SOC 2 Checklist

It can be challenging to understand what comes first when starting the SOC 2 process. Businesses implement and maintain SOC 2 in a variety of ways. We broke down the basic process to tackle SOC 2 compliance into a checklist below.

Objectives and Trust Service Criteria

1. Choose objectives and TSCs

The first action item on your SOC 2 checklist involves the purpose of your SOC 2. Before diving into controls, an organization will need to determine the objective of their SOC 2 report and choose relevant TSCs.

There are two types of SOC 2 reports, Type 1 and Type 2. Businesses typically start with a Type 1 and build up to a Type 2. We recommend this order for our own clients.

How do you determine which trust services principles to test for?

The type of information and data stored or transmitted by a business should determine the applicable TSCs.

SOC 2 encompasses 5 TSCs:

  • Security
  • Privacy
  • Processing Integrity
  • Confidentiality
  • Availability

The only required criteria is security.

For more information on Trust Service Criteria, click here.

Gap Analysis and Remediation

2. Perform a gap analysis and develop a remediation plan

A compliance team examines the practices and procedures a business has in place and compares the security posture to SOC 2 best practices to identify gaps. Based on the gaps found, a strategic remediation plan is set to tackle SOC 2 in the most efficient way possible.

Take a look behind the curtain at our own SOC 2 gap analysis and remediation plan here.

Controls Implementation

3. Implement stage-appropriate controls

The controls needed for a big corporation to demonstrate SOC 2 compliance are drastically different from those needed by a startup. From logging and monitoring to HR tasks and vendor management, a compliance team can identify ways to save time and money by implementing the correct tools and processes.

Risk Assessment

4. Perform a risk assessment

When control implementation is about 80% complete, the compliance team performs a risk assessment. As a crucial part of the audit, the risk assessment understands any potential risks an organization incurs through growth, geography, or outside information security best practices.

Audit Prep

5. Preparing for audit

After the risk assessment mitigation and acceptance process, the business needs to prepare for an audit.

How do you prepare for a SOC 2 audit?

While this means gathering evidence of implemented controls, it also means preparing an internal team to answer questions and work with auditors throughout the audit process.

How do you determine your company’s readiness for a SOC 2 audit?

When all the evidence has been collected and compiled for auditors and risk has been assessed and accepted, the organization is ready for audit.


6. Execute the audit

SOC 2 audits can last between 2 weeks and a couple of months, depending on the number of questions or corrections from the auditors. Though businesses cannot technically fail a SOC 2 report, many will want to correct discrepancies to avoid a poor report.

Compliance Maintenance

7. Maintain compliance over a 12-month period

Last point on the checklist: maintenance.

SOC 2 audits need to be performed on an annual basis. We recommend that our clients set up integrations to automatically collect evidence and monitor practices over time. This can help to avoid heavy time commitments from team members and continue to secure information.

Enterprise-ready compliance
that never slows you down