A cloud security & compliance checklist for ISO 27001 and SOC 2
Most organisations don't fail audits because they lack controls. They fail — or scramble — because the controls aren't applied consistently and the evidence isn't ready. The fix isn't a heroic pre-audit sprint; it's making security and compliance part of how the cloud runs every day. Here's a practical checklist of the controls that carry the most weight, organised the way we'd actually implement them.
1. Identity and access
- Enforce multi-factor authentication on every account, no exceptions for admins.
- Apply least-privilege IAM — no standing broad permissions.
- Use conditional access policies based on device, location and risk.
- Put privileged access behind just-in-time elevation and review it regularly.
- Remove dormant accounts and rotate access keys on a schedule.
2. Configuration and posture
- Run continuous cloud security posture management (CSPM) to catch misconfigurations.
- Block public access to storage by default; flag any exceptions.
- Enforce encryption at rest and in transit across all services.
- Baseline network controls — segmentation, security groups, no open management ports.
3. Logging, monitoring and response
- Centralise logs and retain them in line with your framework's requirements.
- Enable cloud-native threat detection and route alerts to a monitored channel.
- Maintain documented incident response runbooks — and test them.
- Define and track response-time targets so detection leads to action.
4. Data protection
- Classify data and apply controls proportionate to sensitivity.
- Manage encryption keys properly, with rotation and access controls.
- Verify backup integrity — a backup you can't restore isn't a backup.
- Map data residency against UK GDPR and contractual obligations.
5. Evidence and continuous compliance
This is where ISO 27001 and SOC 2 efforts most often come unstuck. The controls might be in place, but assembling evidence at audit time becomes a fire drill.
- Map each control to the relevant framework clause once, then maintain the mapping.
- Automate evidence collection wherever the cloud platform allows it.
- Monitor compliance continuously so you know your posture between audits, not just during them.
- Keep policies, runbooks and review records current and version-controlled.
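The checks in sections 1 and 2 and the evidence mapping in section 5 fit together in one small job. As an added example (not code from the original post), the Python below runs the MFA, dormant-account, key-age, public-storage, encryption and open-management-port checks over a constructed inventory snapshot and emits one evidence record per control, each tagged with the framework clauses it maps to; the snapshot data and the clause numbers are assumptions for illustration, and in practice the snapshot would be pulled from the cloud provider's inventory APIs on a schedule.

```python
from datetime import date
# Constructed snapshot of one cloud account (no real users, keys, buckets or networks).
TODAY = date(2024, 6, 1)
INVENTORY = {
    "users": [
        {"name": "alice", "mfa": True, "last_login": date(2024, 5, 28)},
        {"name": "svc-legacy", "mfa": False, "last_login": date(2023, 11, 2)},
    ],
    "access_keys": [{"user": "alice", "created": date(2024, 4, 1)},
                    {"user": "svc-legacy", "created": date(2023, 6, 1)}],
    "buckets": [
        {"name": "public-assets", "public": True, "encrypted": True, "exception": "SEC-123"},
        {"name": "customer-exports", "public": True, "encrypted": True, "exception": None},
    ],
    "security_groups": [{"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
                        {"name": "bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}],
}
MGMT_PORTS = {22, 3389}          # SSH and RDP: management ports that must not face the internet
DORMANT_DAYS = KEY_MAX_AGE_DAYS = 90

# Control id -> (checklist item, clause mapping). The clause numbers are an assumption for
# this example; confirm them against the framework versions you are actually assessed on.
CONTROLS = {
    "mfa": ("MFA on every account", ("ISO 27001 A.8.5", "SOC 2 CC6.1")),
    "dormant": ("Remove dormant accounts", ("ISO 27001 A.5.18", "SOC 2 CC6.2")),
    "key_age": ("Rotate access keys on a schedule", ("ISO 27001 A.5.17", "SOC 2 CC6.1")),
    "public_storage": ("No public storage without an exception", ("ISO 27001 A.5.15", "SOC 2 CC6.1")),
    "encryption": ("Encryption at rest on all storage", ("ISO 27001 A.8.24", "SOC 2 CC6.1")),
    "mgmt_ports": ("No open management ports", ("ISO 27001 A.8.20", "SOC 2 CC6.6")),
}

def find_violations(inv, today=TODAY):
    """Return {control_id: [offending resource names]}; an empty list means the control holds."""
    age = lambda d: (today - d).days
    return {
        "mfa": [u["name"] for u in inv["users"] if not u["mfa"]],
        "dormant": [u["name"] for u in inv["users"] if age(u["last_login"]) > DORMANT_DAYS],
        "key_age": [k["user"] for k in inv["access_keys"] if age(k["created"]) > KEY_MAX_AGE_DAYS],
        "public_storage": [b["name"] for b in inv["buckets"] if b["public"] and not b["exception"]],
        "encryption": [b["name"] for b in inv["buckets"] if not b["encrypted"]],
        "mgmt_ports": [g["name"] for g in inv["security_groups"] if any(
            r["port"] in MGMT_PORTS and r["cidr"] == "0.0.0.0/0" for r in g["ingress"])],
    }

def evidence_records(inv, today=TODAY):
    """One audit-ready record per control: what was checked, when, which clauses, and the result."""
    bad = find_violations(inv, today)
    return [{"control": cid, "description": desc, "clauses": clauses, "checked_on": today.isoformat(),
             "status": "FAIL" if bad[cid] else "PASS", "findings": bad[cid]}
            for cid, (desc, clauses) in CONTROLS.items()]
```

Run on every snapshot and keep the records; a dated series of PASS/FAIL per control is the continuous evidence the auditor asks for, and a new FAIL between audits is an alert, not a surprise.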
ISO 27001 vs. SOC 2 — a quick note
ISO/IEC 27001 certifies that you operate an information security management system (ISMS) — it's about the system of managing risk. SOC 2 is an attestation by an auditor against the Trust Services Criteria, often what US customers ask for. The underlying technical controls overlap heavily; the difference is largely in how they're assessed and evidenced. If your customers ask for one, build for it specifically, but the cloud controls above serve both.
The real lesson: continuous beats point-in-time
Every item on this list is easier to maintain than to retrofit. Posture that's checked continuously, with evidence collected as you go, turns audits from an event into a formality. That's the whole premise of building security into operations rather than bolting it on.
Want a read on where your cloud stands against this checklist? Book a security review and we'll assess your posture against best practice and the frameworks your customers care about.