SOC Planning and Preparation
Documentation to Review
There's a good amount of documentation available to help an organization prepare to undergo a SOC 2 review. A good starting point is to review the 2017 Trust Services Criteria (TSC). You can visit the AICPA website at www.aicpa.org to download a copy. The Trust Services Criteria provide control criteria for security, availability, processing integrity, confidentiality, and privacy.
Other supporting guidance includes:
- Statement on Auditing Standards No. 18 (SSAE-18)
- COSO's Internal Control Framework
- SOC 2 Guide - SOC for service organizations
The above documents are used by service auditors for guidance in performing the SOC 2 assessment.
Steps to compliance
- Determine the scope of the system and/or service to be included in the SOC review.
- Document the infrastructure, systems, software, data, and people involved in the system.
- Perform a formal risk assessment, then update policies and procedures to satisfy the TSC control requirements.
- Design and implement controls that satisfy the criteria selected for the assessment (security, availability, processing integrity, confidentiality, or privacy). At this step a SOC 2 Type 1 report may be issued.
- Maintain the controls and ensure they operate effectively throughout the year. A SOC 2 Type 2 report may be issued covering a specified period of time.