Compliance Readiness Checklist for HIPAA, SOC 2, CMMC, and NIST


Monthly and quarterly compliance checklist template for ongoing compliance with HIPAA, SOC 2, and other regulatory frameworks.


Monthly Compliance Checklist Template

Use this checklist to ensure ongoing compliance with HIPAA, SOC 2, and other regulatory frameworks. Assign each task to a team member and track completion monthly.

Week 1: Monitoring & Detection

Security Monitoring

  • [ ] Review centralized security logs (authentication, data access, system changes)
  • [ ] Verify no unauthorized access attempts or suspicious patterns
  • [ ] Confirm all security alerts were investigated and resolved
  • [ ] Test that intrusion detection/prevention systems are operational
  • [ ] Verify firewall rules are current and appropriate

System Health

  • [ ] Verify all systems are operational with 99.5%+ uptime
  • [ ] Review system performance metrics for anomalies
  • [ ] Confirm automated backups completed successfully
  • [ ] Test at least one backup restore (monthly minimum)

Access Control

  • [ ] Verify MFA is enabled for all critical systems
  • [ ] Review active user accounts; remove unused accounts
  • [ ] Verify role-based access is still appropriate (no privilege creep)
  • [ ] Review third-party access; confirm all third parties still need access

Week 2: Access & Authorization Review

Workforce Audit

  • [ ] List all current employees and contractors with system access
  • [ ] Confirm each person's role matches their access level
  • [ ] Verify terminated employees' access has been disabled
  • [ ] Review any recent role changes; confirm access was updated
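The Week 1 access-control checks (MFA enabled, unused accounts) and the Week 2 workforce audit (terminated staff, role matching access) can be run as one comparison of the identity-provider export against the HR roster. The script below is an added example, not part of the original checklist or any BCT tooling; the account and roster data are constructed samples, and the 90-day "unused" threshold is an assumption.

```python
# Monthly access review: compare an IdP account export with the HR roster
# and produce findings that can be filed as audit evidence.
# Added example with constructed data; not part of the original checklist.
from datetime import date, timedelta

# Constructed IdP export: one record per active account.
ACCOUNTS = [
    {"user": "alice", "mfa": True,  "last_login": date(2024, 5, 2),  "roles": ["billing"]},
    {"user": "bob",   "mfa": False, "last_login": date(2024, 5, 3),  "roles": ["admin", "billing"]},
    {"user": "carol", "mfa": True,  "last_login": date(2024, 1, 9),  "roles": ["support"]},
    {"user": "dave",  "mfa": True,  "last_login": date(2024, 4, 30), "roles": ["admin"]},
]

# Constructed HR roster: expected role for each current employee/contractor.
# Anyone missing from this mapping is no longer with the organization.
ROSTER = {"alice": "billing", "bob": "admin", "carol": "support"}

# Constructed review date so the example is reproducible offline.
REVIEW_DATE = date(2024, 5, 6)


def review_access(accounts, roster, today, unused_days=90):
    """Return (user, finding) tuples; an empty list means no exceptions."""
    findings = []
    stale_before = today - timedelta(days=unused_days)
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            # Terminated or unknown person still holds an active account.
            findings.append((user, "active account, not on HR roster"))
            continue
        if not acct["mfa"]:
            findings.append((user, "MFA not enabled"))
        if acct["last_login"] < stale_before:
            findings.append((user, f"no login in {unused_days}+ days"))
        if set(acct["roles"]) != {roster[user]}:
            # Privilege creep or a role change that was never propagated.
            findings.append((user, f"roles {acct['roles']} != HR role {roster[user]!r}"))
    return findings


if __name__ == "__main__":
    # Print one evidence line per finding, ready to attach to the ticket.
    for user, finding in review_access(ACCOUNTS, ROSTER, REVIEW_DATE):
        print(f"{REVIEW_DATE} {user}: {finding}")
```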

Vendor & Third-Party Review

  • [ ] Verify all vendors/SaaS services have active Business Associate Agreements (BAAs) or Data Processing Agreements
  • [ ] Confirm vendors are maintaining their own security certifications (SOC 2, HIPAA, etc.)
  • [ ] Review any new vendors for security requirements before integration
  • [ ] Verify vendor access logs show normal activity

API & Integration Audit

  • [ ] Review API access logs; confirm only authorized applications have access
  • [ ] Verify API credentials are rotated regularly (at least quarterly)
  • [ ] Check for any deactivated integrations that are still requesting access
  • [ ] Confirm data flowing through integrations is encrypted

Week 3: Data Protection & Encryption

Encryption Verification

  • [ ] Confirm all data in transit uses TLS 1.2+ encryption
  • [ ] Verify data at rest is encrypted in all storage systems (databases, backups, archives)
  • [ ] Review encryption keys; confirm they're managed securely (not hard-coded, rotated regularly)
  • [ ] Test data recovery from encrypted backup to verify encryption doesn't block recovery

Data Classification & Handling

  • [ ] Verify data is classified correctly (public, internal, confidential, restricted)
  • [ ] Confirm confidential/restricted data has appropriate access controls
  • [ ] Review data retention policies; ensure old data is securely disposed
  • [ ] Confirm secure deletion process is working (verify disposed data cannot be recovered)

Sensitive Data Audit

  • [ ] Search systems for any hardcoded credentials, API keys, or passwords (use automated tools)
  • [ ] Review code repositories for accidentally committed secrets
  • [ ] Verify PII (personally identifiable information) is properly masked in non-production environments
  • [ ] Confirm payment card data (if applicable) follows PCI-DSS requirements

Week 4: Incident Response & Policies

Policy & Documentation Review

  • [ ] Verify security policies are current and reflect actual practices
  • [ ] Review incident response plan; confirm all team members know their roles
  • [ ] Update employee handbook with current security expectations
  • [ ] Confirm all security policies are signed and acknowledged by current staff

Incident & Change Log

  • [ ] Review incidents from the past month; verify they were resolved appropriately
  • [ ] Document any security changes made during the month
  • [ ] Verify all changes were reviewed and approved before implementation
  • [ ] Confirm no unapproved or emergency changes remain undocumented

Training & Awareness

  • [ ] Verify all new hires completed security training during onboarding
  • [ ] Review security training completion rates; follow up with any staff who haven't completed training
  • [ ] Distribute monthly security awareness message (e.g., phishing alert, password security tip)
  • [ ] Track security training completion and maintain records

Additional Quarterly Tasks (Every 3 Months)

Vulnerability & Patch Management

  • [ ] Audit all systems for security patches; apply critical patches immediately
  • [ ] Review third-party software versions; ensure all are current
  • [ ] Run vulnerability scans on infrastructure and applications
  • [ ] Address any vulnerabilities found; document remediation or risk acceptance

Backup & Disaster Recovery

  • [ ] Execute full disaster recovery test (restore from backup to alternate environment)
  • [ ] Measure actual recovery time and data loss during the test; verify they meet the recovery time objective (RTO) and recovery point objective (RPO) set by the business
  • [ ] Update disaster recovery plan if needed
  • [ ] Document results and any issues found

Third-Party Security Assessment

  • [ ] Request updated SOC 2 reports from critical vendors
  • [ ] Review any security assessments or penetration tests from critical vendors
  • [ ] Identify any new security risks introduced by vendors
  • [ ] Address or mitigate identified risks

Annual Tasks (Yearly)

Full Security Audit

  • [ ] Conduct comprehensive security audit or engage third party
  • [ ] Review all five SOC 2 trust service criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)
  • [ ] Identify any gaps or areas for improvement
  • [ ] Create action plan to address findings

Compliance Assessment

  • [ ] Assess compliance with all applicable regulations (HIPAA, GDPR, CCPA, industry-specific requirements)
  • [ ] Review compliance status with legal/compliance team
  • [ ] Update compliance documentation and evidence
  • [ ] Plan for any upcoming compliance audits

Policy Review & Update

  • [ ] Review all security policies for completeness and accuracy
  • [ ] Update policies to reflect changes in business or regulations
  • [ ] Distribute updated policies to all staff
  • [ ] Obtain acknowledgment of updated policies

Working Checklist Format

Use this page as the working checklist, then copy the sections into your internal ticketing, project management, or spreadsheet system. Keep one owner, one due date, and one evidence location attached to each recurring task so compliance work does not depend on memory.

How to Use This Checklist

  1. Assign Responsibility: Assign each week's tasks to a specific team member (usually the IT manager or security officer).
  2. Track Completion: Mark tasks as complete as they're finished.
  3. Document Evidence: For audit purposes, maintain records of completed tasks (logs, reports, screenshots).
  4. Escalate Issues: If any task reveals a problem, immediately escalate to management.
  5. Monthly Review: At the end of each month, review all tasks completed and any outstanding issues.
  6. Quarterly Deep Dive: Every three months, conduct the additional quarterly tasks.
  7. Annual Audit: Once per year, conduct the annual security audit and compliance review.

Common Issues & How to Handle Them

Issue: Finding a system that hasn't been patched recently

  • Immediately assess severity of available patches
  • Apply critical patches within 48 hours
  • For other patches, prioritize by severity and test before deployment
  • Document reason for any patches not applied

Issue: Discovering unauthorized access to confidential data

  • Immediately isolate affected systems
  • Begin forensic investigation
  • Notify affected parties as required by law
  • Document incident and review security controls to prevent recurrence

Issue: Backup recovery test fails

  • Immediately address the issue (don't assume backups are working)
  • Verify backup integrity and restore process
  • Test restoration multiple times to ensure it's reliable
  • Update disaster recovery plan if needed

Issue: Employee no longer needs access but it hasn't been disabled

  • Immediately disable access
  • Verify access has been removed from every system the employee could reach
  • Review what data may have been accessible
  • Update access controls to prevent similar issues

Next Steps

Ready to implement this checklist?

  • Copy the sections into your internal tracking system
  • Assign the first week's tasks to your team
  • Start tracking compliance systematically

Need help setting up compliance processes?
Schedule a consultation to review your current compliance posture and customize this checklist for your specific needs.


Ready to make the next IT decision clearer?

BCT can review the current environment, identify practical risks, and map a support plan around the way the business actually works.
