SOC 2 preparation process

A guided overview of the SOC 2 preparation process

Written by Cayla Marshall
Updated over a week ago

Whether you're preparing for your first SOC 2 or you simply need a refresher, the resources below will guide you through the preparation process to ensure you're 100% ready for your SOC 2 audit.

Step 1: SOC 2 Onboarding

Starting with the basics, the resources below will help build a foundational understanding of key compliance terms, the SOC 2 journey, and getting started with your Strike Graph account.


Step 2: Control Review

Once your team has created their Strike Graph credentials, it's time to build your control set. This step can be completed in your Control Library by either customizing Strike Graph's suggested controls to fit your organization, or adding custom controls based on existing practices and procedures. If you're using suggested controls, be sure to customize control language to match your company's specific processes.


Step 3: Risk Assessment

Your team is encouraged to complete a Risk Assessment at any point that is most productive for your organization. In fact, the Risk Assessment should be re-performed at least annually, or when significant changes occur. However, for those pursuing SOC 2 for the first time, this is a great point in the process to complete an initial assessment while continuing to revise your selections as your compliance program evolves.


Step 4A: Beginning Evidence Collection

After your Control Library is solidified to reflect your organization's practices and your initial Risk Assessment is complete, it's time to begin collecting evidence items.


Step 4B: Reviewing Key Evidence Items

While all evidence items are key to a strong compliance program, a few items in particular may require additional guidance.


Step 5: System Description

Now that your compliance program is nearing completion, it's time to draft your organization's System Description. The System Description document is your organization's narrative of the product or service in scope and the security practices in place to protect it. Many auditors will refer to it as "Section III," as it comprises the third part of your organization's eventual SOC 2 report. This document is what most customers or prospects will read when you give them your SOC 2 report, so keep in mind as you draft it that it will eventually be client-facing.


Step 6: Audit Readiness

Once an appropriate number of controls and evidence items are satisfied within your Strike Graph account, it's time to schedule your assessment services. Strike Graph advises scheduling any assessment services with advance notice of your desired start date and informing the assessment team of any potential deadlines or contractual agreements. These steps will ensure that the team has both the capacity and the capability to meet your desired timeline.


Step 7: In-Audit

Once all controls and evidence items have been satisfied, your team is ready to enter the audit. Once the audit begins, it's important to remain available to respond to any auditor requests or clarifying questions. After the audit team tests and verifies the materials you provided, they will compile their findings into a final report and your organization will be considered SOC 2 certified.


Step 8: Maintaining Compliance

Finally, once your audit is complete, you'll celebrate your successful SOC 2 certification and begin preparing for next year's audit. As SOC 2 compliance is ongoing, it's important to maintain the program you've built so that you stay compliant and future audits run smoothly.

