The document provides a checklist for organizations to prepare for a SOC 2 audit and assessment. It outlines gathering documentation on IT infrastructure, policies, controls and selecting an auditor. The checklist includes collecting cloud provider reports, vendor agreements, developing security policies, implementing controls across systems, determining the audit scope and criteria, and selecting a reputable audit firm. The document promotes Dash ComplyOps as a solution to help build and maintain a SOC 2 program.

Dash Solutions

SOC 2 Readiness Checklist

Gather IT Infrastructure/Cloud Security Documentation


Organizations should gather all relevant security documentation and attestations from their cloud
or infrastructure provider. Teams may consider gathering documents including:
• Cloud provider SOC reports (SOC 1, SOC 2, SOC 3)
• Service Level Agreements (SLAs)
• Business Associate Agreements (BAAs), where HIPAA-regulated data is in scope

Gather Contractor and 3rd Party Vendor Agreements


In addition to the IT infrastructure documentation, organizations should collect all agreements
and NDAs signed with contractors, third-party vendors, and software companies.

Create Administrative Security Policies


Teams preparing for SOC 2 should develop administrative policies based on the organization’s
technologies, staff structure, and security goals. Administrative policies should provide the
standard operating procedures for managing SOC 2 internal controls. Policies should address
topics including Security Roles, System Access, Disaster Recovery (DR), Risk Assessment &
Analysis, and Security Training.

Set Technical Controls


Security team members should implement all necessary internal security controls across the
cloud environment and IT infrastructure. Teams should enforce security controls including:
• Encryption
• Access Control
• Network and Firewall
• Backup Settings
• Intrusion Detection
• Vulnerability Scanning and Patching

Determine Scope For SOC 2 Assessment


SOC 2 reports evaluate service organizations against one or more of the five Trust Services
Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. The
Security criteria are required in every SOC 2 report; the other four are included based on the
commitments the organization makes to its customers. Teams should decide which criteria will be
assessed under the SOC 2 audit.
• Determine whether the audit will produce a SOC 2 Type I report (design of controls at a point in
time) or a SOC 2 Type II report (design and operating effectiveness of controls over a review
period).
• Determine which Trust Services Criteria (TSC) will be evaluated in the SOC 2 report.

Select a SOC 2 Auditor


After preparing the security program, organizations should select a reputable SOC 2 audit firm. A
SOC 2 report may only be issued by a licensed CPA firm performing the engagement under AICPA
attestation standards. Teams should look for a firm that has worked with companies of similar
size and type and has experience conducting previous SOC 2 audits.

Learn how Dash ComplyOps provides teams with a solution for building, monitoring, and
maintaining a SOC 2 security program in the public cloud and achieving a SOC 2 Type II report.

[email protected] +1 267-567-3552 www.dashsdk.com
