Skip to main content

SOC 2 Checklist

A checklist for achieving SOC 2 within Drata

Updated this week

We recommend completing the following checklist in sequential order as you work towards your SOC 2 audit. The items listed below are applicable after you have successfully connected your systems in Drata:

  1. Policy Management

    Draft, review, and approve all required SOC 2 policies in the Policy Center.

    1. Policy Center Help Articles

    2. Your Quick Guide as an additional resource here: Essential Policy FAQs

  2. Employee Onboarding

    1. Invite all employees to Drata and ensure they complete the following:

      1. Device compliance

      2. Background check (see: SOC 2 Background Check FAQs)

      3. Policy acceptance (see: Policy Acceptance Grouping Guide)

      4. Security awareness training

  3. Define Your Trust Services Criteria (TSC)

    1. Define your applicable Trust Services Criteria.

    2. Reference the SOC 2 Trust Services Categories Overview for help.

  4. Complete Risk Assessment and Risk Management

    Complete the Risk Assessment section using these resources:

    1. Risk Assessment Overview - Drata’s Risk Assessment is a resource designed to streamline the entire process of evaluating and managing risk. It not only helps you learn more about risk assessment but also uses a one-time survey to automatically populate your Risk Register.

    2. 3-Part Video Series: Drata Risk Assessment - 3-part tutorial series will help you get started with Drata's Risk Assessment module.

    3. Risk Assessment Results and Treatment Plan - resource that you can use to guide you through Sections 4 and 5

    4. Risk Management - this is an add-on feature in Drata to allow you to track Risks within the platform, if you are interested, please reach out to your account manager.

  5. Download the Risk Assessment Report (and Risk Treatment document for Risk Management Module) fill in the relevant sections and upload to:

    1. DCF-16: Annual Risk Assessment

    2. DCF-17: Remediation Plan

      1. If you’ve documented your remediation plan separately, please upload a copy as evidence in DCF-17

  6. Monitoring Tests

    1. Work toward 100% completion of Monitoring Tests.

      Helpful Tip: Use the “Learn More” button on each test for help articles and remediation guidance.

  7. Evidence for Not Monitored Controls

    1. Upload supporting evidence for controls that are not automatically monitored.

      1. Reference the Example Evidence for Not Monitored Controls for SOC 2 guide.

    [Important Note: Some controls may appear as “ready” because they’re linked to an approved policy, but they still require additional evidence to be fully complete. Use the link below to help guide you through the next steps.]

    Common DCFs that will appear ready but will need additional evidence
    (Example Evidence for Not Monitored Controls Linked to Policies):

    1. Risk Assessments (DCF-16 and DCF-17): The required risk assessment reports have been successfully downloaded and attached.

    2. Vulnerability Scan Results (DCF-18): A copy of the most recent vulnerability scan results needs to be uploaded.

    3. Penetration Test (DCF-19): The results of the annual penetration test are required to be uploaded.

    4. Architecture Diagram (DCF-21): Please provide a copy of the system architecture diagram.

    5. Network Diagram (DCF-22): A copy of the network diagram should be attached.

    6. Business Continuity/Disaster Recovery (BC/DR) Test (DCF-26): Please attach the organization's Business Continuity and Disaster Recovery plan.

    7. Tabletop Exercise/Incident Response (DCF-154): Documentation from the most recent tabletop or incident response exercise should be attached.

    For SOC 2 Type 1: Ensure all control evidence is uploaded and complete before your audit date, as the audit assesses your environment at a single point in time.

    For SOC 2 Type 2: Evidence should show that your controls were working during the observation period. You can usually upload it during or after that time, but check with your auditor to confirm what they expect.

  8. Vendor Management

    1. Add all Key Vendors to your Vendors module (see: How to Determine Key Vendors in Drata).

    2. Review vendor compliance documentation:

      1. If a vendor has a SOC 2 report, follow the Reviewing Your Vendors' SOC 2 Reports guide.

      2. If a vendor provides an ISO 27001 certificate instead, use the ISO 27001 Review Template.

      3. If no reports are available, send the Vendor Security Questionnaire.

  9. Auditor Selection

    1. Select your SOC 2 Auditor from Drata’s Auditor Directory.

    2. Use our guide on Questions to Ask a Potential SOC 2 Auditor during interviews.

    3. If you would like for our Audit Alliance team to help match you with an auditor, please fill out this form: Auditor Match.

    [Important Note: You can engage at any point with an auditor and is a step we recommend as most scoping and control-specific questions can be answered by the auditor.]

    Optional: Ask your auditor about a Readiness Assessment. This optional, separate service reviews your controls and identifies gaps before the formal audit. It’s typically billed separately and helps ensure you’re fully prepared. Check with your auditor for details and pricing.

  10. Audit Logistics

    1. Select your official audit date.

    2. Reach out to your Customer Success Manager to schedule a Pre-Audit Check-in.

    3. Set up your Audit Hub and invite your auditor.

    4. Complete your SOC 2 audit.

    5. Update your Customer Success Manager.

Support Availability

Drata’s Technical Support Team is available via Live Chat 24/5, and Compliance Advisors are available from 6 AM to 6 PM PT, Monday–Friday. If you have questions at any step, don’t hesitate to reach out.

Did this answer your question?