📄️ Overview
SOC2 Compliance Overview
📄️ Planning and Preparation
The diagram below does not depict every process in an audit, but it gives a high-level overview of the steps involved in going through a SOC2 audit. Every auditing firm, consultant, and lead implementer will have its own processes and techniques for completing the audit.
📄️ Required Documents for SOC2 Audit
There are three documents you’ll need for your SOC 2 audit: a management assertion, a system description, and a controls matrix.
📄️ Audit Principles and Concepts
There are quite a few auditing principles and concepts that might seem foreign to management or perhaps even an inexperienced service auditor.
📄️ Audit Procedures
Testing will occur for the different criteria and controls that have been implemented by the service organization. For example, the testing and evidence for availability will differ from that for privacy.
📄️ Bridge Letters
Your SOC 2 is only valid for a year after your audit. If you’re behind on renewing your SOC 2 report and it falls past the date through which it’s valid, you may need a SOC 2 bridge letter. In this guide, we’ll explain what a SOC 2 bridge letter is and the role it plays in maintaining trust with your customers as you renew your report.
📄️ FAQ
No, a SOC 2 is not legally required of any organization. However, a customer may require you to obtain one before doing business with you.
📄️ Conducting a SOC2 Audit
Communication During An Audit
📄️ SOC2 Framework Details
You should always refer to the published standard for details regarding the prescribed controls or implementation guidance. At the time of writing, the most current SOC 2 version is the 2017 version with the revised points of focus from 2022. For convenience and easier readability, however, the tables below provide a high-level overview of the common criteria for each of the Trust Services Criteria (TSC) and the points of focus that should be used as guidance.
📄️ Security Management Procedures
Passwords and MFA