top of page

SOC Planning and Preparation

Documentation to Review

There's a good amount of documentation available to help an organization prepare to undergo a SOC 2 review.  A good starting point is to review the 2017 Trust Services Criteria (TSC).  You can visit the AICPA website at to download a copy.  The trust services criteria provides control criteria for security, availability, processing integrity, confidentiality or privacy.  

Other supporting guidance includes:

  • Statement on Auditing Standards No. 18 (SSAE-18)

  • COSO's Internal Control Framework

  • SOC 2 Guide - SOC for service organizations

The above documents are used by service auditors for guidance in performing the SOC 2 assessment.

Steps to compliance

  1. Determine the scope of the system and/or service to be included in the SOC review. 

  2. Document the infrastructure, systems, software, data, and people involved in the system.

  3. Perform a formal Risk Assessment, update policies and procedures to satisfy TSC control requirements

  4. Design and implement controls to meet controls for the specific criteria for the assessment (security, availability, processing integrity, confidentiality, or privacy).  At this step a SOC 2 type 1 report may be issued.

  5. Maintain controls and ensure they operate effectively throughout the year.  A SOC 2 type 2 report may be issued for a specified period of time.

Steps to PCI DSS Certification.jpg
  • Linkedin
bottom of page