SOC 2 Compliance Checklist: 9 Steps to Take Before Your Audit


by Troy Fine

April 06, 2022
This easy-to-follow SOC 2 compliance checklist will help your organization prepare for and maximize the chance of passing an audit.

A System and Organization Controls 2 (SOC 2) audit is an in-depth examination of your organization’s processes, systems, and controls as they relate to security, availability, confidentiality, processing integrity, and privacy. Do you know how to prepare for it?

It may seem overwhelming, but it doesn’t have to be. We’ve created this easy-to-follow checklist to help you start your journey to SOC 2 compliance.

Reasons You May Need a SOC 2 Report

There’s a variety of reasons why your organization may need a SOC 2 report. Here’s a closer look at some of the most common ones.

You’re a Software Provider That Handles Sensitive Information

Cybersecurity concerns are top-of-mind for organizations. Global cybercrime costs are expected to grow by 15% per year over the next five years—reaching $10.5 trillion annually by 2025. With that in mind, it’s more important than ever for your enterprise customers to ensure that their information will be secure when using your services.

Therefore, having a SOC 2 report will not only help build trust with your customers but could potentially be used as a sales tool and ease a prospect’s decision of choosing your product.

An Increase in Outsourcing

As outsourcing rises in popularity, the number of organizations asking about SOC 2 compliance is rising as well. To be a trusted vendor for your industry, it’s in your best interest to pursue this attestation. 

Uncovering Value

A SOC 2 report provides valuable insights into your organization’s risk. This has the potential to help you avoid the costs associated with a breach. It also gives you a competitive advantage over companies that choose not to take this step and can’t prove compliance. 

SOC 2 Audit Checklist

What goes into the preparation and execution of a SOC 2 audit? These are the steps you can expect to take and more details about what to do during each part of the process. 

  1. Determine if a Type 1 is Necessary

  2. Determine Your Scope

  3. Communicate Process Internally

  4. Perform a Gap Assessment

  5. Remediate Control Gaps

  6. Update Your Customers and Prospects 

  7. Monitor and Maintain Controls

  8. Find an Auditor

  9. Provide Requested Evidence to Auditor

1. Determine if a Type 1 is Necessary

To get started with SOC 2, the first step is to determine if you would like an auditor to perform a SOC 2 Type 1 audit prior to the auditor performing a more rigorous SOC 2 Type 2 audit. 

When performing a SOC 2 Type 1 audit, auditors review policies, procedures, and control evidence to determine if controls are suitably designed to meet the applicable SOC 2 criteria. The audit covers a point-in-time and the resulting report will state whether or not controls were suitably designed as of a specific date. 

When performing a SOC 2 Type 2 audit, auditors perform a more rigorous audit. In addition to determining if controls were suitably designed, they will also review evidence to determine that controls were operating effectively over a period of time to meet the applicable SOC 2 criteria.

Because of the nature of a Type 1 versus a Type 2, organizations typically will engage an auditor to perform a Type 1 audit prior to a Type 2 audit. However, Type 1 audits do not need to be performed prior to completing a Type 2—organizations can choose to undergo a Type 2 audit without ever undergoing a Type 1 audit.

Customers will typically accept a Type 1 report for their vendors undergoing a SOC 2 audit for the first time, but they will more than likely expect a Type 2 report moving forward.  

2. Determine Your Scope

SOC 2 audits cover a system, which includes the following components as defined by the AICPA’s attestation standards: infrastructure, data, procedures, software, and people. As part of scoping, you will need to determine which of these system components are in scope.

Beyond that, you’ll also need to determine which Trust Services Categories to include.

The Trust Services Categories are:

Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

Availability: Information and systems are available for operation and used to meet the entity’s objectives.

Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.

Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

You don’t have to include all five Trust Services Categories. Security is the only mandatory category; however, Availability and Confidentiality are frequently included as well.

3. Communicate Process Internally

Throughout your SOC 2 audit planning process, it is imperative to communicate internally with key players.

Your organization’s executive management and department leaders (Human Resources, Engineering, DevOps, Security, IT, etc.) will be responsible for participating in implementing controls and providing evidence to the auditor. Explaining the who, what, when, where, why, and how of the audit will be crucial to preparing employees for their obligations. 

4. Perform a Gap Assessment

One of the first steps on your SOC 2 journey will be to perform a gap assessment. Look at your existing procedures, policies, and controls to help better understand your current security posture and which controls you still need to implement to meet the applicable criteria of the Trust Services Categories.

5. Remediate Control Gaps 

Once your gap assessment has been completed, it can take time to remediate and ensure that SOC 2 control mandates are being achieved. You will need to spend time with your teams reviewing policies, formalizing procedures, making necessary alterations to software, and any additional steps like integrating new tools and workflows. This will allow you to take the steps necessary to close gaps before the audit takes place.

6. Update Your Customers and Prospects

In the spirit of transparency and building trust, discuss with your team a few ways to promote your security practices with customers and prospects. Although you don’t have to announce that you’re pursuing SOC 2, you can still outline the processes you have in place to keep their data safe.

On your website or social media, consider outlining a high-level overview of: 

  • Any continuous security control monitoring you have in place. 

  • Employee training. 

  • Penetration testing you’ve conducted.

  • Data encryption procedures. 

7. Monitor and Maintain Controls

Now that you’ve made remediations and added controls to reach SOC 2 compliance, establish processes that help you and your team continuously monitor and maintain those controls. If you haven’t already, implement a tool that can automate control monitoring and evidence collection. 

8. Find an Auditor

Before you begin looking for an audit firm, it’s important to determine what you’re looking for in an auditor. The right auditor can do much more than conduct your audit—they can help you understand and improve your compliance programs, streamline the process, and ultimately achieve a clean SOC 2 report.

Look for someone who: 

  • Answers your questions intelligently and in a way your team understands.

  • Understands your industry.

  • Collaborates well with you and your team.

  • Has good references.

For more tips, head to our article on how to find the right auditor.

9. Provide Requested Evidence to Auditor

At this stage, you’re ready to begin the audit process. Once you provide all the necessary information to your auditor, they will review evidence for each in-scope control, verify information, schedule any walkthroughs, and provide you with the final report.

To get an in-depth look at the entire audit process, read our article on what your organization can expect from start to finish during a SOC 2 audit.

If you’re ready to put your journey to SOC 2 on autopilot, schedule a call with our team to see how.


Troy Fine
Director of Risk & Compliance