The SOC 2 Checklist: it's time to kickstart your compliance journey
It can be challenging to understand the first steps when starting the SOC 2 process. Businesses implement and maintain SOC 2 in a variety of ways. We broke down the basic process to tackle SOC 2 compliance into a checklist below.
1. Choose objectives and TSCs
The first action item on your SOC 2 checklist involves the purpose of your SOC 2. Before diving into controls, an organization needs to determine the objective of their SOC 2 report and choose relevant TSCs.
There are two types of SOC 2 reports, Type 1 and Type 2. Businesses typically start with a Type 1 and build up to a Type 2. We recommend this order for our own clients.
How do you determine which trust services principles to test for?
SOC 2 TSCs are driven by the commitments you make to your customers. What are you responsible for managing and maintaining? SOC 2 encompasses 5 TSCs:
- Security
- Privacy
- Processing Integrity
- Confidentiality
- Availability
The only required criterion is Security. For more information on the Trust Services Criteria, click here.
2. Perform a gap analysis and develop a remediation plan
A compliance team examines the practices and procedures a business has in place and compares the security posture to SOC 2 best practices to identify gaps. Based on the gaps found, a strategic remediation plan is set to tackle SOC 2 in the most efficient way possible. Take a look behind the curtain at our own SOC 2 gap analysis and remediation plan here.
3. Implement stage-appropriate controls
SOC 2 is a flexible framework. In light of this, a startup might meet certain requirements with a lighter control set than an enterprise customer would need.
From logging and monitoring to HR tasks and vendor management, a compliance team can identify ways to save time and money by implementing the correct tools and processes.
4. Perform a risk assessment
When control implementation is about 80% complete, the compliance team performs a risk assessment. As a crucial part of the audit, the risk assessment identifies any potential risks an organization incurs through growth, geography, or practices that fall outside information security best practices.
5. Prepare for the audit
After the risk assessment mitigation and acceptance process, the business needs to prepare for an audit.
How do you prepare for a SOC 2 audit?
While this means gathering evidence of implemented controls, it also means preparing an internal team to answer questions and work with auditors throughout the audit process.
How do you determine your company’s readiness for a SOC 2 audit?
After your team collects and compiles evidence for auditors and assesses and accepts risk, the organization is ready for audit.
6. Execute the audit
SOC 2 audits last between 2 weeks and a couple of months. This depends on the number of questions or evidence requests from the auditors.
Based on the results of your audit, you may or may not need to adjust for discrepancies identified by the auditor.
7. Maintain and monitor compliance over a 12-month period
Best practices state that organizations should undergo a new SOC 2 Type 2 assessment every 6 to 12 months. This helps to demonstrate to customers that your controls are in place and have been operating effectively year-over-year.
We recommend that our clients set up integrations to automatically collect evidence and monitor practices over time. This helps avoid heavy time commitments from team members and continues to secure information.