A Definitive Guide to SOC 2 Policies

If this is your first time pursuing SOC 2 certification, you will quickly find that documentation is the cornerstone of a successful audit. Writing clear, concise policies is especially critical, and if you don’t currently have a policy structure in place, it can be difficult to figure out which policies you need.

In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual policy and links to more information.

  • Access Onboarding and Termination Policy - this policy aims to minimize the risk of data exposure by enforcing the principle of least privilege.
  • Business Continuity Policy - a business continuity policy defines a plan employees need to follow to keep the business running after a disruptive event. Specifically, the policy details the infrastructure, backup strategy and recovery procedures you need to address potential threats.
  • Change Management Policy - this policy ensures that key system changes are properly logged, documented and communicated across your organization so you can more effectively debug issues and respond to incidents as they arise.
  • Confidentiality Policy - the confidentiality policy defines how you will handle confidential information, whether it pertains to your clients, partners or the company itself. Because your clients and partners will expect you to keep their data secure, a confidentiality policy demands the same of your employees.
  • Cyber Risk Management Policy - this policy helps you identify security incidents that could occur, drawing on incidents that have already happened, and then create a plan to prevent and remediate them.
  • Data Center Security Policy - the data center security policy details measures you will take to prevent unauthorized physical access to your company’s data centers and equipment.
  • Data Classification Policy - this policy ensures sensitive data is handled appropriately according to the risk it poses to the organization.
  • Disaster Recovery Policy - both this policy and the business continuity policy help prepare your company to endure, and recover from, a disaster. Specifically, the disaster recovery policy details the minimum necessary functions your business needs to survive.
  • Encryption Policy - this policy dictates the proper use of encryption in your organization.
  • Information Security Policy - the information security policy answers many of the big questions people may ask, such as, “Why are we becoming so structured and process-focused on everything related to security?”
  • IT Vendor Management Policy - this policy identifies which vendors put your business at risk and then defines controls to minimize those risks.
  • Log Management and Review Policy - the log management and review policy defines what logs you will collect, what details are captured in the logs, and what systems will be configured for logging.
  • Office Physical Security Policy - this policy defines the controls, monitoring and removal of physical access to your company’s facilities.
  • Password Policy - the password policy establishes the requirements for user account passwords, and how your organization will select and securely manage them.
  • Remote Access Policy - this policy will define who can work remotely, the type of connectivity used, and how that connectivity will be protected, logged and monitored.
  • Removable Media / Cloud Storage / BYOD Policy - this policy lays out expectations around the use of removable media, cloud storage and BYOD - including PIN/password requirements and how devices will be handled when employees leave the organization.
  • Software Development Lifecycle Policy - the SDLC policy ensures your software is built as securely as possible, is tested regularly, and that all development work complies with regulatory guidelines and business needs.
  • Workstation Security Policy - the workstation security policy defines rules that help reduce your organization’s risk of data loss through workstation use.

SOC 1, SOC 2, and SOC 3 reports should be seen as an annual investment into your company. Aside from the numerous security benefits, a SOC audit will improve your organization’s performance and productivity, and build trust with clients as well. All of these benefits will make your company stand out, especially over competitors who are not SOC certified.
