Security Controls: What to Verify (Not Just Believe)
Baseline controls to request evidence for
- Encryption at rest and in transit
- Access controls, least privilege, and MFA
- Audit logging and retention
- Pen testing / vulnerability management cadence
- Incident response plan + breach notification
- Backup and disaster recovery
Evidence examples
- SOC 2 Type II report (latest period)
- ISO 27001 certificate + statement of applicability
- Security architecture overview and data flow diagram
