1. Choose objectives and TSCs
The first action item on your SOC 2 checklist involves the purpose of your SOC 2. Before diving into controls, an organization needs to determine the objective of their SOC 2 report and choose relevant TSCs.
There are two types of SOC 2 reports, Type 1 and Type 2. Businesses typically start with a Type 1 and build up to a Type 2. We recommend this order for our own clients.
How do you determine which trust services principles to test for?
The type of information and data stored or transmitted by a business should determine the applicable TSCs. SOC 2 encompasses 5 TSCs:
- Processing Integrity
The only required criteria is security. For more information on Trust Service Criteria, click here.
2. Perform a gap analysis and develop a remediation plan
A compliance team examines the practices and procedures a business has in place and compares the security posture to SOC 2 best practices to identify gaps. Based on the gaps found, a strategic remediation plan is set to tackle SOC 2 in the most efficient way possible. Take a look behind the curtain at our own SOC 2 gap analysis and remediation plan here.
3. Implement stage-appropriate controls
Enterprises need drastically different controls to demonstrate SOC 2 compared to startups. From logging and monitoring to HR tasks and vendor management, a compliance team can identify ways to save time and money by implementing the correct tools and processes.
4. Perform a risk assessment
When control implementation is about 80% complete, the compliance team performs a risk assessment. As a crucial part of the audit, the risk assessment understands any potential risks an organization incurs through growth, geography, or outside information security best practices.
5. Preparing for an audit
After the risk assessment mitigation and acceptance process, the business needs to prepare for an audit.
How do you prepare for a SOC 2 audit? While this means gathering evidence of implemented controls, it also means preparing an internal team to answer questions and work with auditors throughout the audit process.
How do you determine your company’s readiness for a SOC 2 audit? After your team collects and compiles evidence for auditors and assesses and accepts risk, the organization is ready for audit.
6. Execute the audit
SOC 2 audits last between 2 weeks and a couple of months. This depends on the number of questions or corrections from the auditors. Though businesses cannot technically fail a SOC 2 report, many will want to correct discrepancies to avoid a poor report.
7. Maintain and monitor compliance over a 12-month period
SOC 2 audits need to be performed on an annual basis. We recommend that our clients set up integrations to automatically collect evidence and monitor practices over time. This helps avoid heavy time commitments from team members and continues to secure information.