Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first
Hicomply I
Hicomply app

Aligning with the AICPA’s SOC 2 framework shows your clients and potential clients that your organisation focuses on five key trust principles: security, availability, processing integrity, confidentiality, and privacy.

While there aren’t mandatory SOC 2 policies and procedures, the standard does have ‘focus points’ your organisation needs to address if you’re working towards compliance – and these focus points include specific policies and procedures.

In this article we look at the policies and procedures your organisation may need to implement, their relevant clauses within the certification framework and the purpose behind each document.

What Are SOC 2 Policies and Procedures?

In the context of information security, policies are a set of guidelines that determine how your organisation’s information assets and resources should be applied, managed, and safeguarded. These policies address a risk or several related risks and define your strategy and approach to mitigating that risk, which should be applied across your organisation.

Procedures are used to define how your SOC 2 policies are enforced. They outline the steps that need to be taken to protect your organisation’s information assets, address potential threats and vulnerabilities, and respond to incidents.

SOC 2 Policies


Clause Reference


Acceptable Use Policy


To outline the acceptable and unacceptable use of your organisation’s information and IT assets.

Access Control Policy

CC5.2.3, CC6.1 , CC6.1.2, CC6.1.3, CC6.1.5, CC6.1.6, CC6.1.7, CC6.1.8, CC6.2.1, CC6.2.2, CC6.3, CC6.3.1, CC6.3.2, CC6.3.3, CC6.5, CC6.6, CC6.6.1, CC6.6.2

To define and implement a formal process governing access control, which prevents unauthorised access to your organisation’s information and protects it from unauthorised disclosure, deletion or modification.

Anti-bribery and Corruption Policy

CC2.2.3, CC2.3.4, CC3.3, CC3.3.1, CC3.3.2, CC3.3.3, CC3.3.4, CC3.3.5

To ensure that the organisation’s rules related to anti-bribery and corruption are defined, understood, and implemented by staff.

Asset Management and Information Classification Policy

CC3.2.6, CC6.1.1, CC6.1.6, CC6.7, CC6.7.1, CC6.7.3, CC6.7.4, C1.1, C1.1.1, C1.1.2, C1.2, C1.2.1, C1.2.2, PI1.1, PI1.1.1, PI1.1.2, PI1.2, PI1.2.1, PI1.2.2, PI1.2.3, PI1.3, PI1.3.1, PI1.3.2, PI1.3.3, PI1.3.5, PI1.4, PI1.4.1, PI1.4.2, PI1.4.3, PI1.4.4, PI1.5, PI1.5.1, PI1.5.2, PI1.5.3, PI1.5.4, PI1.5.4, P4.3, P4.3.1, P4.3.2, P4.3.3

The purpose of this policy is to outline how assets are managed, including the information classification and asset handling of your organisation’s information and IT assets.

Business Continuity Management Policy

A1.2, A1.2.7, A1.2.8, A1.2.9, A1.3.2

To define the objectives and rules for business continuity management. Business continuity management aims to identify possible threats to critical assets in your organisation and the impact they may have on its operations, implementing a framework of organisational resilience, plans and actions to effectively respond.

Change Management Policy

CC3.4, CC3.4.2, CC3.4.3, CC3.4.4, CC3.4.5, CC6.8.3, CC8.1, CC8.1.1, CC8.1.2, CC8.1.3, CC8.1.4, CC8.1.5, CC8.1.6, CC8.1.7, CC8.1.8, CC8.1.9, CC8.1.10, CC8.1.11, CC8.1.13, CC8.1.14, CC8.1.15, CC8.1.13

To establish management direction and high-level objectives for change management and the related controls. To ensure that changes to information resources are managed and executed according to a formal change control process.

Code of Conduct Policy (includes Whistleblowing policy).

CC1.1, CC1.1.4

To ensure that there is a clear code of conduct in place for our staff and that they understood how it is to be applied in your organisation.

Compliance Policy

CC3.1, CC3.1.15

To detail how your organisation ensures compliance with the relevant legislative, contractual and policy requirements and provides the context for the Compliance Framework which provides guidelines and structures.

Cryptographic Controls Policy

CC6.1 , CC6.1.2, CC6.1.3, CC6.1.6, CC6.1.9, CC6.1.10, CC6.7.2, CC6.7.3, CC6.7.4

To provide appropriate levels of protection to sensitive information whilst ensuring compliance with statutory, regulatory, and contractual requirements.

Data Protection and Privacy Policy

P1.1, P1.1.1, P1.1.2, P1.1.3, P1.1.4, P2.1, P2.1.1, P2.1.2, P2.1.3, P2.1.3, P2.1.4, P2.1.5, P2.1.6, P3.1, P3.1.1, P3.1.2, P3.1.3, P3.1.4, P3.2, P3.2.1, P3.2.2, P4.1, P4.1.1, P4.2, P4.2.1, P4.2.2, P4.2.2, P4.3, P4.3.1, P4.3.2, P4.3.3, P5.1, P5.1.1, P5.1.2, P5.1.3, P5.1.4, P5.2, P5.2.1, P5.2.2, P5.2.3, P6.1, P6.1.1, P6.1.2, P6.1.3, P6.1.4, P6.2, P6.2.1, P6.3, P6.3.1, P6.4, P6.4.1, P6.5, P6.7, P8.1, P8.1.1, P8.1.2, P8.1.3

To define the principles and practices to follow in protecting all PI. That commitment includes ensuring the accuracy, confidentiality, and availability of PI and allowing your employees, clients, customers and partners to request access to enable correction of their PI.

Disposal of IT Assets Policy

CC6.5.1, CC6.5.2, C1.2, C1.2.1, C1.2.2, P4.3, P4.3.1, P4.3.2, P4.3.3

To ensure that your organisation has fully thought through, evaluated and responded to legislation and other constraints surrounding the disposal of IT assets.

Employee Handbook

CC1.1, CC1.1.4, CC1.1.2, CC1.1.5

To set out the terms and conditions of staff employment with your organisation.

Human Resources Policy

CC1.1, CC1.1.1, CC1.1.3, CC1.5, CC1.5.2, CC1.4, CC1.4.3, CC4.1.4, CC1.4.5, CC7.4.13

To ensure that employees and contractors understand their responsibilities (including privacy and security) and are suitable for the roles for which they are considered and that HR protect the organisation’s and employees' interests from preemployment checks to during and changing or terminating employment.

Incident Management Policy

CC2.2.3, CC2.2.6, CC2.3.4, CC2.3.11, CC7.3, CC7.4.1

To design and implement a consistent and effective incident management process to ensure the timely and appropriate response to security attacks, incidents and breaches. The primary goal of the incident management process is to restore normal service operation as quickly as possible and minimise the adverse impact on business operations, thus ensuring that the optimal levels of information security and service quality are maintained.

Information Management Policy

CC1.5.1, CC5.3.6, P4.3, P4.3.1, P4.3.2, P4.3.3

To ensure that information collected in various ways within your organisation is secured in a manner which provides and maintains a competitive advantage to the organisation.

The purpose of this policy is also to ensure that information transfers take place via secure, authorised mechanisms and that sensitive information is protected from unauthorised access or disclosure.

Information Security Policy


To provide the framework to ensure the protection of information assets. This policy governs the usage, access and disclosure of such information in accordance with appropriate standards, laws and regulations.

Logging and Monitoring Policy

CC6.8.2, CC7.1, CC7.1.2, CC7.1.3, CC7.1.5, CC7.2, CC7.2.1, CC7.2.2, CC7.2.3, CC7.2.4, PI1.3.3, PI1.3.4, PI1.3.4, PI1.3.5, PI1.4, PI1.4.1, PI1.4.2, PI1.4.3, PI1.4.4, PI1.5

To establish a consistent expectation of security logging and monitoring practices across the systems to ensure early identification and effective investigation of security events.

Mobile Device Policy


To ensure that the information stored on mobile devices is securely managed and protected and that the risks of working with mobile devices across environments are managed.

Network Security Policy

CC6.6.3, CC6.6.4, CC6.7

To ensure that networks are effectively and securely managed and maintained and that staff understand their role regarding the acceptable use and security of the network infrastructure.

Password Policy

CC.5.3, CC.6.1, CC.6.1.7 & CC.6.1.8

To protect your organisation’s systems from a breach of security, to limit unnecessary interruptions in service and to prevent the corruption of company data.

Physical & Environmental Security Policy

CC6.1 , CC6.4, CC6.4.1, CC6.4.2

To mandate the physical and environmental security requirements for the protection of the information and the related assets of your organisation.

The objective is to prevent unauthorised physical access, damage and interference to the organisation’s information and facilities.

Risk Management Policy

CC3.1, CC3.1.15

To define the principles managing how your organisation identifies potential information security threats to the organisation, minimises their impact and effectively monitors and evaluates the risk management strategy.

Secure Development Policy (Systems Development Lifecycle)

PI1.2, PI1.2.1, PI1.2.2, PI1.2.3, CC6.1.8

To describe the requirements for developing and/or implementing new software and systems your organisation and to ensure that all development work is compliant with standards and regulatory requirements and secure.

This policy sets out the principles to be followed during the software, project management and system development lifecycle to ensure that the development process is effective and manages the risks related to quality, compliance and information security threats to the organisation and your customers.

Supplier Security management Policy

CC1.1, CC1.4.2, CC5.2.4, CC3.2, CC3.2.1, CC3.2.2, CC3.2.3, CC3.2.4, CC3.2.5, CC3.2.6, CC3.2.7, CC3.2.8, CC9.2, CC9.2.1, CC9.2.2, CC9.2.3, CC9.2.4, CC9.2.5, CC9.2.6, CC9.2.7, CC9.2.8, CC9.2.9, CC9.2.10, CC9.2.11, CC9.2.12, P6.4, P6.4.1, P6.5 , CC3.4.5, CC6.1.8

To protect your organisation’s business and information assets that are accessible to or affected by suppliers through the deployment of adequate and appropriate supplier-related risk and security controls.

Vulnerability Management and Penetration Testing Policy

CC4.1, CC4.1.1, CC4.1.2, CC4.1.5, CC4.1.6, CC4.1.7, CC4.1.8, CC7.1, CC7.1.5

To define Vulnerability Management and Penetration Testing and establish a framework for security reviews, testing and verifications of system updates to mitigate vulnerabilities in the IT environment and risks associated with them.

SOC 2 Procedures


Clause Reference


Awareness and Education Programme

CC2.2.7, CC2.2.8, CC2.2.10, CC2.2.11

To define how the security awareness and education programme is implemented and managed at your organisation.

Business Continuity Management Procedure

CC1.4.4, A1.2, A1.2.7, A1.2.8, A1.2.9

To ensure the continuation of the business during and following any incident that results in disruption to the normal operational capability.

The main objective of Business Continuity Management is to minimise/eliminate the loss to your organisation’s business in terms of revenue loss, loss of reputation, loss of productivity and customer satisfaction and to ensure the continuation of the business during and following any incident that results in disruption to the normal operational capability.

Communications Plan


To ensure that relevant issues of information security and privacy are communicated to relevant individuals with clarity and consistency to ensure they have the necessary knowledge to carry out their responsibilities.

Communications Procedure

CC2.2.7, CC2.2.8, CC2.2.10, CC2.2.11, CC2.3.1, CC2.3.2, CC2.3.3, CC2.3.5, CC2.3.6, CC2.3.7, CC2.3.8, CC2.3.9, CC2.3.10, CC7.4.12, CC7.4.13, CC9.1.1

To ensure there are formal processes in place for both employees and external parties to ensure effective communications.

Cryptographic Controls Procedure

CC6.1 , CC6.1.2, CC6.1.3, CC6.1.6, CC6.1.9, CC6.1.10, CC6.7.2, CC6.7.3, CC6.7.4

To ensure there are formal processes in place for both employees and external parties to ensure effective communications.

Data Loss Prevention Procedures


To define the Data Loss Prevention Procedures for your organisation’s computers, networks, and technology systems.

Data Retention and Disposal Procedure

CC6.5, CC6.5.1, CC6.5.2

To ensure that there are formal data retention and disposal processes in place for both employees and external parties to ensure effective communications and compliance.

This is done by setting the required retention periods for specified categories of Information (including Personal Information) and the minimum standards to be applied when disposing of data and information within your organisation.

Device Hardening Standards Servers

CC6.1.6, CC6.1.7, CC6.6.1, CC6.6.2, CC6.6.3, CC6.6.4, CC6.7, CC6.7.1, CC6.7.3, CC6.7.4, CC6.8.1, CC7.1.1, CC6.7.2, CC8.1.12, PI1.3, PI1.3.1, PI1.3.2, PI1.5.1, PI1.5.2, PI1.5.3, PI1.5.4

To define the Device Hardening rules to be implemented for all servers.

Disclosure and Subject Access Request Procedure

P5.1, P5.1.1, P5.1.2, P5.1.3, P5.1.4, P5.2, P5.2.1, P5.2.2, P5.2.3, P6.7

To define the procedure for managing subject access requests (SAR) are made by stakeholders.

Documents and Records Management Procedure

CC1.5.1, CC5.3.6

To ensure that documents and records are appropriately created, captured, accessed, managed and stored in a manner that reflects business, corporate information security, risk and regulatory compliance requirements.

Human Resources Procedures

CC1.1.1, CC1.1.3, CC1.4.4, CC1.4.5, CC2.2.3, CC2.3.4, CC6.1 , CC6.1.2, CC6.1.3, CC6.1.8, CC6.3.1, CC5.2.3, CC6.1 , CC6.1.2, CC6.1.3, CC6.2, CC6.2.1, CC6.2.2, CC6.3, CC6.3.2, CC6.2 , CC6.2.3, CC6.4.3

To define the HR procedures required throughout the employment lifecycle.

Incident Management Procedure

CC2.2.3, CC2.3.4, CC2.2.6, CC2.3.11, CC7.3, CC7.3.1, CC7.3.2, CC7.3.3, CC7.3.4, CC7.3.5, CC7.4, CC7.4.1, CC7.4.2, CC7.4.3, CC7.4.4, CC7.4.5, CC7.4.6, CC7.4.7, CC7.4.13, CC4.2, CC4.2.2, CC7.5, CC7.5.1, CC9.1.1, P6.4.2, P6.5.1, P6.5.2, P6.6, P6.6.1, P6.6.2

To ensure a consistent and effective approach identifying and responding to the lifecycle of incidents, events and weaknesses.

This procedure aims to minimise the disruption or reduction in quality of IT service within your organisation’s infrastructure, and to prevent the recurrence of incidents related to those errors.

Internal Audit Programme Procedure

CC4.1, CC4.1.1, CC4.1.2, CC4.1.5, CC4.1.6, CC4.1.7, CC4.1.8, CC7.2.4, P8.1.4, CC6.4.3, P8.1.5, CC4.1.3

To establish a system for managing internal audits which aims to independently verify the implementation of controls (including the ISMS and other compliance requirements) through a controlled method for planning, scheduling, coordinating, and performing internal audits and related activities.

Malware Protection Procedure

CC6.6.4 CC6.8 CC6.8.4 CC6.8.5

To define the malware protection controls in place to prevent malware infections and reduce the impact of successful infections to your organisation’s computers, networks, and technology systems

Malware Response Procedure

CC6.6.4, CC6.8, CC6.8.4, CC6.8.5

To define the best and most cost-effective response to malicious software.

Management of Non-Conformities and Corrective and Preventative Action Procedure

CC4.2, CC4.2.2, CC7.4.7, CC7.5.2, CC7.5.3, CC2.2.3, CC2.3.4

To ensure that problems, non-conformities, and improvements are dealt in an efficient and effective manner, minimising the chances of any recurrence.

This procedure aims to ensure that processes, services and controls that do not conform to specified requirements are corrected.

Monitoring and Measurement Procedure

CC1.5.2, CC6.8.2, CC7.1, CC7.1.2, CC7.1.3, CC7.1.5, CC7.2, CC7.2.1, CC7.2.2, CC7.2.3, CC7.2.4, A1.2.2, A1.2.4, A1.2.6, CC1.1.1

To evaluate the performance and effectiveness of the information security programme defined within the ISMS or similar.

Operating Procedures

CC5.2, CC5.2.2, CC5.2.4, CC6.8.2, CC7.1, CC7.1.2, CC7.1.3, CC7.1.5, CC7.2, CC7.2.1, CC7.2.2, CC7.2.3, CC7.2.4, A1.2.2, A1.2.4, A1.2.6, A1.1, A1.1.1, A1.1.2, A1.1.3, A1.2, A1.2.7, A1.2.8, A1.2.9

To ensure the operations of information processing facilities are defined in a secure manner.

Risk Management Procedure


To define a systematic procedure for assessing and treating risks related to the organisation’s information assets and information processing facilities.

Information Security Risk Assessments need to be planned and conducted to determine the level of risk related to your organisation’s information assets and then to develop a treatment plan to reduce the likelihood of the risk materialising and harming the organisation’s information, assets and facilities.

Final thought

Not all of the SOC 2 policies and procedures outlined above will be focus points for your business, depending on the trust service principle you’re focusing on. Discover more about the standard in our SOC 2 Hub.

Looking to achieve SOC 2 certification for your business? The process is quick, easy and pain-free with Hicomply.