SOC 2 Compliance Checklist: A Step-By-Step Guide (+ Best Practices)
This easy-to-follow SOC 2 compliance checklist will help your organization prepare for and maximize the chance of passing an audit.
For companies that handle sensitive data, earning and maintaining customer trust hinges on one thing: strong security practices. While not a mandatory requirement, System and Organization Control 2 (SOC 2) compliance has quickly become a gold standard in data security.
Unfortunately, you can’t get a SOC 2 badge from a cereal box. Compliance is verified through a rigorous third-party audit, where an independent assessor evaluates whether your organization’s security controls meet the criteria defined by the American Institute of Certified Public Accountants (AICPA).
The end result is a detailed report that attests to the effectiveness of your security practices—giving your customers and partners confidence that you’re protecting their data, and you, a hard-earned badge to brag about.
It may seem overwhelming, but it doesn’t have to be. We’ve created this easy-to-follow checklist to help you start your journey to SOC 2 compliance.
SOC 2 compliance is a strategic investment in your organization’s credibility, security, and growth. Let’s break down its impact further.
Customers are more cautious than ever about how their data is handled. McKinsey speaks of a “privacy imperative,” after one survey revealed that 87% of customers would not do business with a company if they had concerns about its security practices. Organizations are catching up fast to meet expectations, with some increasing privacy budgets to the tune of $2.7 million in 2022.
SOC 2 compliance is one piece of the larger trust equation. It requires stringent controls that, if implemented, send a clear message to your customers: we take data protection seriously.
With data breaches making headlines on the regular, being SOC 2 compliant positions your organization as a trustworthy partner.
Unlike HIPAA or GDPR, SOC 2 isn’t a legal compliance requirement, but that’s what makes it so impactful. A SOC 2 badge is actual, tangible proof that your organization has gone above and beyond to implement and validate its security controls, even when it’s not mandated by law.
When prospects are choosing between multiple options, SOC 2 compliance can very well be the credential that tips the scales in your favor—one that sets your business apart as a safer, more reliable choice.
If the differentiator argument isn’t enough to sway you, consider what happens without it. In highly regulated industries like finance and healthcare, SOC 2 isn’t just a point in your favor. Often, its lack will be a deal breaker that disqualifies you from lucrative contracts with clients that demand strong security assurances as a baseline.
On the other hand, SOC 2 shows potential partners that your organization meets the rigorous compliance standards necessary to handle sensitive data. It unlocks new markets and larger opportunities that would otherwise be out of reach completely.
The reality is that a single data breach can have devastating consequences, from financial losses to reputational damage and legal liabilities. SOC 2 compliance is one of the ways your organization steers clear of these dreaded scenarios.
SOC 2 controls are the difference between reactivity and proactivity. Rather than scrambling to respond to security incidents, they equip you to identify, assess, and mitigate risks before they escalate to full-blown catastrophes.
Along with minimizing vulnerabilities, SOC 2 compliance builds a security foundation that supports business continuity even as new threats emerge.
When preparing for a SOC 2 audit, one of the first things you’ll need to determine is which Trust Services Criteria (TSC) are relevant for your organization. The TSC, defined by AICPA, set the standard for the controls you need to manage risk and protect your organization’s data.
There are five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Every SOC 2 audit must include Security, but the other criteria can be added based on the specific needs of your business and your customers’ expectations.
Security, the only mandatory criterion, focuses on protecting systems and information from unauthorized access, disclosure, and damage. Security controls are designed to ensure the availability, integrity, and confidentiality of your data.
In 2013, the Committee of Sponsoring Organizations (COSO) introduced a framework consisting of nine control areas, known as the common criteria or CC series:
CC1 - Control environment: Involves setting the tone for security within an organization by defining security roles, responsibilities, and policies
CC2 - Information and communication: Requires that relevant information about security policies and incidents is communicated clearly across the organization
CC3 - Risk assessment: Requires the implementation of a structured process to identify, analyze, and respond to security risks that could impact the organization’s objectives
CC4 - Monitoring: Involves regularly monitoring and evaluating the performance of security controls to identify any gaps or issues
CC5 - Control activities: Entails the development of specific procedures, such as access management and system configurations, to mitigate identified security risks
CC6 - Logical and physical access: Requires organizations to restrict access to systems and data based on user roles and responsibilities, so that only authorized personnel can access sensitive information both logically (via software and networks) and physically (via secure facilities)
CC7 - System operations: Focuses on verifying that systems are operating as intended, including the management of daily operations, incident response, and maintaining the availability and integrity of systems and data
CC8 - Change management: Involves controlling how changes to systems, applications, and infrastructure are implemented, so that they don't introduce new security risks or affect system performance
CC9 - Risk mitigation: Entails establishing processes and safeguards to reduce the impact of security risks that have been identified, as well as planning for and responding to security incidents effectively
This framework guides organizations in designing and assessing their internal controls. Of the nine criteria, the first five are essential for establishing a strong security posture.
Availability ensures your systems are operational and accessible as agreed upon in service-level agreements (SLAs). It focuses on maintaining system uptime and minimizing downtime.
While not mandatory, including Availability in your SOC 2 scope signals to customers that you prioritize keeping your systems reliable and that you have plans in place to handle disruptions.
It’s broken down into three criteria:
A1.1 - Involves continuously monitoring and evaluating current system capacity—including infrastructure, data, and software—so the organization can anticipate demand and scale effectively
A1.2 - Covers the design, implementation, and ongoing management of environmental protections, backup processes, and recovery systems to maintain availability under normal conditions and during unexpected events
A1.3 - Ensures regular testing of recovery procedures to verify that system restoration and data recovery processes work as intended and meet availability requirements
Processing Integrity means that your system processes data in a way that’s complete, accurate, and timely. This is an important principle if your business involves high-volume transactions, automated data processing, or complex data management.
The five Processing Integrity controls are:
PI1.1 - Establishes clear definitions and specifications for data and systems to support the accurate use and delivery of products and services.
PI1.2 - Requires policies and procedures that ensure all data inputs are complete, accurate, and meet defined integrity objectives.
PI1.3 - Ensures processing activities are well-defined, controlled, and monitored to maintain data integrity and correct any errors promptly.
PI1.4 - Mandates safeguards that ensure data outputs are complete, accurate, delivered securely, and only to authorized parties.
PI1.5 - Focuses on protecting stored data and maintaining accurate records of all inputs, processes, and outputs within the system.
The Confidentiality criterion protects sensitive data from unauthorized access or disclosure. This applies to any information classified as confidential—whether it’s trade secrets, financial information, or client data.
The Confidentiality subcriteria establish how to manage and protect confidential data:
C1.1 - Requires identifying and classifying confidential information to apply appropriate protections, with clear accountability for managing and safeguarding the data
C1.2 - Mandates controls that protect confidential information throughout its lifecycle, including access restrictions, encryption, secure transmission, monitoring, and secure disposal
The Privacy criterion is about protecting personal data according to your organization’s policies and applicable regulations like GDPR and CCPA.
There are several privacy controls, organized into eight categories:
Notice - Organizations must provide clear privacy notices to individuals, informing them how their personal data will be collected, used, and stored.
Choice and consent - Individuals must be given options regarding how their data will be used, and their consent must be obtained.
Collection - Only data necessary for the stated purposes should be collected, and organizations must ensure it is gathered lawfully.
Use, retention, and disposal - Personal data should only be used for its intended purpose, retained for as long as necessary, and disposed of securely when no longer needed.
Access - Individuals must be able to access and correct their personal data, and organizations must authenticate users before granting access.
Disclosure and notification - Organizations must control how personal data is shared with third parties and notify affected individuals in case of breaches.
Quality - Data must be relevant, accurate, and up-to-date for its intended use.
Monitoring and enforcement - Mechanisms must be in place to monitor compliance with privacy controls, handle complaints, and address issues.
What goes into the preparation and execution of a SOC 2 audit? These are the steps you can expect to take and more details about what to do during each part of the process:
Determine if a Type 1 is Necessary
Evaluate Your Scope
Communicate Processes Internally
Perform a Gap Assessment
Remediate Control Gaps
Update Your Customers and Prospects
Monitor and Maintain Controls
Find an Auditor
Undergo the SOC 2 Audit
To get started with SOC 2, the first step is to determine if you would like the auditor to perform a SOC 2 Type 1 audit prior to performing a more rigorous SOC 2 Type 2 audit.
When performing a SOC 2 Type 1 audit, auditors review policies, procedures, and control evidence to determine if controls are suitably designed to meet the applicable SOC 2 criteria. The Type 1 audit covers a point in time and the resulting report will state whether or not controls were suitably designed as of a specific date.
A SOC 2 Type 2 audit is much more rigorous. In addition to determining if controls were suitably designed, auditors will also review evidence to determine that controls were operating effectively over a period of time to meet the applicable SOC 2 criteria.
Because of the nature of Type 1 versus Type 2 audits, organizations will typically engage an auditor to perform a Type 1 audit prior to a Type 2 audit. However, Type 1 audits do not need to be performed prior to completing a Type 2—organizations can choose to undergo a Type 2 audit without ever undergoing a Type 1 audit.
Customers will typically accept a Type 1 report for their vendors undergoing a SOC 2 audit for the first time, but they will more than likely expect a Type 2 report moving forward.
SOC 2 audits evaluate the effectiveness of your organization’s security controls across the following components: infrastructure, data, procedures, software, and people. The first step is to define which system components are in scope.
You’ll also need to decide which Trust Services Criteria (TSC) to include in your audit. As discussed earlier, Security is mandatory for all SOC 2 audits, but the other criteria—Confidentiality, Availability, Processing Integrity, and Privacy—should be selected based on the nature of your business and customer expectations. For example:
Include Availability if your customers rely on your systems or services to be accessible around the clock (e.g., SaaS platforms or cloud service providers).
Include Processing Integrity if your systems are responsible for processing transactions or data where accuracy and authorization are critical (e.g., payment processing systems).
Include Privacy if your business collects and manages personally identifiable information (e.g., healthcare or HR data).
Communicating internally with key players is imperative throughout your SOC 2 audit planning process. Your organization’s executive management and department leaders (human resources, engineering, DevOps, security, IT, etc.) will be responsible for implementing your SOC 2 controls and providing evidence to the auditor.
Explaining the who, what, when, where, why, and how of the audit is crucial to preparing employees for their obligations.
One of the first steps on your SOC 2 journey will be to perform a gap assessment, also known as a readiness assessment. Look at your existing procedures, policies, and controls to help better understand your current security posture and which controls you still need to implement to meet the applicable criteria of the Trust Services Criteria.
Once your gap assessment has been completed, it can take time to remediate and ensure SOC 2 control mandates are being achieved.
You will need to work with your team to:
Review policies.
Formalize procedures.
Make necessary alterations to software.
Address any additional steps like integrating new tools and workflows.
This will allow you to close gaps before the audit takes place.
In the spirit of transparency and building trust, discuss with your team a few ways to promote your security practices with customers and prospects. Although you don’t have to announce that you’re pursuing SOC 2, you can still outline the processes you have in place to keep their data safe.
On your website, social media, or Trust Center, consider outlining a high-level overview of:
Any continuous security control monitoring you have in place.
Employee training.
Penetration testing you’ve conducted.
Data encryption procedures.
Now that you’ve made remediations and added controls to reach SOC 2 compliance, establish processes that help you and your team continuously monitor and maintain those controls. If you haven’t already, implement a tool that can automate control monitoring and evidence collection.
Before you begin looking for an audit firm, it’s important to determine what you’re looking for in an auditor. The right auditor can do much more than conduct your audit—they can help you understand and improve your compliance programs, streamline the process, and ultimately achieve a clean SOC 2 audit report.
Look for someone who:
Answers your questions intelligently and in a way your team understands.
Understands your industry.
Collaborates well with you and your team and has strong references.
For more tips, head to our article on how to find the right auditor.
At this stage, you’re ready to begin the audit process. Once you provide all the necessary information to your auditor, they will review evidence for each in-scope control, verify information, schedule walkthroughs, and provide you with the final audit report.
We’ve created a helpful SOC 2 checklist PDF to reference as you begin the SOC 2 compliance journey. You can download it at the link below.
Below we outline a few steps to tackle before you undergo the formal SOC 2 audit.
Before diving into the audit process, ensure you have a solid compliance team in place. This team will comprise a mix of technical roles (engineers, IT specialists) and non-technical roles (HR specialists, administrative staff).
Compliance lead: You can assign this role to a CISO, CTO, or IT department manager. The key is to tap someone who can speak to your current security processes and will be able to serve as a liaison between your team and the SOC 2 auditor.
IT and security personnel: These team members will be charged with providing your organization's security and carrying out incident responses.
Legal team: You’ll also want to loop in members of your legal team to help you draft documentation and contracts and communicate with vendors as needed.
HR and administrative staff: Since these team members grant employees access to sensitive data via access keys and login credentials, you’ll be working closely with them to document their processes and identify any security concerns. They can also help with the development and distribution of security policies.
It can be easy to treat SOC 2 like a series of steps to be checked off in order to achieve compliance. While a checklist like the one we’ve outlined above can be helpful in achieving SOC 2 compliance, this can lead some companies to think of compliance as a one-and-done event rather than something to continuously maintain.
Instead of looking at SOC 2 as the extent of your security program, view it as a baseline upon which you can tailor processes to not only meet SOC 2 requirements, but further fortify them when possible. For example, you might invest in a newer ransomware protection software or implement passwordless authentication to further improve your access management.
To comply with SOC 2 requirements, you’ll need to invest in a few tools (if you haven’t already). Keep in mind that the types of tools and the features required will vary depending on your industry and the TSC you’re measuring against.
Below are a few general tools you’ll likely need to add to your tech stack:
Password manager
Web app firewall
Vulnerability scanner
Background check provider
Look for tools that integrate well with your current tools, work within your budget, and feature easy-to-use dashboards to improve company-wide adoption.
As you can see, preparing for a SOC 2 audit requires quite a bit of work on your part. Knocking out these crucial steps will set you up for success during the audit process and help improve your chances of achieving a clean SOC 2 report.
Still have lingering questions about SOC 2 compliance? Below we answer some of the most common queries.
Organizations that store, process, or manage customer data often need SOC 2 compliance. It’s especially important for SaaS companies, cloud providers, and technology firms that handle sensitive or regulated information.
SOC 2 proves your organization’s commitment to security and assures clients that you have strong controls in place to protect their data. Even if it’s not legally required, many companies pursue SOC 2 to build trust and meet customer demands.
The SOC 2 compliance process consists of nine steps to prepare your organization for the audit:
Determine if a Type 1 is necessary: Decide whether to start with a SOC 2 Type 1 audit, which assesses controls at a single point in time, or go directly to a Type 2, which reviews controls over a period.
Determine your scope: Identify which Trust Services Criteria (TSC) to include and outline the in-scope system components, such as infrastructure, data, procedures, software, and people.
Communicate processes internally: Make sure all key stakeholders understand the scope, objectives, and their roles throughout the compliance process.
Perform a gap assessment: Review your current controls against SOC 2 requirements to identify where you fall short.
Remediate control gaps: Implement missing controls, update policies, and formalize procedures to meet SOC 2 standards.
Update your customers and prospects: Highlight the measures you have in place to keep their data safe.
Monitor and maintain controls: Establish continuous monitoring processes to ensure that your controls are operating effectively and remain aligned with SOC 2 requirements.
Find an auditor: Select a qualified auditor who understands your industry and can guide you through the audit process.
Undergo the SOC 2 audit: Provide documentation for each control, participate in walkthroughs, and respond to any questions from the auditor to finalize the audit.
The main differences between SOC 2 Type 1 and Type 2 are timing and scope. A SOC 2 Type 1 report evaluates whether your controls are suitably designed to meet the applicable Trust Services Criteria at a specific point in time.
In contrast, a SOC 2 Type 2 report tests whether those controls are operating effectively over a period of time (typically three to 12 months). Because SOC 2 Type 2 compliance requires ongoing evidence and monitoring, it’s more comprehensive and is often considered the gold standard for demonstrating compliance.
The timeline for SOC 2 compliance depends on your organization’s readiness and the type of audit you’re pursuing. A SOC 2 Type 1 audit can take up to six months.
A SOC 2 Type 2 audit can take anywhere from three to 12 months to complete. The process can be faster if you already have mature controls in place or are using compliance automation tools to streamline evidence collection and monitoring.
The Trust Services Criteria (TSC), as defined by AICPA, are the five key areas used to evaluate SOC 2 compliance: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Each criterion outlines specific controls needed to safeguard systems and data.
Organizations choose which criteria to include based on their services and customer needs, with Security always being a requirement.