally, if some controls are managed through workflows in a ticketing system, is this considered sufficient evidence from an audit perspective?
Thank you in advance for your support.