SOC 2: Starting your audit process
SOC 2: Starting your audit process

SOC 2: Starting your audit process

Maintain the security of your customer’s data with a globally recognized compliance standard.


clock4 Min Read

Featured Image

SOC 2 is a voluntary compliance standard that companies should meet when managing customer data. Based on a set of trust service criteria, SOC 2 outlines the minimum requirements needed to maintain the security of your customers.

Below, we cover the major steps in scoping and selecting a SOC 2 auditor:

  • Determine your trust services criteria 
  • Get internal buy-in
  • Select an external auditor
  • Perform a readiness assessment
  • Build a SOC report 

Determine your trust services criteria

The Trust Services Criteria (TSC) was developed by the ASEC Trust Integrity Task Force used to evaluate and report on the information and system controls in attestation or consulting engagements. The five main criteria are:

  • Security
  • Availability
  • Processing integrity 
  • Confidentiality
  • Privacy

Out of the five criteria, the only one required to meet SOC 2 compliance is security. If the other criteria are relevant to a company’s services, a company can opt to include them in its audit. 

Discuss the criteria and any contractual obligations with internal stakeholders and verify compliance with your auditor to determine the best approach.

Get internal buy-in

When embarking on any type of audit, it’s necessary to get internal buy-in from key stakeholders. Multiple individuals in an organization will contribute throughout the SOC 2 audit, from scoping to collecting evidence, which makes it critical for everyone to be on the same page. 

Streamline your SOC 2 compliance by informing internal stakeholders about what’s needed from them and at what stages they will be involved.

Define the audit scope

SOC 2 audits are tailored to a company’s specific needs. For example, an audit can be performed on the entire company level or a specific area of operations. 

An audit scope also outlines the period covered by the audit and any existing security controls and systems. Use the following questions to set the stage for your audit:

  • Will physical offices be included in the audit? 
  • Where is your client’s collected data hosted (i.e., public or private cloud)?
  • How are system capacity requirements monitored?
  • Do you maintain external digital storage media that stores client data? 
  • Where do you maintain system backups and records?
  • Are there any intrusion detection or prevention systems (IDS/IPS)?

Select an external auditor 

Once your company is aligned on the upcoming SOC 2 compliance audit, the next step is to select an external auditor to facilitate the process. There are four key factors to consider when deciding on the right auditor:

  • Quality: Evaluate the auditor’s background, as well as any client testimonials
  • Experience: Look for an auditor with experience in your industry and with similar companies
  • Cost: While cost depends on the company size and scope, establish a baseline by getting quotes from a few providers
  • Personality fit: Find an auditor that aligns with your company and workflow, and makes it easier to perform routine audits in the following years

Perform a readiness assessment

Auditors will start by guiding your company through a readiness assessment, which provides a top-down overview of audit requirements and collects details about your current security process. 

The readiness assessment also reveals any gaps or other information that should be prepared for your final SOC 2 audit report.

Note that companies, not auditors, are responsible for the policies, processes, and controls implemented throughout the audit process. 

Build a SOC report 

At the end of an audit, which can take as long as several months, your company will receive a detailed SOC 2 report. The report typically comprises five main parts:

  • Control environment
  • Risk assessment
  • Information and communication 
  • Monitoring
  • Control activities

A company’s SOC 2 compliance report may be required by potential vendors or customers. For this reason, it’s recommended to schedule a SOC 2 audit once a year to include any significant security changes.

This ensures your compliance reports are aligned with your current operations and helps increase trust between your company and the target market.

Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.

You Might Also Be Interested In

JANUARY 25, 2023

Your guide to celebrating Data Privacy Day 2023

JANUARY 17, 2023

Speak-up culture toolkit: Leveraging disclosure data to drive a speak-up culture

JANUARY 13, 2023

Addressing UK app Code of Practice requirements with OneTrust

JANUARY 12, 2023

Ultimate guide to the EU CSRD ESG regulation for businesses

JANUARY 11, 2023

Continuous improvement: The leading indicator for successful compliance programs

JANUARY 10, 2023

Build trust, promote your program in the Third-Party Risk Exchange

JANUARY 9, 2023

Building trust in a zero trust world

JANUARY 9, 2023

Consent management by the numbers: 2022 DMA report summary

Onetrust All Rights Reserved