# SOC 2 Style Controls (Quick-Start)

**CC1—Control Environment**
- Code of conduct & WISP accepted by staff; access reviews quarterly

**CC2—Communication & Information**
- Security announcements documented; incident comms in playbook

**CC3—Risk Assessment**
- Track top 10 risks (rules misconfig, key leakage, IAM drift)

**CC4—Monitoring**
- Audit logs captured (auth/admin/Stripe); weekly review with checklist

**CC6—Access Controls**
- Least-privilege IAM; MFA; periodic user access review (GCP, Stripe)

**CC7—Change Management**
- PRs require review; CI runs tests and lint; tag releases

**CC8—System Ops**
- Backups daily; restore test monthly; capacity monitored

**CC9—Incident Management**
- Breach-Response Playbook; postmortems with follow-ups

**CC10—Confidentiality**
- Data classification; restrict Storage/RTDB reads; tokenization (Stripe IDs only, no PANs)

**Evidence to Collect**
- Screenshots of IAM roles
- Export of audit logs
- Backup & restore logs
- Training attestation
- PR review evidence