What type of background checks are required for SOC2
At a minimum, a criminal background check should be performed for all new hires as a condition of employment. What needs to be checked by the criminal background check is up to each individual organization to determine. SOC2 requirements do not specify the type of checks that need to be performed.
Do I need to perform background checks on existing employees to meet SOC2 requirements?
As a best practice, we recommend that all employees and contractors complete a background check.
However, since the control for background checks is only specific to new hires and new contractors, your SOC2 auditor will most likely only check to make sure that new hires and new contractors have a background check completed.
Do I need to perform background checks on contractors?
If you are hiring contractors as 1099 employees, we recommend performing background checks. If you do not want to perform background checks on contractors, we recommend talking with your SOC 2 auditor to determine if contractors are in scope for the background check control.
If you are hiring contractors from a third party organization, we recommend ensuring that the third party organization is performing background checks for the contractors working with your organization.
What do I do if country-specific laws prohibit me from performing background checks?
In this situation, SOC 2 would still require that you evaluate and consider the new hires’ background and technical competency prior to hiring them. You can manually upload evidence of how you evaluated the new hires’ background and technical competency for each employee that falls into this category.