
The Top 14 Security Policies Your Company Needs for SOC 2

Adam Markowitz – February 9, 2020

During a SOC 2 examination, an auditor verifies that your company has documented policies and procedures covering its information security (“infosec”) program, and that the controls those policies require are actually in place.

If your company has never been through a SOC 2 audit, it may not be clear which policies need to be in place before the audit begins. Drata has compiled the following list of the top 14 policies you’ll need, all of which are built into its SOC 2 compliance automation platform.

Why Do We Need SOC 2?

A SOC 2 report gives your customers independent assurance that the controls safeguarding their data are designed appropriately and operating as intended. There are other benefits to obtaining your SOC 2 report as well:

  • Customer Demand
    Without SOC 2, you could lose existing business and lose or delay new business. Protecting customer data is top of mind for your clients, and many enterprise procurement and vendor-risk teams require a SOC 2 report before signing.
  • Competitive Advantage
    Trust is an asset. Providing a SOC 2 report that your competitors can’t gives you the edge and enhances your reputation as a trustworthy vendor.
  • Cost Effectiveness
    It is cheaper the earlier you start. Winning more deals faster later is worth the cost now. The average data breach in 2018 cost $3.86M.
  • Regulatory Compliance
    Many SOC 2 controls overlap with those required by other frameworks such as PCI DSS and HIPAA, so attaining SOC 2 speeds up overall compliance with them.
  • Valuable Insights
    Gain insight into your risk and security posture, vendor management, internal governance and regulatory oversight.
  • Peace of Mind
    Assurance that your systems have controls in place to be secure and available gives your customers, partners, and YOU better peace of mind.

How Do We Prove We’re Following Our Policies?

Your company’s security policies define the requirements, processes, and procedures established to ensure specific controls are in place to secure company assets and information. These controls span a wide array of functions and tools across your company, from personnel operations and HR to your cloud infrastructure provider. During a SOC 2 examination, your company must prove the operating effectiveness of these controls by providing the auditor with evidence collected throughout the audit period (a Type I report assesses control design at a point in time; a Type II report tests operating effectiveness over the audit period, typically six to twelve months). How that evidence is collected is a question many companies struggle with today, as they manually capture screenshots and enter data into spreadsheets.

Drata was built from the ground up to streamline and automate the monitoring and evidence collection of your company’s security controls. The automation is powered by deep integrations with your technology stack, from infrastructure providers to HRIS. Whether you’re pursuing SOC 2 for the first time or are already the proud holder of a clean SOC 2 report, Drata can save your company hundreds of engineering hours per year in achieving continuous SOC 2 compliance, keeping your organization audit-ready every day of the year.

I've been doing this a long time. Drata is the slickest way of achieving SOC 2 that I've ever seen!

Michael Murray - CEO, Scope Security
