If this is your first time pursuing SOC 2 certification, you will quickly find that documentation is the cornerstone of a successful audit. Writing clear, concise policies is especially critical, and if you don’t currently have a policy structure in place, it can be difficult to figure out which policies you need.
In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual policy and links to more information.
- Access Onboarding and Termination Policy - this policy aims to minimize the risk of data exposure by enforcing the principle of least privilege.
- Business Continuity Policy - a business continuity policy defines a plan employees need to follow to keep the business running after a disruptive event. Specifically, the policy details the infrastructure, backup strategy and recovery procedures you need to address potential threats.
- Confidentiality Policy - the confidentiality policy defines how you will handle confidential information - whether it be pertaining to your clients, partners or the company itself. Because your clients and partners will expect you to keep their data secure, a confidentiality policy will demand the same of your employees as well.
- Cyber Risk Management Policy - this policy helps you identify security incidents that could occur based on incidents that have already happened, and then create a plan to prevent and remediate those incidents.
- Data Center Security Policy - the data center security policy details measures you will take to prevent unauthorized physical access to your company’s data centers and equipment.
- Data Classification Policy - this policy ensures sensitive data is handled appropriately according to the risk it poses to the organization.
- Disaster Recovery Policy - both this policy and the business continuity policy help prepare your company to endure - and recover from - a disaster. Specifically, the disaster recovery policy details the minimum necessary functions your business needs to survive.
- Encryption Policy - this policy dictates the proper use of encryption in your organization.
- Information Security Policy - the information security policy answers many of the big questions people may ask, such as, “Why are we becoming so structured and process-focused on everything related to security?”
- IT Vendor Management Policy - this policy identifies which vendors put your business at risk and then defines controls to minimize those risks.
- Log Management and Review Policy - the log management and review policy defines what logs you will collect, what details are captured in the logs, and what systems will be configured for logging.
- Office Physical Security Policy - this policy defines the controls, monitoring and removal of physical access to your company’s facilities.
- Password Policy - the password policy establishes the requirements of user account passwords, and also the way your organization will select and securely manage them.
- Remote Access Policy - this policy will define who can work remotely, the type of connectivity used, and how that connectivity will be protected, logged and monitored.
- Removable Media / Cloud Storage / BYOD Policy - this policy lays out expectations around the use of removable media, cloud storage and BYOD - including PIN/password requirements and how devices will be handled when employees leave the organization.
- Software Development Lifecycle Policy - the SDLC policy ensures your software is built as securely as possible, is tested regularly, and that all development work complies with regulatory guidelines and business needs.
- System Changes Policy - this policy ensures that key system changes are properly logged, documented and communicated across your organization so you can more effectively debug issues and respond to incidents as they arise.
- Workstation Security Policy - the workstation security policy defines rules that help reduce your organization’s risk of data loss through workstation use.
SOC 1, SOC 2, and SOC 3 reports should be seen as an annual investment into your company. Aside from the numerous security benefits, a SOC audit will improve your organization’s performance and productivity, and build trust with clients as well. All of these benefits will make your company stand out - especially over competitors who are not SOC certified.