Skip to main content

SOC 2 Checklist

A checklist for achieve SOC 2 within Drata

Updated over 2 weeks ago

We recommend completing the following checklist in sequential order as you work towards your SOC 2 audit. The items listed below are applicable after you have successfully connected your systems in Drata:

  1. Fill in your Company Information

  2. Ensure all relevant policies for SOC 2 are drafted, reviewed and approved in your Policy Center

  3. Invite your employees to Drata to complete their onboarding process:

    1. Device Compliance

    2. Background Check (SOC 2 Background Check FAQs)

    3. Policy Acknowledgment (Policy Acknowledge Grouping)

    4. Security Awareness Training

  4. Scope out your Trust Services Criteria (SOC 2 Trust Services Categories Overview)

    1. You should scope your TSC before beginning working on controls. As you mark TSCs in and out of scope, the controls mapped to those TSCs will be moved in and out of scope accordingly.

  5. Complete Risk Assessment / Risk Management sections.

    1. Risk Assessment

      1. Streamlined Risk Assessment set up - resource that you can use to simplify the risk assessment setup process.

      2. Risk Assessment Overview

    2. Risk Management - this is an add-on feature in Drata to allow you to track Risks within the platform

  6. Download the Risk Assessment Report and ensure to modify the applicable tables and sections to accurately reflect your risk assessment process, and upload to Evidence Library and map to the following controls:

    1. DCF-16: Annual Risk Assessment

    2. DCF-17: Remediation Plan

  7. Get Monitoring Tests to 100% (Please note: All Monitoring Tests have a Learn More button that will take you to a Help Article which will give you more information and provide remediation steps)

  8. Upload Evidence for Not Monitored Controls referencing our suggested Example Evidence for Not Monitored Controls (SOC 2)

    1. SOC 2 Type 1 - we recommend to upload evidence before your actual audit date

    2. SOC 2 Type 2 - we recommend verifying with your auditor when you can upload evidence. More than likely, your auditor will prefer you upload evidence during your observation period.

    3. Note: Please ensure that evidence are uploaded to controls that may show as ready while only linked to an approved policy in Drata (Example Evidence for Not Monitored Controls Linked to Policies)

    4. Ensure you have reviewed controls that may require additional evidence (Are Your Controls Ready? Understanding the Link Between Policies, Evidence, and Controls)

  9. Include all Key Vendors in your Vendors module (How to Determine Key Vendors to include in Drata)

    1. Perform Vendor Compliance Report Review by following our guidance on Reviewing Your Vendors' SOC 2 Reports Using Drata

    2. If your vendor does not have a SOC 2 Report, but provided their ISO 27001 Certificate, you can use our alternate ISO 27001 Certification Review Template

    3. If your vendor does not have any Compliance Reports, you can send them a Vendor Security Questionnaire

  10. Select your SOC 2 Auditor via Drata’s Auditor Directory. You can interview your potential SOC 2 Auditor using our guidance on what Questions to ask a potential SOC 2 auditor

    1. Important Note: You can engage at any point with an auditor and is a step we recommend as most control-specific questions are better answered by the auditor Optional: You can discuss a Readiness Assessment with your SOC 2 Auditor to provide extra assurance before the actual audit.

  11. Select your Audit Date

  12. Reach out to your Customer Success Manager to schedule a Pre-Audit Check-in

  13. Set up Audit Hub and invite your Auditors

  14. Complete your SOC 2 Audit

  15. Reach out to your Customer Success Manager and let us know the great news!

Did this answer your question?