SOC 2 Audit Process and Best Practices

Wondering what to expect as you go through your first SOC 2 audit? This post covers each step of the process. At every step, keep in mind that the goal of a SOC 2 audit is to measure how well your organization controls its business processes, users, and data (proprietary, customer, etc.). A SOC 2 audit lets your company demonstrate that it has implemented appropriate controls to assure the security, availability, processing integrity, confidentiality, and privacy of client data. That, in turn, builds trust and confidence with inquiring vendors and prospective customers.




Create the Audit Scope and Quantify Risk

  1. In this preliminary phase you will identify which Trust Services Criteria (formerly called Trust Service Principles: security, availability, processing integrity, confidentiality and privacy) the auditor should evaluate for your company, and set a target readiness date for the audit. Security is mandatory in every SOC 2 report; the other four categories are added based on what your customers need assurance about.
    1. Organizations like financial or e-commerce services are more likely to include processing integrity as a key criterion than a healthcare organization, which will more often add confidentiality and privacy
  2. Organizations are responsible for defining the scope of their own SOC 2 report
    1. To maximize the audit's usefulness, consider factors such as:
      1. What are the mission critical services your organization provides?
        1. Take inventory of the critical systems that deliver your services
          1. If "abc" goes down, then "xyz" happens
          2. In this step you will build a portfolio that quantifies the revenue at risk, or the other ramifications, of a particular asset's exposure to a threat
          3. Methodologies like FAIR (Factor Analysis of Information Risk) are well suited to expressing information risk in financial terms
      2. What systems do you use to deliver core services?
      3. Who are the third parties your organization leverages to deliver its services?
      4. Do you need to comply with any regulatory requirements?
  3. A key to a successful SOC 2 attestation is not simply delegating the SOC 2 process to your IT team (note that SOC 2 is an attestation report issued by a CPA firm, not a certification)
    1. SOC 2 audit projects require several individuals outside of the IT world, such as legal and HR, who play a large role in your business processes
    2. Scoping can be done internally, but is typically completed with the help of a consultant.
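The "if abc goes down, then xyz happens" inventory above only becomes a risk figure once you attach frequencies and dollar ranges to it. The following is an added example (not code from the original post or from Silent Sector) of a simplified FAIR-style Monte Carlo: risk is decomposed into loss event frequency (threat event frequency multiplied by vulnerability) and loss magnitude (primary plus secondary loss per event), each given as a calibrated low / most likely / high estimate, and simulated over many years to get an annualized loss expectancy and a "bad year" (90th percentile) figure. The scenario name, every estimate and the `API_OUTAGE` scenario itself are constructed, hypothetical inputs, not data from any organization, and the model is a teaching simplification of FAIR, not the full ontology.

```python
"""
Added example (not part of the original post): a simplified FAIR-style
Monte Carlo that expresses the risk of one scenario in dollars.

Risk = Loss Event Frequency x Loss Magnitude, where
  Loss Event Frequency = Threat Event Frequency x Vulnerability
  Loss Magnitude       = Primary Loss + Secondary Loss (per event)
Every number below is a hypothetical, constructed estimate, NOT real data.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A three-point (low, most likely, high) estimate sampled as a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Estimate  # threat events per year
    vulnerability: Estimate           # probability a threat event becomes a loss event
    primary_loss: Estimate            # direct cost per loss event (USD)
    secondary_loss: Estimate          # indirect cost per loss event (USD): SLA credits, churn, etc.


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 1) -> list[float]:
    """Return the total loss for each simulated year (seeded, so runs are reproducible)."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        events = _poisson(rng, lef)
        total = 0.0
        for _ in range(events):
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        annual_losses.append(total)
    return annual_losses


def summarize(annual_losses: list[float]) -> dict[str, float]:
    """Turn simulated years into the figures a risk register or executive summary needs."""
    ordered = sorted(annual_losses)
    n = len(ordered)

    def pct(p: float) -> float:
        return ordered[min(n - 1, int(p * n))]

    return {
        "ale": sum(ordered) / n,      # annualized loss expectancy (mean annual loss)
        "median": pct(0.5),           # a typical year
        "p90": pct(0.9),              # a 1-in-10 "bad year"; useful for budgeting controls
        "p_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


# Constructed, hypothetical estimates for one entry of the "if abc goes down" inventory.
API_OUTAGE = Scenario(
    name="Customer-facing API unavailable for more than 4 hours",
    threat_event_frequency=Estimate(1, 3, 8),          # incidents per year that could cause it
    vulnerability=Estimate(0.2, 0.4, 0.7),            # fraction that actually take the API down
    primary_loss=Estimate(20_000, 50_000, 150_000),   # lost transactions, response effort
    secondary_loss=Estimate(0, 30_000, 200_000),      # SLA credits, churn, reputational cost
)

if __name__ == "__main__":
    result = summarize(simulate(API_OUTAGE))
    for key, value in result.items():
        print(f"{key:>10}: {value:.0%}" if key == "p_any_loss" else f"{key:>10}: ${value:,.0f}")
```

With the inputs above the expected annual loss works out to roughly $260k (mean frequency 4 x 0.43 events per year, mean magnitude about $150k per event), which is the kind of number that lets a control with a known price tag be argued for or against in the same terms the business uses.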

Gap Identification and Assessment

  1. Here you will assess your environment in its current state and complete a checklist against the Trust Services Criteria in scope.
    1. This usually means mapping your existing controls to the SOC 2 criteria and documenting them
    2. It also means collecting evidence that day-to-day operations actually implement your key policies
    3. The documentation formalizes the foundation for how you govern employees, vendors, etc. to achieve security

  2. This analysis will reveal areas lacking practical and useful security controls and will feed a remediation plan
      1. Examples of items found in a SOC 2 readiness assessment
        1. Lack of an asset inventory
        2. Inconsistency in the onboarding process, such as skipping background checks
        3. Lack of policies that define how your organization protects internal and customer data, such as
          1. Information Security Policy
          2. Access Control Policy
            1. Administrative, service accounts, etc.
          3. Password Policy
            1. Length and complexity, where multi-factor authentication is required, etc.
          4. Change Management Policy
          5. Risk Assessment and Mitigation Policy
          6. Incident Response Policy
          7. Logging and Monitoring Standards
          8. Vendor Management Policy
          9. Data Classification Policy
          10. Acceptable Use Policy
          11. Information, Software and System Backup Policy
          12. Business Continuity and Disaster Recovery Plan
          13. (See SOC 2 Documentation Structure diagram below)

  3. Policies are foundational to the overarching security of your company and customer data: they define how you execute security, and they give you the documented proof that supports your claims to the auditor

Remediation Time

  1. In this phase your team will allocate resources to closing the uncovered gaps
  2. You will also re-evaluate the audit readiness date and either keep it or set a more feasible one. Silent Sector understands the importance of holding firm on this date so that you can meet your goals.
  3. Depending on the results of your readiness assessment, this period can take anywhere from 2 to 9 months
    1. Hold periodic meetings to track and motivate remediation progress
    2. Test readiness to ensure controls are effective and work as intended; for a Type II report, start collecting evidence (tickets, access reviews, logs) as soon as each control is live, since the auditor will sample across the whole review period
    3. After readiness testing, most managers feel confident enough to engage the SOC 2 auditor


Engage with Audit firm

  1. It is important when completing this step that you engage a licensed CPA firm, such as our subsidiary, Keystone Audit. A SOC 2 is an attestation engagement performed under AICPA standards, and the AICPA, the body that sets those standards, only recognizes reports issued by CPA firms; a report from a non-CPA firm is not a SOC 2 report.
  2. In this step your chosen firm will send a lengthy list of expected deliverables (the evidence request list)
  3. Within this phase there will be requests for items that do not apply to your organization, in which case you will need to explain why they do not apply
  4. The auditor will typically take 1-5 weeks after fieldwork before issuing the report
  5. Decide up front whether you need a Type I report (controls are suitably designed at a point in time) or a Type II report (controls operated effectively over a review period, commonly 3 to 12 months); most customers asking for a SOC 2 expect a Type II
  6. The four common sections of a SOC 2 report:
    1. Management's Assertion
    2. Description of the System (the services, infrastructure, people and processes in scope)
    3. Auditor's Opinion (the independent service auditor's report)
    4. Results of Testing (the controls tested and any exceptions noted; in a Type II this shows how each control operated over the review period)


Post SOC 2 Audit

  1. Your organization will now have an independent third-party opinion on how it applies the Trust Services Criteria
  2. Your organization will have a comprehensive picture of its remaining security gaps (the exceptions noted in the report)
  3. Clients will see how seriously your organization takes the confidentiality, integrity and availability of their data.
  4. Congratulations, you will be differentiated from competitors who have not yet ventured into SOC 2


Frequently Asked Questions

  • Why is SOC 2 important?
    • System and Organization Controls (SOC) 2 audits are designed to meet a wide range of client expectations and provide assurance that an organization has built in the controls needed not only to protect its clients' data from an ever-growing landscape of threat actors, but also to protect the systems that house irreplaceable data.
  • How to attain SOC 2 compliance?
    • SOC 2 essentially requires that businesses develop security policies and procedures that are not only written down, but woven into the organization in such a way that they are followed by everyone
  • Who needs a SOC 2 report?
    • No law or industry regulation requires a SOC 2 report, but it provides the endorsement of a reputable auditor that you can be trusted as a service organization
  • How often are SOC 2 reports required?
    • Typically every 12 months: a Type II report covers a review period, and clients generally expect a fresh report annually, with a bridge letter from management covering any gap between the end of one period and the next report. The exact cadence depends on client preference and concerns within their operating landscape
  • How much does a SOC 2 cost?


Traditional Approach vs. Silent Sector's Approach

  • Traditional: "SOC 2 is just a sticker"
    Silent Sector: Security is built into processes and culture, eliminating the false sense of security generated by automated reporting tools alone
  • Traditional: Ultimately not really that secure
    Silent Sector: Evidence of improved security generated from ongoing processes and annual refreshes
  • Traditional: Audit is hectic and disruptive
    Silent Sector: Audit is smooth and runs predictably


Contact Silent Sector for an initial consultation to prepare for your SOC 2 audit. 

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.