The SOC 2 Requirements Checklist
Obtaining a System and Organization Controls (SOC) 2 report is one of the most common ways for cloud-based and hybrid service organizations to demonstrate to customers that the controls protecting their services are designed and operating effectively.
Issued by an independent CPA firm, a SOC 2 report gives customers, partners, and stakeholders a closer look at the internal controls you have established to keep your services secure and available, and states whether those controls are suitably designed, implemented, and (in a Type 2 report) operating effectively against the AICPA's Trust Services Criteria. In practice, many prospects will require a SOC 2 report before they sign a contract; because SOC 2 reports are restricted-use documents, expect to share them under NDA. But where do you start?
Trust Services Criteria
All SOC 2 examinations are performed under the AICPA's attestation standards (SSAE 18) and evaluate controls against the Trust Services Criteria published by the American Institute of Certified Public Accountants (AICPA). The examination must be performed by a licensed CPA firm, but that firm does not have to be located in the U.S.
The Trust Services Criteria are divided into five categories, which vary widely in scope. You’ll work with your auditor to select one or a combination of these categories to include in your SOC 2 report:
1. Security
Required for all SOC 2 reports, this category examines how your information and systems are protected against unauthorized access, unauthorized disclosure, and damage that could compromise availability, integrity, confidentiality, or privacy. Its criteria are also known as the "common criteria" (CC series) because every other category builds on them. Auditors will take a close look at logical and physical access controls, change management, risk assessment, monitoring (for example firewall configurations and intrusion detection), and incident response to assess whether adequate measures are in place to prevent and detect system failure, theft, or other unauthorized data removal.
Unlike security, the next four categories of Trust Services Criteria are not required to be included in a SOC 2 report, but may help paint a clearer picture of the steps you’ve taken to ensure your organization’s services are provided safely and reliably:
2. Availability
This category of Trust Services Criteria examines controls established to ensure an organization’s information and systems remain accessible and available for use as agreed. Auditors will assess controls related to network performance, incident handling, and disaster recovery plans.
If customers ask about your availability commitments, downtime service-level agreements, or uptime guarantees, this category is useful to include in your SOC 2 report.
3. Processing Integrity
Controls related to system processing and data validation fall under Processing Integrity. If your customers rely on you for data processing—for example, if your company offers a payment system—you may want to include this category in your SOC 2 report. Auditors will report on whether system processing is complete, valid, accurate, timely, and authorized to meet your organization’s objectives.
4. Confidentiality
Organizations that want to demonstrate that the controls governing information designated as confidential (for example customer business data, contracts, or intellectual property) are designed and operating effectively should include this category of Trust Services Criteria in their SOC 2 report. It is also a good idea to include this category if your customers:
Have private information stored within your systems;
Require non-disclosure agreements (NDAs) during the course of business; or,
Expect you to delete their data when their contract ends.
Auditors will examine encryption, access controls, and confidentiality policies to assess whether confidential information is protected as agreed.
5. Privacy
The final category of Trust Services Criteria examines whether personal information is collected, used, retained, disclosed, and disposed of in accordance with your privacy notice and objectives. Unlike Confidentiality, which can cover any information designated as confidential, Privacy applies specifically to personal information. Among other things, this category covers notice and consent, access controls over personal information, data subject rights, and how you have communicated your privacy commitments.
If your organization collects and stores data from customers, like financial account details and personal health information, this category might be a good fit to include in your SOC 2 report.
With so many moving parts, the SOC 2 examination process can get complicated. Simplify it with our SOC 2 requirements checklist. Download now.
Preparing for Your Audit
Now that you have a better understanding of SOC 2 requirements, the next step is selecting a licensed CPA firm to conduct the examination. Before the audit itself, a pre-audit readiness review helps you gather the necessary documentation and identify gaps. Note that the firm issuing the opinion must remain independent, so it can tell you what evidence it needs and whether a control description is accurate, but it cannot design or implement your controls for you; many organizations use a separate advisory team for remediation. A readiness review may include:
Drafting your system description, which provides an overview of your organization’s operations and control environment;
Reviewing control wording and modifying controls as needed to ensure they paint an accurate picture of your organization's processes and procedures; and,
Responding to information requests so your auditor can gain a better understanding of your control environment.
Throughout this process, your auditor can also help your team determine which SOC 2 Trust Services Criteria are relevant to your organization and what period of time should be covered by the audit.
Typically, the review period for a SOC 2 Type 2 examination spans six to 12 months, during which the auditor tests whether controls operated effectively throughout the period. Organizations pursuing SOC 2 for the first time often start with a SOC 2 Type 1 report, which examines whether controls are suitably designed and implemented at a single point in time rather than over a period of months.
A Type 1 report says nothing about operating effectiveness, so sophisticated customers will usually ask when your Type 2 is coming; even so, a Type 1 is a valuable stepping stone to the more comprehensive SOC 2 Type 2.
After the Audit
Upon the completion of their examination, your auditor will issue your SOC 2 report, which will be divided into up to five distinct sections:
Section 1: Independent Service Auditor's Report. This section contains the auditor's opinion on whether your system description is fairly presented, your controls are suitably designed, and (for a Type 2) your controls operated effectively over the review period. An unqualified opinion is the "clean" result. Individual test exceptions are listed in Section 4 and do not automatically change the opinion; the auditor issues a qualified (or, in severe cases, adverse) opinion only when the deficiencies are significant enough that one or more criteria are not met.
Section 2: Management's Assertion. In this section, you affirm that the system description is accurate and that you designed and implemented the controls as described.
Section 3: System Description. This section provides a comprehensive overview of your organization's services and the system that delivers them (infrastructure, software, people, procedures, and data), the controls you have put in place, and any subservice organizations you rely on (such as a cloud provider) and complementary user entity controls your customers are expected to operate. Management always writes this section, since it is management's description; the auditor opines on it but cannot author it.
Section 4: Trust Services Criteria, Controls, and Tests. The most detailed section of a SOC 2 report, this section lists each applicable criterion, the controls that address it, and, in a Type 2, the auditor's tests and their results, including any exceptions. A Type 1 lists the criteria and controls but contains no tests of operating effectiveness.
Section 5: Other Information. This section is optional and unaudited. Management may use it to provide additional context, for example responses to exceptions noted in Section 4.
Once you have reviewed the results of your latest SOC 2 examination, remediate any exceptions or deficiencies that were identified and develop a plan to maintain continuous compliance. Customers generally expect a fresh report every year, so treat the audit as an annual cycle supported by ongoing evidence collection and control monitoring rather than a one-time project.
The Bottom Line
Completing a SOC 2 examination helps you demonstrate to current and potential customers that your organization prioritizes cybersecurity and is taking actionable steps to maintain a strong security posture. But jumping into a SOC 2 without a plan is like leaving for a road trip without a map.
Following along with our SOC 2 compliance checklist Excel download will set your organization up for success during the audit and help you stay on course from start to finish.
Get started now by downloading our SOC 2 requirements checklist template.
Ready to dive into your SOC 2 exam? Book a demo today to learn how Audora bridges gaps to create a more streamlined experience for both you and your auditor.