Proper documentation is essential for a successful SOC 2 audit. And that includes clear, concise policies. 

But if you don’t already have a policy library in place, it can be challenging to know where to start.

You might be wondering:

What are the general policies in an audit I need to comply with?

Your policies outline what you do to protect customer data — things like training employees and managing vendors. Your procedures explain how you do it — the exact steps you take and how you respond to certain trigger events.

SOC 2 Policies

All SOC 2 examinations involve an auditor review of your organization’s policies.

Policies must be documented, formally reviewed, and accepted by employees.

Each policy supports an element of your overall security and approach to handling customer data.

In general, these are the SOC 2 policy requirements your auditor will be looking for:

  • Acceptable Use Policy: Defines the ways in which the network, website or system may be used. Can also define which devices and types of removable media can be used, password requirements, and how devices will be issued and returned.
  • Access Control Policy: Defines who will have access to company systems and how often those access permissions will be reviewed.
  • Business Continuity Policy: Defines how employees will respond to a disruption to keep the business running smoothly.
  • Change Management Policy: Defines how system changes will be documented and communicated across your organization.
  • Confidentiality Policy: Defines how your organization will handle confidential information about clients, partners, or the company itself.
  • Code of Conduct Policy: Defines the policies both employees and employers must adhere to. This includes how people should interact with one another at work.
  • Data Classification Policy: Defines how you will classify sensitive data according to the level of risk it poses to your organization.
  • Disaster Recovery Policy: Defines how your company will recover from a disastrous event. It also includes the minimum necessary functions your organization needs to continue operations.
  • Encryption Policy: Defines the type of data your organization will encrypt and how it’s encrypted.
  • Incident Response Policy: Defines roles and responsibilities in response to a data breach and during the ensuing investigation.
  • Information Security Policy: Defines your approach to information security and why you’re putting processes and policies in place.
  • Information, Software, and System Backup Policy: Defines how information from business applications will be stored to ensure data recoverability.
  • Logging and Monitoring Policy: Defines which logs you’ll collect and monitor. Also covers what’s captured in those logs, and which systems will be configured for logging.
  • Physical Security Policy: Defines how you will monitor and secure physical access to your company’s location. What will you do to prevent unauthorized physical access to data centers and equipment?
  • Password Policy: Defines the requirements for using strong passwords, password managers, and password expirations.
  • Remote Access Policy: Defines who is authorized to work remotely. Also defines what type of connectivity they will use and how that connection will be protected and monitored.
  • Risk Assessment and Mitigation Policy: Defines security threats that could occur and the action plan to prevent those incidents.
  • Software Development Lifecycle Policy: Defines how you will ensure your software is built securely, tested regularly, and complies with regulatory requirements.
  • Vendor Management Policy: Defines vendors that may introduce risk, as well as controls put in place to minimize those risks.
  • Workstation Security Policy: Defines how you will secure your employees’ workstations to reduce the risk of data loss and unauthorized access.

How Do You Prove You’re Following Your Policies?

During your SOC 2 Type II audit, you’ll need to prove to your auditor that you’re following the policies and processes you’ve put into place.

This means presenting your auditor with the evidence you’ve collected throughout your audit period.

Collecting and organizing this evidence can be a majorly tedious and time-consuming task. It often involves taking and organizing screenshots into Dropbox or Google Drive folders. Then manually creating and updating spreadsheets to catalog evidence.

Secureframe automates the evidence collection process, saving your team hundreds of hours (and likely just as many headaches). Our platform offers 100+ deep integrations to connect with your cloud infrastructure and HRIS. We'll automatically collect evidence and continuously monitor your tech stack for continuous compliance.