Free Templates & Resources

The spreadsheets, policy starters, and diagrams we actually use — free to download, edit, and ship. Original work, no sign-up required.

Spreadsheet templates

Open in Excel or Google Sheets. Built to be filled in, not admired — each one maps to a real step in getting audit-ready.

CSV

SOC 2 Readiness Checklist

A control-area-by-control-area gap assessment to run before you pay an auditor: requirement, status, owner, and evidence notes.

CSV

Vendor Risk Assessment Questionnaire

An original security questionnaire to send vendors, scaled by tier — access, data handling, certifications, sub-processors, and incident response.

CSV

Vendor Risk Register

Track every vendor in one sheet: data accessed, risk tier, evidence on file, last review, and status.

CSV

Information Security Risk Register

Log risks with likelihood, impact, a calculated score, treatment decision, and owner — the backbone of an ISMS.

CSV

User Access Review Tracker

Run periodic access reviews: user, system, role, last activity, decision (keep/revoke), and reviewer sign-off.

CSV

Asset & Data Inventory

Catalog systems and data stores with classification, owner, hosting location, and business criticality.

Policy & plan starters

Editable Markdown documents. Fill the bracketed fields, delete what doesn't apply, and you've got a defensible first draft instead of a blank page.

DOC

Information Security Policy

A concise top-level security policy covering scope, roles, acceptable use, access, and review cadence.

DOC

Incident Response Plan

Roles, severity levels, the detect-contain-eradicate-recover flow, and a communications and post-incident review structure.

DOC

Access Control Policy

Least privilege, provisioning and deprovisioning, periodic reviews, and privileged-access rules.

DOC

Business Continuity & DR Plan

Recovery objectives (RTO/RPO), backup approach, roles, and a tabletop-test structure.

Diagrams

Original, royalty-free diagrams. Download the SVG (scales to any size with no quality loss) and reuse them in decks, docs, or your own posts.

SVG

The SOC 2 Journey

The path from "we need SOC 2" to a report in hand: scope, gap assessment, remediation, observation window, audit.

SVG

Vendor Risk Tiering

How to sort vendors into low / medium / high / critical tiers by data access, and how much review each tier earns.

SVG

Cloud Shared Responsibility

Who secures what between you and your cloud provider — the line that trips up most vendor reviews.

SVG

Which Security Framework?

A quick map of SOC 2, ISO 27001, HIPAA, PCI DSS, and GDPR by who needs them and what they cover.