We recommend completing the following checklist in sequential order as you work towards your SOC 2 audit. The items listed below are applicable after you have successfully connected your systems in Drata:
Fill in your Company Information
Ensure all relevant policies for SOC 2 are drafted, reviewed and approved in your Policy Center
Invite your employees to Drata to complete their onboarding process:
Device Compliance
Background Check (SOC 2 Background Check FAQs)
Policy Acceptance (Policy Acceptance Grouping: Who needs to accept what policy?)
Security Awareness Training
Scope out your Trust Services Criteria (SOC 2 Trust Services Categories Overview)
Scope your TSC before you begin working on controls. As you mark TSCs in or out of scope, the controls mapped to those TSCs are moved in or out of scope accordingly.
Complete the Risk Assessment / Risk Management sections.
Risk Assessment
Streamlined Risk Assessment setup - a resource you can use to simplify the risk assessment setup process.
Risk Management - an add-on feature in Drata that lets you track risks within the platform.
Download the Risk Assessment Report, modify the applicable tables and sections so they accurately reflect your risk assessment process, upload it to the Evidence Library, and map it to the following controls:
Get Monitoring Tests to 100% (Please note: every Monitoring Test has a Learn More button that takes you to a Help Article with more information and remediation steps)
Upload evidence for Not Monitored controls, referencing our suggested Example Evidence for Not Monitored Controls (SOC 2)
SOC 2 Type 1 - we recommend uploading evidence before your actual audit date
SOC 2 Type 2 - we recommend verifying with your auditor when you can upload evidence. More than likely, your auditor will prefer you upload evidence during your observation period.
Note: Please ensure that evidence is also uploaded to controls that show as ready only because they are linked to an approved policy in Drata (Example Evidence for Not Monitored Controls Linked to Policies)
Include all Key Vendors in your Vendors module (How to Determine Key Vendors to include in Drata)
Perform a Vendor Compliance Report Review by following our guidance on Reviewing Your Vendors' SOC 2 Reports Using Drata
If your vendor does not have a SOC 2 Report, but provided their ISO 27001 Certificate, you can use our alternate ISO 27001 Certification Review Template
If your vendor does not have any Compliance Reports, you can send them a Vendor Security Questionnaire
Select your SOC 2 Auditor via Drata's Auditor Directory. You can interview a potential SOC 2 Auditor using our guidance on what questions to ask a potential SOC 2 auditor
Important Note: You can engage an auditor at any point, and we recommend doing so, as most control-specific questions are better answered by the auditor.
Optional: You can discuss a Readiness Assessment with your SOC 2 Auditor to provide extra assurance before the actual audit.
Select your Audit Date
Reach out to your Customer Success Manager to schedule a Pre-Audit Check-in
Set up Audit Hub and invite your Auditors
Complete your SOC 2 Audit
Reach out to your Customer Success Manager and let us know the great news!