Resources
Everything you need to know
Company
Security and customers first
Close

Request a demo

Find out today the difference that Hicomply’s unique solution can make to your business.

Close

Thank you for your request

Success

In the meantime, connect with Hicomply for insights on authentication and fraud prevention

Close

ROI Calculator

See how much you could save with Hicomply

Hicomply feature Yearly saving
Automated scoping Easily scope your ISMS with the Hicomply platform
Asset register autogeneration A shorter learning curve for organisations and a simplified process
Risk assessment Autogenerate your risk register and risk treatment plan
Extended policy templates 90% of the essential are already written out of the box
Controls framework All controls are pre-loaded and already linked to the risks they mitigate
Task management Automate all actions, administration and setup time of your ISMS
Real time monitoring Understand status and progress across your ISMS with the Hicomply dashboard
Compliance & Training Your whole team, on the same page
Audit readiness Hicomply makes sure you have everything in place for your audit
Auditor access Give auditors a dedicated login to access and audit your ISM
Back to Resource Hub

SOC 2 Compliance Checklist (2023)

SOC 2, developed by the American Institute of Certified Public Accountants (AICPA), provides security standards for your organisation’s information security controls.

These controls address how your organisation handles customer data – successful SOC 2 compliance allows you to prove to current and prospective clients that your business has stringent measures in place to secure their data.

What are the SOC 2 criteria?

SOC 2 addresses five trust services categories:

  • Security, or common criteria
  • Additional criteria for availability
  • Additional criteria for processing integrity
  • Additional criteria for confidentiality
  • Additional criteria for privacy

You do not have to address all of the above categories. Security controls are most commonly required, but you may choose to address additional criteria in line with your organisation’s objectives.

What are the possible SOC 2 audit outcomes?

When your organisation is audited by a certified public accountant (CPA), there are three possible outcomes:

  • Unmodified opinion: Your auditor identified no material inaccuracies or flaws in systems.
  • Qualified opinion: Your auditor identified inaccuracies in system control descriptions, but they’re limited to specific areas.
  • Adverse opinion: Your auditor discovered adequate evidence that there are material inaccuracies in your controls’ descriptions, and flaws in design and operational efficacy.

A successful SOC 2 audit proves that your organisation is compliant with the trust services categories you selected.

How do I prepare my organisation for a SOC 2 compliance audit?

Naturally, there’s a lot of preparation involved in ensuring your organisation is ready for a SOC 2 Type 2 audit. We’ve condensed the process into a handy SOC 2 compliance checklist you can use to measure your organisation’s SOC 2 preparedness.

If you need a version of our checklist to keep and update, you can also download the PDF:
Download the SOC 2 Compliance Checklist

SOC 2 compliance checklist

  • Does your SOC 2 report need to address:
    • Security
    • Availability
    • Confidentiality
    • Privacy
    • Processing integrity
  • Define organisational structure
  • Designate authorised employees to develop and implement policies and procedures
  • Establish working committees
  • Implement background screening procedures
  • Establish workforce conduct standards
  • Ensure clients and employees understand their role in using your system or service
  • Effectively communicate system changes to the appropriate personnel in a timely manner
  • Define your organisation’s policies and procedures relevant to the selected Trust Services Criteria
  • Undertake SOC 2 gap analysis
  • Implement necessary policies and procedures identified by gap analysis
  • Test and validate new policies and procedures
  • Perform a risk assessment
    • Identify potential threats to the system
    • Analyse the significance of the risks associated with each threat
    • Develop mitigation strategies for those risks
  • Conduct regular fraud risk assessments
  • Perform regular vendor management assessments
  • Undertake annual policy and procedure review
  • Implement physical and logical access controls
  • Limit access to data, software, functions, and other IT resources to authorised personnel based on roles
  • Restrict physical access to sensitive locations to authorised personnel only
  • Implement an access control system
  • Implement monitoring to identify intrusions
  • Develop and test incident response procedure
  • Update software, hardware, and infrastructure regularly as necessary
  • Execute a change management process to address flaws in controls
  • Establish and identify backup and recovery policies
  • Establish and identify how are you addressing environmental risks
  • Test and record your disaster recovery plan
  • Ensure data is being processed, stored, and maintained accurately and in a timely manner
  • Protect confidential information against unauthorised access, use, and disclosure
  • Identify your documented data retention policy.

Be sure to bookmark the Hicomply blog for the latest ISMS and wider data security news and research. Alternatively, book a Hicomply demo today to find out how Hicomply can help secure your company’s vital information.

More Resource Hub

ISO27001
SOC 2 Controls: CC9 Risk Mitigation
ISO27001
SOC 2 Controls: CC8 Change Management
ISO27001
SOC 2 Controls: CC7 System Operations