What's Inside
This easy-to-follow SOC 2 compliance checklist will help your organization prepare for and maximize the chance of passing an audit.
SOC 2 Compliance Checklist: 9 Key Steps To Take
Get Started With Drata
Contents
A System and Organization Control 2 (SOC 2) audit is an in-depth examination of your organization’s processes, systems, and controls as they relate to security, availability, confidentiality, processing integrity, and privacy.
It may seem overwhelming, but it doesn’t have to be. We’ve created this easy-to-follow checklist to help you start your journey to SOC 2 compliance.
SOC 2 Compliance Checklist
What goes into the preparation and execution of a SOC 2 audit? These are the steps you can expect to take and more details about what to do during each part of the process:
Determine if a Type 1 Is Necessary
Determine Your Scope
Communicate Processes Internally
Perform a Gap Assessment
Remediate Control Gaps
Update Your Customers and Prospects
Monitor and Maintain Controls
Find an Auditor
Undergo the SOC 2 Audit
1. Determine if a Type 1 Is Necessary
To get started with SOC 2, the first step is to determine if you would like the auditor to perform a SOC 2 Type 1 audit prior to performing a more rigorous SOC 2 Type 2 audit.
When performing a SOC 2 Type 1 audit, auditors review policies, procedures, and control evidence to determine if controls are suitably designed to meet the applicable SOC 2 criteria. The Type 1 audit covers a point in time and the resulting report will state whether or not controls were suitably designed as of a specific date.
A SOC 2 Type 2 audit is much more rigorous. In addition to determining if controls were suitably designed, auditors will also review evidence to determine that controls were operating effectively over a period of time to meet the applicable SOC 2 criteria.
Because of the nature of Type 1 versus Type 2 audits, organizations will typically engage an auditor to perform a Type 1 audit prior to a Type 2 audit. However, Type 1 audits do not need to be performed prior to completing a Type 2—organizations can choose to undergo a Type 2 audit without ever undergoing a Type 1 audit.
Customers will typically accept a Type 1 report for their vendors undergoing a SOC 2 audit for the first time, but they will more than likely expect a Type 2 report moving forward.
2. Determine Your Scope
SOC 2 audits cover a system which includes the following components as defined by the AICPA’s attestation standards: infrastructure, data, procedures, software, and people. As part of scoping, you will need to determine the system components that are in scope.
Beyond that, you’ll also need to determine which Trust Services Criteria (TSC) to include.
The five TSC are:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability: Information and systems are available for operation and used to meet the entity’s objectives.
Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
You don’t have to include all five Trust Services Criteria. Security is the only mandatory category, however, Availability and Confidentiality are frequently included.
The Trust Services Criteria are broken down into specific sub-criteria. For example, specific controls for Confidentiality include encryption and identity and access management. Privacy controls include privacy policies and consent management mechanisms.
3. Communicate Processes Internally
Communicating internally with key players is imperative throughout your SOC 2 audit planning process.
Your organization’s executive management and department leaders (human resources, engineering, DevOps, security, IT, etc.) will be responsible for implementing your SOC 2 controls and providing evidence to the auditor. Explaining the who, what, when, where, why, and how of the audit is crucial to preparing employees for their obligations.
4. Perform a Gap Assessment
One of the first steps on your SOC 2 journey will be to perform a gap assessment, also known as a readiness assessment. Look at your existing procedures, policies, and controls to help better understand your current security posture and which controls you still need to implement to meet the applicable criteria of the Trust Services Criteria.
5. Remediate Control Gaps
Once your gap assessment has been completed, it can take time to remediate and ensure SOC 2 control mandates are being achieved.
You will need to work with your team to:
Review policies.
Formalize procedures.
Make necessary alterations to software.
Address any additional steps like integrating new tools and workflows.
This will allow you to close gaps before the audit takes place.
6. Update Your Customers and Prospects
In the spirit of transparency and building trust, discuss with your team a few ways to promote your security practices with customers and prospects. Although you don’t have to announce that you’re pursuing SOC 2, you can still outline the processes you have in place to keep their data safe.
On your website or social media, consider outlining a high-level overview of:
Any continuous security control monitoring you have in place.
Employee training.
Penetration testing you’ve conducted.
Data encryption procedures.
7. Monitor and Maintain Controls
Now that you’ve made remediations and added controls to reach SOC 2 compliance, establish processes that help you and your team continuously monitor and maintain those controls. If you haven’t already, implement a tool that can automate control monitoring and evidence collection.
8. Find an Auditor
Before you begin looking for an audit firm, it’s important to determine what you’re looking for in an auditor. The right auditor can do much more than conduct your audit—they can help you understand and improve your compliance programs, streamline the process, and ultimately achieve a clean SOC 2 report.
Look for someone who:
Answers your questions intelligently and in a way your team understands.
Understands your industry.
Collaborates well with you and your team.
Has good references.
For more tips, head to our article on how to find the right auditor.
9. Undergo the SOC 2 Audit
At this stage, you’re ready to begin the audit process. Once you provide all the necessary information to your auditor, they will review evidence for each in-scope control, verify information, schedule walkthroughs, and provide you with the final report.
Download Drata's SOC 2 Audit Checklist
We’ve created a helpful SOC 2 checklist PDF to reference as you begin the SOC 2 compliance journey. You can download it at the link below.
3 Tips To Help You Prep for a SOC 2 Audit
Below we outline a few steps to tackle before you undergo the formal SOC 2 audit.
1. Build a Compliance Team
Before diving into the audit process, ensure you have a solid compliance team in place. This team will comprise a mix of technical roles (engineers, IT specialists) and non-technical roles (HR specialists, administrative staff).
Compliance lead: You can assign this role to a CISO, CTO, or IT department manager. The key is to tap someone who can speak to your current security processes and will be able to serve as a liaison between your team and the SOC 2 auditor.
IT and security personnel: These team members will be charged with providing your organization's security and carrying out incident responses.
Legal team: You’ll also want to loop in members of your legal team to help you draft documentation and contracts and communicate with vendors as needed.
HR and administrative staff: Since these team members grant employees access to sensitive data via access keys and login credentials, you’ll be working closely with them to document their processes and identify any security concerns. They can also help with the development and distribution of security policies.
2. Avoid the Check-the-Box Mentality
It can be easy to treat SOC 2 like a series of steps to be checked off in order to achieve compliance. While a checklist like the one we’ve outlined above can be helpful in achieving SOC 2 compliance, this can lead some companies to think of compliance as a one-and-done event rather than something to continuously maintain.
Instead of looking at SOC 2 as the extent of your security program, view it as a baseline upon which you can tailor processes to not only meet SOC 2 requirements, but further fortify them when possible. For example, you might invest in a newer ransomware protection software or implement passwordless authentication to further improve your access management.
3. Build Out Your Security Tech Stack
To comply with SOC 2 requirements, you’ll need to invest in a few tools (if you haven’t already). Keep in mind that the types of tools and the features required will vary depending on your industry and the TSC you’re measuring against.
Below are a few general tools you’ll likely need to add to your tech stack:
Password manager
Web app firewall
Vulnerability scanner
Background check provider
Look for tools that integrate well with your current tools, work within your budget, and feature easy-to-use dashboards to improve company-wide adoption.
How Drata Can Help You Streamline Your SOC 2 Compliance
As you can see, preparing for a SOC 2 audit requires quite a bit of work on your part. Knocking out these crucial steps will set you up for success during the audit process and help improve your chances of achieving a clean SOC 2 report.
Keep Reading
Take Your Learning Further
Discover research, playbooks, checklists, and other resources on SOC 2 compliance.
