Proper documentation, including clear, concise policies, is essential for a successful SOC 2 audit.

But if you don’t already have a policy library in place, it can be challenging to know where to start.

You might be wondering:

Which policies does a SOC 2 audit expect me to have, and what do they need to cover?

Your policies outline what you do to protect customer data — things like training employees and managing vendors. Your procedures explain how you do it — the exact steps you take and how you respond to certain trigger events.

SOC 2 Policies

All SOC 2 examinations involve an auditor review of your organization’s policies.

Policies must be documented, formally approved and periodically reviewed, and acknowledged by the employees they apply to. Your auditor will ask for evidence of each of these: the approved document itself, its review history, and employee acknowledgements.

Each policy supports an element of your overall security and approach to handling customer data.

The Trust Services Criteria do not prescribe a fixed list of policy documents; they describe outcomes, and it is up to you to show which policies meet them. In practice, these are the policies auditors most commonly expect to see:

  • Acceptable Use Policy: Defines the ways in which the network, website or system may be used. Can also define which devices and types of removable media can be used, password requirements, and how devices will be issued and returned.
  • Access Control Policy: Defines who will have access to company systems and how often those access permissions will be reviewed.
  • Business Continuity Plan: Defines how employees will respond to a disruption to keep the business running smoothly.
  • Change Management Policy: Defines how system changes will be requested, approved, tested, documented, and communicated across your organization.
  • Confidentiality Policy: Defines how your organization will handle confidential information about clients, partners, or the company itself.
  • Code of Conduct Policy: Defines the standards of behavior that employees and the company itself must adhere to, including how people are expected to interact with one another at work.
  • Data Classification Policy: Defines how you will classify data according to its sensitivity and the impact of unauthorized disclosure, and what handling requirements apply to each class.
  • Disaster Recovery Policy: Defines how your company will recover systems and data after a disruptive event, including the minimum functions needed to continue operating and the recovery objectives (recovery time and recovery point) for each.
  • Encryption Policy: Defines which data your organization will encrypt, at rest and in transit, which algorithms and protocols are approved, and how encryption keys are generated, stored, and rotated.
  • Incident Response Plan: Defines roles, responsibilities, and escalation paths for responding to a security incident, including containment, investigation, and any notification obligations.
  • Information Security Policy: Defines your approach to information security and why you’re putting processes and policies in place.
  • Information, Software, and System Backup Policy: Defines what data is backed up, how often, where backups are stored, and how restores are tested to confirm data can actually be recovered.
  • Logging and Monitoring Policy: Defines which logs you’ll collect and monitor. Also covers what’s captured in those logs, and which systems will be configured for logging.
  • Physical Security Policy: Defines how you will monitor and secure physical access to your company’s location. What will you do to prevent unauthorized physical access to data centers and equipment?
  • Password Policy: Defines requirements for password strength, the use of password managers, rotation and reuse rules, and account lockout after failed attempts.
  • Remote Access Policy: Defines who is authorized to work remotely. Also defines what type of connectivity they will use and how that connection will be protected and monitored.
  • Risk Assessment and Risk Mitigation Plan: Identifies the threats and vulnerabilities that could affect your organization, rates their likelihood and impact, and documents how each risk will be treated (mitigated, transferred, or accepted) and by whom.
  • Software Development Lifecycle Policy: Defines how you will ensure your software is built securely, tested regularly, and complies with regulatory requirements.
  • Vendor Management Policy: Defines how third-party vendors are assessed for the risk they introduce, as well as the controls and ongoing reviews put in place to minimize those risks.
  • Workstation Security Policy: Defines how you will secure your employees’ workstations to reduce the risk of data loss and unauthorized access.

SOC 2 Policy Templates

Drafting the policies required for SOC 2 compliance can feel like a daunting task, but having the right tools can make all the difference. To help you get started, we’ve compiled a collection of free SOC 2 policy templates designed to meet key requirements and streamline your compliance efforts.

SOC 2 Information Security Policy

The SOC 2 Information Security Policy is a cornerstone document for SOC 2 compliance. It provides a high-level overview of how an organization approaches information security and ties the other policies together. Download our SOC 2 Information Security Policy template to get started.

Business Continuity Plan Template

A business continuity plan helps an organization resume operations and services as quickly as possible during a crisis. Use this template to begin identifying the risks, critical elements, mitigation actions, and preparedness strategies that make up the basic components of your business continuity plan.

Change Management Policy Template

Writing and adopting a formal change management policy is crucial in helping every employee understand their role and responsibilities for protecting company and customer data whenever systems change. Drafting one can be a challenge if you don't know where to start. Instead of starting from scratch, you can use this change management policy template and customize it to your needs.

Data Classification Policy Template

Use this auditor-approved data classification policy template to better understand, manage, and protect your data.

Incident Response Plan Template

An incident response plan is a document containing a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of a security incident. Use this template to simplify the process of creating an incident response plan for your organization.

Risk Mitigation Plan Template

A risk mitigation plan refers to the documented organizational strategy for mitigating risk. Use this template to help set an organizational risk mitigation strategy and align employees and other stakeholders to it, or use it to mitigate risks for specific projects as an individual or group.

Vendor Management Policy

A vendor management policy (VMP) is a way for companies to identify and prioritize vendors that pose a risk to their business. Download this customizable vendor management policy template that's easy to tailor to your organization.

How Do You Prove You’re Following Your Policies?

During a SOC 2 Type II audit, you'll need to prove to your auditor that you're following the policies and processes you've put into place. A Type I report only evaluates whether your controls are suitably designed at a point in time; a Type II report evaluates whether they operated effectively throughout the audit period, typically 3 to 12 months.

This means presenting your auditor with the evidence you've collected throughout that period: access review records, change tickets, training completions, backup and restore logs, and similar artifacts that map back to each policy.

Collecting and organizing this evidence can be a tedious and time-consuming task. It often involves taking screenshots, organizing them into Dropbox or Google Drive folders, and then manually creating and updating spreadsheets to catalog the evidence.

Secureframe automates the evidence collection process, saving your team hundreds of hours (and likely just as many headaches). Our platform offers 300+ deep integrations to connect with your cloud infrastructure and HRIS. We'll automatically collect evidence and continuously monitor your tech stack so you stay compliant throughout the audit period.