SOC Planning and Preparation
Documentation to Review
There's a good amount of documentation available to help an organization prepare to undergo a SOC 2 review. A good starting point is to review the 2017 Trust Services Criteria (TSC). You can visit the AICPA website at www.aicpa.org to download a copy. The Trust Services Criteria provide the control criteria for security, availability, processing integrity, confidentiality, and privacy.
Other supporting guidance includes:
- Statement on Auditing Standards No. 18 (SSAE-18)
- COSO's Internal Control Framework
- SOC 2 Guide - SOC for service organizations
The above documents are used by service auditors for guidance in performing the SOC 2 assessment.
Steps to compliance
- Determine the scope of the system and/or service to be included in the SOC review.
- Document the infrastructure, systems, software, data, and people involved in the system.
- Perform a formal risk assessment, and update policies and procedures to satisfy the TSC control requirements.
- Design and implement controls that meet the criteria selected for the assessment (security, availability, processing integrity, confidentiality, or privacy). At this step a SOC 2 Type 1 report may be issued.
- Maintain the controls and ensure they operate effectively throughout the year. A SOC 2 Type 2 report may be issued covering a specified period of time.