SOC 2 Compliance Checklist

A SOC 2 audit evaluates the controls relevant to the security, availability, processing integrity, confidentiality, or privacy of a system against the AICPA Trust Services Criteria.

What system components are evaluated during a SOC 2 audit?
• Infrastructure (physical and IT hardware, including mobile devices)
• Software (application programs and the system software that supports them, such as operating systems and utilities)
• People (all personnel involved in the operation and use of the system)
• Processes (all automated and manual procedures)
• Data (transmission streams, files, databases, tables, and output used or processed by the system)

What are your auditors looking for?
• Whether management's description of the service organization's system is fairly presented with respect to the Trust Services Criteria in scope
• Whether the controls over that system are suitably designed (Type I and Type II reports) and operated effectively over the review period (Type II reports only)

What are the Trust Services Criteria?
• Security (the common criteria; in scope for every SOC 2 report)
• Availability
• Processing Integrity
• Confidentiality
• Privacy
The last four are included only when they are relevant to the service and chosen as in scope.

Compliance Checklist

Organization and personnel
• Do you have a defined organizational structure?
• Have you designated authorized employees to develop and implement policies and procedures?
• What are your background screening procedures?
• Do you have established workforce conduct standards?
• Do your clients and employees understand their role in using your system or service?
• Are system changes communicated to the appropriate personnel in a timely manner?

Perform a risk assessment
• Have you identified potential threats to the system?
• Have you analyzed the significance of the risk associated with each threat?
• What are your mitigation strategies for those risks?
• Do you perform regular vendor management assessments?

Policies and procedures
• Do you have policies and procedures that address all in-scope controls?
• Are policies and procedures reviewed at least annually?

Do you have physical and logical access controls in place?
• Is access to data, software, functions, and other IT resources limited to authorized personnel based on their roles?
• Is physical access to sensitive locations restricted to authorized personnel only?
• Have you implemented an access control system, with monitoring to identify intrusions?
• Have you developed and tested incident response procedures?
• Are software, hardware, and infrastructure updated regularly as needed?
• Do you have a change management process that also addresses deficiencies found in controls?

Availability and recovery
• What are your backup and recovery policies?
• How are you addressing environmental risks?
• Has your disaster recovery plan been documented and tested?

Processing integrity and confidentiality
• How are you ensuring that data is processed, stored, and maintained accurately and in a timely manner?
• How are you protecting confidential information against unauthorized access, use, and disclosure?
• Do you have a fully documented data retention policy?