SOC 2 Compliance Checklist

For outsourced systems and processes, the burden of ensuring appropriate security controls are in place to manage IT risks is often passed onto those service providers. To provide formal assurance to their customers, service organizations try to obtain SOC 2 (Service Organization Control 2) reports. Use this post to help you understand what SOC 2 is, why you might need/want a SOC 2 report, and some steps to prepare for your SOC 2 audit.

What is SOC 2?

The American Institute of Certified Public Accountants (AICPA) established three SOC reports to assess the controls of service organizations: SOC 1, 2, and 3. SOC 1 deals with financial controls, while SOC 2 and 3 cover non-financial and operational controls.

The SOC 2 report is intended to provide assurance to the customers of service organizations around controls pertaining to security, availability, processing integrity, confidentiality and/or privacy. It is not a one and done report; it is a continuous commitment to uphold the stringent audit standards.

Benefits of Obtaining a SOC 2 Report

Because the auditing process is so rigorous, service organizations with positive SOC 2 reports are seen as capable of operating with efficiency and security and have a competitive advantage. In addition, they are able to win contracts with organizations that require their service providers to provide annual SOC 2 reports.

SOC 2 Compliance Checklist: How to Prepare for the SOC 2 Audit

  1. Define your organization’s goals and select an auditor.

Start by asking why you want to obtain a SOC 2 report. Is it because of a contractual requirement or is it for your organization’s business strategy? 

Remember, SOC 2 covers non-financial and operational controls. These include vendor management, corporate governance, risk management, and regulatory activities. 

Once you’ve determined your goals and objectives, engage with SOC 2 service auditors and select one.

  1. Define the scope. 

The SOC 2 audit examines a service organization’s compliance based on five trust services criteria (TSCs): security, availability, processing integrity, confidentiality, and privacy. 

Not all five TSCs, though, may apply to your organization. For one, AICPA only requires security for SOC 2 audits; the other four are optional. Therefore, choose the TSCs that apply to your organization, your industry, and/or your customers. This will determine which processes and/or systems are within scope for your audit.

For more on the 5 TSCs, check out our post on SOC 2 compliance

  1. Choose the type of SOC 2 report.

There are two types of SOC 2 reports, so choose the one that’s specific to your goals and requirements.

SOC 2 Type 1 checks your organization’s controls at a particular point in time. It’s a fast and efficient means to secure data and communicate the results to your customers.

SOC 2 Type 2 covers SOC 2 Type 1, but it also examines the controls’ effectiveness over time, say, for an entire year. Expect to have better assurance with SOC 2 Type 2 than SOC 2 Type 1.

  1. Prepare, assess, remediate.

Once you have determined the goals, scope, and report type, it’s time to prepare for your audit. Here are a few tips:

  • Based on the chosen TSCs, evaluate your current controls and produce any existing documentation such as policy and procedure docs or anything from past audits or self-assessments. 
  • Once you’ve gathered documentation around your existing controls, you should perform a readiness assessment to find the gaps your organization may have in your existing control framework. For example, for the Privacy TSC, do you restrict access to sensitive customer data to only those who need access? Can you prove it? Or for the Security TSC, do you encrypt data?
  • Now that you’ve identified the gaps in your control framework, it’s time to put together a remediation plan to close those gaps. Depending on your gaps, you might need to update your processes and procedures or your policy documentation, you might need to invest in new technology or hire someone. 
  • Remediation is not the last step. It is important to conduct another readiness assessment to ensure that your remediation efforts were sufficient enough to close the gaps in your control framework. Once controls and operating effectiveness have been deemed sufficient, you can move forward and schedule the SOC 2 audit with accredited auditors.

Zeguro’s Cyber Safety Platform offers several capabilities designed to simplify and accelerate SOC 2 compliance for small and medium-sized businesses, including employee security awareness training, web app monitoring, and security policies. For more information, visit or sign up for a 30-day free trial.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Learn more →

Start My Free Trial
Ellen Zhang
Written by

Ellen Zhang

Digital Marketing Manager

Enthusiastic and passionate cybersecurity marketer. Short-story writer. Lover of karaoke.

Sign up for the latest news

Oops! Please make sure your email is valid and try again.