Code Review Checklist Guide

Security, testing, and approval checks before merge to protected branches.


Code Review Checklist Template


How to Fill Out This Code Review Checklist

Attach to PR templates or use as a release gate. Evidence is PR history plus this completed checklist for sampled changes.

Recommended Owner: Engineering Lead | Security for secure coding items


Document purpose

Code review security checklist (CC8.1 evidence).

In your program: Attach to PR template or release checklist.


Getting Started

  • Enable Editing in Word; replace `[` placeholders and delete gray examples.
  • Cross-check names and vendors with SOC-002, SOC-004, and Phase 1 COR policies.


Fill out the file section by section

Work through the sections below in order. Each block matches a heading or tab in the downloaded SOC-012 file.

A. General & Process
  • Complete for every prod-bound PR — attach to ticket or PR template.
  • Mark N/A with a short note when an item does not apply to this change.
B. Security
  • AuthN/AuthZ, injection, session, crypto — core CC8.1 items.
  • After editing B. Security, search for `[` placeholders and gray sample names — auditors flag incomplete templates.
C. Data Handling
  • PII/classification per COR-009; no sensitive data in logs.
D. Infrastructure Changes (skip if not applicable)
  • IaC, security groups, IAM: items 18–21 in the checklist.
E. Sign-Off
  • Reviewer initials or checkbox — two-person rule for sensitive merges.
Reviewer Notes & Findings
  • Document deferrals; reference the COR-014 ticket if the risk is accepted.
Approval Sign-Off
  • Named reviewer and date — auditors sample PRs with this checklist.
Related Documents
  • SOC-007, SOC-011, COR-009, COR-014.


Before You Finalize

  • Checklist items match the languages and frameworks you actually use (API auth, injection, secrets handling).
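The placeholder search this page asks for after every section can be automated. The script below is an added example, not code from the SOC-012 download or its vendor: it opens a filled-in .docx, joins the text of each paragraph across run boundaries (Word routinely splits a placeholder such as `[Reviewer Name]` into several `<w:t>` elements, so a raw grep of document.xml misses it), and reports bracketed `[...]` placeholders plus runs colored with a gray sample color. The bracket convention and the set of gray hex values in `GRAY_VALUES` are assumptions about the template, not facts taken from it; the sample document built by `build_sample_docx()` is constructed for the demo.

```python
"""Scan a filled-in .docx for leftover template placeholders and gray sample text.

Added example, not part of the SOC-012 download. Assumptions (labelled):
  * placeholders are bracketed in the body text, e.g. "[Reviewer Name]";
  * gray sample text is stored as runs whose <w:color w:val="..."/> is one of
    the hex values in GRAY_VALUES.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}
W_T, W_R, W_P = (f"{{{W_NS}}}{tag}" for tag in ("t", "r", "p"))

# Assumption: gray example text uses one of these Word standard grays.
GRAY_VALUES = {"808080", "A6A6A6", "BFBFBF", "7F7F7F", "595959"}
# A bracketed placeholder: no nested brackets, no newlines, bounded length.
PLACEHOLDER_RE = re.compile(r"\[[^\[\]\n]{1,80}\]")


def run_text(node):
    """Concatenate all <w:t> text below node (a run or a paragraph)."""
    return "".join(t.text or "" for t in node.iter(W_T))


def scan_part(xml_bytes):
    """Return (kind, paragraph_index, text) findings for one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for idx, para in enumerate(root.iter(W_P), start=1):
        # Join the whole paragraph first: Word splits "[Reviewer Name]" across
        # runs after spell-check or tracked changes, so grepping raw XML misses it.
        for match in PLACEHOLDER_RE.finditer(run_text(para)):
            findings.append(("placeholder", idx, match.group(0)))
        for run in para.iter(W_R):
            color = run.find("w:rPr/w:color", NS)
            if color is None:
                continue
            if color.get(f"{{{W_NS}}}val", "").upper() in GRAY_VALUES:
                text = run_text(run).strip()
                if text:
                    findings.append(("gray_sample", idx, text))
    return findings


def scan_docx(docx):
    """Scan body, headers and footers; return (part, kind, paragraph, text) tuples."""
    results = []
    with zipfile.ZipFile(docx) as archive:
        parts = [n for n in archive.namelist()
                 if re.fullmatch(r"word/(document|header\d*|footer\d*)\.xml", n)]
        for name in sorted(parts):
            results.extend((name, *f) for f in scan_part(archive.read(name)))
    return results


def build_sample_docx():
    """Constructed minimal .docx (not a real SOC-012 file) with one placeholder
    split across three runs, one gray example run, and one completed line."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:r><w:t>Reviewer: </w:t></w:r><w:r><w:t>[</w:t></w:r>'
        '<w:r><w:t>Reviewer Name]</w:t></w:r></w:p>'
        '<w:p><w:r><w:rPr><w:color w:val="808080"/></w:rPr>'
        '<w:t>e.g. Example Payments Ltd</w:t></w:r></w:p>'
        '<w:p><w:r><w:t>Reviewer: J. Doe (initials JD)</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", document)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_docx()
    hits = scan_docx(source)
    for part, kind, para, text in hits:
        print(f"{part} paragraph {para}: {kind}: {text}")
    # Non-zero exit makes this usable as a CI gate on the exported checklist.
    sys.exit(1 if hits else 0)
```

Run it as `python scan_docx.py SOC-012-completed.docx`; a non-zero exit means the file still carries an unreplaced placeholder or gray example text and should not be filed as evidence. The scan covers headers and footers as well as the body, because the template title block and page footer are where placeholders most often survive a hurried edit.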


Where to Store It

  • Store the completed file in your compliance evidence folder (signed PDF for policies).
  • Register the document in COR-013 with version, owner, and next review date.
  • Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.

Next Steps

After customizing Code Review Checklist:

  1. Complete the file: Finish every section or tab in SOC-012.
  2. Register: Add version and owner to COR-013.
  3. Operationalize: Train owners listed in the document.
  4. Evidence: Keep exports auditors can sample during fieldwork.