July 19, 2023

How Do You Document Your Systems and Controls for a SOC 2 Audit?

Devon Lane
Content writer
at Flowbase

Ready to get started with your SOC 2 audit? That’s great. But now you’re probably wondering what the process looks like and what steps you’ll need to take as you go through the audit. 

You’ll start off by defining the scope of your audit and establishing which of the trust services criteria (TSC) you want to include. Remember, the security TSC is a must-have for any SOC 2 audit, but you may also want to audit controls for availability or confidentiality. Then, you’ll have to set the time period for the audit, which can span anywhere from six months to a year. 

Once those two important steps are completed, this is when you can start documenting all the systems and controls that will be reviewed as part of the audit. In this blog we’re sharing details on how to do that effectively and efficiently so that you can start your audit with the right foundation.

Policies and procedures

One of the core elements a SOC 2 audit will look at is your policy library. Whether you have one or you need to start from scratch, your policies should outline all the things you and your team members do to protect customer data, including policies around accessing that data or managing vendors. Meanwhile, your procedures will articulate how those things get done. 

Beyond the actual creation of your policies, you also need to have all of your new and existing employees review and accept the policies. This can be done with the support of a compliance tool like Drata.

In terms of the policies that will be audited in your SOC 2 audit, these typically include: 

  • Acceptable use policy: Outlines the ways in which a network, website, or system can be used. 
  • Access control policy: Establishes who has access to the company’s systems and how often those permissions are reviewed. 
  • Business continuity policy: Defines how to respond to a disruption in order to keep the business running smoothly.
  • Change management policy: Sets rules around how your organization documents and communicates systems changes. 
  • Confidentiality policy: Establishes how the organization handles confidential information regarding clients, partners, or the company itself. 
  • Code of conduct: Sets policies that employees and employers should adhere to while conducting business. 
  • Data classification policy: Outlines how to categorize sensitive data depending on the type of risk it poses to the company. 
  • Disaster recovery policy: Defines how the company recovers from a disastrous event in order to continue operations.
  • Encryption policy: Determines the type of data that should be encrypted and how.
  • Incident response policy: Clarifies roles and responsibilities in the case of a data breach and an ensuing investigation.
  • Information security policy: Establishes an approach for information security.
  • Information, software, and system backup policy: Defines how information from various business applications is stored to ensure recoverability as needed.
  • Logging and monitoring policy: Outlines which logs are collected and monitored, and the type of data that can be captured in those logs.
  • Physical security policy: Sets parameters around how to monitor and secure physical access to the company.
  • Password policy: Determines the requirements for password hygiene at the organization.
  • Remote access policy: Outlines the type of connectivity that can be used to work remotely.
  • Risk management and mitigation policy: Defines the action plan to be taken in the case of security incidents. 
  • Software development lifecycle policy: Sets guidelines and requirements for building secure, compliant software that’s tested regularly. 
  • Vendor management policy: Outlines which vendors could pose risks, and recommends controls for managing those risks. 
  • Workstation security policy: Determines how employee workstations are secured to reduce the risk of data loss and unauthorized access.

Which of these policies you need in place will depend on the type of business you run and the type of data you manage.

When it comes to proving compliance within the audit, you’ll need to gather evidence that these policies exist and that they have been reviewed and agreed to by all employees. 

Additional SOC 2 documentation

In addition to your policies, there are three other types of documentation that you’ll need to share with your SOC 2 auditor: the management assertion, system description, and control matrix.

Your management assertion is a written claim describing your systems that’s delivered to your auditor at the beginning of the audit. In other words, it explains how your system is designed to meet the service commitments your company has made to customers. It also provides an overview of how the systems meet the TSCs selected for the audit. The auditor then uses this insight to test your controls. Your auditor will then deliver the SOC 2 report as a response to the management assertion, determining whether everything works as it should to be SOC 2 compliant.

The system description outlines which parts of the organization’s infrastructure are included in the SOC 2 audit. In reviewing the system description, the auditor should be able to understand the types of risk your organization is open to and how they’re mitigated. Typically, a system description includes the following: 

  • A company overview that summarizes the company’s products and services
  • A system overview that outlines the services provided to customers
  • Principal service commitments and system requirements 
  • Components of the system, including infrastructure, software, data, processes, and people
  • Incident disclosure that speaks to whether any incidents have affected controls or service commitments
  • Criteria disclosure that details which TSCs are under review
  • Relevant aspects of the control environment, including the controls that have been implemented to meet each TSC
  • A review of the controls that are under the purview of your customers or vendors
  • Criteria exceptions
  • Changes to the system during the audit period

The control matrix is typically a spreadsheet that outlines the specific controls that sit under each SOC 2 criteria. The matrix includes details for each control including a criteria reference, control number, control activity, control owner, and risk level. 

Take a proactive approach to preparing your documentation

As you get ready for your audit, the best thing you can do is take a proactive approach to your documentation. Take the time to identify what documentation you need and start putting it together. If there are gaps in your policy library, for instance, hire someone to write up those policies. Pull in the right people to craft your system description and control matrix. Getting a head start on these tasks — and working with advisors that steer you away from any mistakes — will make the audit process much smoother.

Need help getting started with your SOC 2 audit? We can help. Get in touch to learn how.

We’re here to help.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt.

Get Started
LEARN MORE!
Responsive Components
Responsive Components
Responsive Components
Hey! Have any questions?

Frequently Asked
Questions

What type of compliance standard can you help with?

We help our clients based on their needs. The majority of our contracts involve SOC-2, HIPAA, and most recently GDPR. Feel free to ask us if we can help with your particular case. If we aren't able to, we can most likely recommend you to someone who can.

How long does a SOC 2 engagement usually take?

We move as fast as our clients are able to make progress. Our fastest client to date got their SOC-2 Type I four months after signing our engagement letter. That record is up for grab if you are up for it.

In our experience however, it takes 6-9 months to achieve a SOC-2 Type I,  and 3-6 additional months to obtain a SOC-2 Type II report.

Which standard do you follow for your security policies?

All of our security policies follow the ISO-27001 standard. The Confidentiality, Integrity, and Availability standards cover the range of standards we like to work with for SOC 2.

Why do we have to become SOC 2 compliant if we are relying on AWS which is already compliant?

SOC 2 stands for Service Organization Control, meaning your clients are interested in understanding your controls, not your hosting provider’s control. As part of your vendor assessment we recommend reviewing AWS’ SOC 2 report, but relying on their report is not enough to become SOC 2 compliant.

Who is behind SOC 2?

The American Institute of CPAs. The AICPA is an established and respected organization that provides two forms of audits to companies that demonstrate evidence of a secure data-protection infrastructure. A Type I is a point in time audit that addresses the company’s description of its system, the suitability of the system’s design, and the effectiveness of its internal data controls. A Type II report happens over a period of time and emphasizes design and also focuses on the validity of the company’s controls.

Are SOC 2 reports a legal obligation?

No, but most enterprise level organizations that engage with sensitive data (again, almost all of them) have an obligation to their stakeholders to prove due diligence regarding data security, which means they’ll want to vet their service providers using this tool. SOC 2 can help these prospective service providers set themselves apart from the competition. Just as important, a SOC 2 report represents a meaningful and respected signifier of trust.

What can happen to a company without a SOC 2 report?

A lack of a SOC 2 report won’t result in legal problems, but it can and will limit outside assessments of the company’s commitment to data security. When large-scale clients look for providers, or large-scale backers look for a likely return on their investment, they don’t want concerns about security to stand in the way. Trust is a chain made of links that have each been put the test and have proven their ability to withstand pressure and scrutiny. Company leaders are wise to let SOC 2 auditors apply this pressure so their clients and backers don’t have to.

When is it too late for a SOC 2 audit?

Never. Even companies that have been in business for years but have never obtained a SOC 2 report can—and should—take steps in this direction now. Being compliant with SOC 2 can open the door to a broader base of more significant clients and larger contract opportunities. That being said, startups in the threshold of the marketplace, and new business owners who hope for an eventual public offering, should obtain a SOC 2 report during the development and financing process. By the time the company approaches Series B and C fundraising rounds, a report should be in hand.

How complicated is the auditing process?

The auditing process can be easy, or complicated depending on your level of preparation.

Preparing for the audit can take some time, attention, and the guidance of reliable data security experts. Don’t leave any part of this process to chance. Approach SOC 2 compliance one step at a time, and start by contacting a consulting firm with track record of experience in your area of the marketplace.

Home
Resources
Contact
Raze™ All Rights Reserved, 2022.
Style Guide
Licence
Changelog