A black and white drawing of a rock formation.

Achieving SOC 2 compliance is a multi-step process: First you’ll determine the scope of your report, then implement the required controls, and eventually hire an auditor. But before your auditor can begin investigating your controls, you’ll need to provide them with the necessary SOC 2 documentation and evidence they need to conduct their audit. 

For a quick and efficient audit, you’ll want to prepare your SOC 2 documents ahead of time. These documents provide your auditor with details about the scope of your report, how your controls are set up, and what security practices you have in place. 

But what documents do you need to prepare for your SOC 2 audit? In this article, we’ll give you an overview of the SOC 2 compliance documents you’ll need, when to include them, and methods to help you streamline evidence collection.

What documents do you need for a SOC 2 audit?

During your SOC 2 audit, your auditor will assess your information security against five categories, called the Trust Service Criteria (TSC). The security category within the TSC is mandatory for all SOC 2 reports, while the other four — availability, confidentiality, processing integrity, and privacy — only need to be included if they apply to the products and services your organization provides. 

 

Because the criteria and controls vary for each SOC 2 report, the documents needed for each SOC 2 audit will vary as well. It will also depend on whether you’re getting a SOC 2 Type 1 or a SOC 2 Type 2, as there is additional documentation needed for a SOC 2 Type 2 audit.

Below we’ve listed out the most common documents needed for a SOC 2 audit that you’ll customize based on the scope and specifications of your SOC 2 report and the controls you have in place:

Required documents for SOC 2 compliance

There are three documents you’ll need for your SOC 2 audit: a management assertion, a system description, and a controls matrix. 

Management assertion

This document introduces your auditor to your systems. A management assertion is a statement from your organization about how your system is designed, how it operates, and how you manage it. It will give your auditor an idea of how you’ve set up your information security controls and attest that you’ve met the necessary criteria for SOC 2 compliance to the best of your knowledge. 

System description

The next document you’ll need to prepare is a system description. A system description details the components of your infrastructure that handle, manage, or process customer data — essentially anything within the scope of your SOC 2 audit. This doesn’t need to include everything about your technology or business infrastructure, just what’s relevant to your SOC 2.

There are 10 components to include in your system description:

  • Company overview: A description of the services you provide and the types of customers you work with. 
  • System overview: An explanation of how your infrastructure helps service your customers.
  • Principle service commitments and system requirements: A description of the service commitments you’ve made to clients — like uptime guarantees for example — and the system requirements needed to meet them. 
  • System components: A list of all your system components including your infrastructure, software tools, processes, data, and personnel.
  • Incident disclosure: Reports of any breaches or incidents that have impacted the commitments you’ve made to your customers. 
  • Criteria disclosure: A list of the Trust Services Criteria relevant to your audit.
  • Relevant aspects of the control environment: A list and explanation of the controls you’ve implemented to meet the necessary criteria.
  • Complementary user entity and subservice organization controls: A description of any controls that your clients or vendors are responsible for. 
  • Criteria exceptions: An explanation for why the Trust Services Criteria that weren’t included in your controls aren’t applicable to your current audit.
  • (For SOC 2 Type 2 audits) Changes to the system during the period: A notation of any changes you’ve made to your system during the audit window.

Controls matrix

Your SOC 2 controls matrix is a document that lists out all the controls applicable to the audit. This is usually created in a spreadsheet given the level of detail you’ll need to provide about your SOC 2 controls.

List each control and include the following information alongside it:

  • Criteria reference: The Trust Services Criteria that maps to the control.
  • Control number: The reference number for the control within the Trust Services Criteria.
  • Control activity: A description of what the control does.
  • Control owner: The person within your organization who is responsible for implementing and maintaining the control.
  • Risk level: The likelihood that a control might fail and the impact it will have if it does, stated as low, moderate, or high.

Additional SOC 2 compliance documentation

In addition to the core documents listed above, your auditor may request other documents during your SOC 2 audit that you’ll either need to share with your auditor or develop if they don’t already exist. This will vary based on the criteria and controls relevant to your organization and the type of SOC 2 report you need. 

Some of these additional documents include: 

  • Corporate governance manual
  • Organization code of conduct
  • Network Diagram
  • Employee handbook
  • Risk management plan
  • Map of your office
  • Organizational chart
  • Compliance program budget
  • Incident response plans/business continuity plans
  • Vendor agreements
  • Employee onboarding documentation
  • Employee termination process
  • Logs of employee security trainings
  • Inventory of all network devices
  • Maintenance records for all IT equipment
  • Data privacy and security policies, including data retention and data destruction policies, encryption policy, log management policy, access policy, password requirements policy, user unsubscribe and opt-out policies, and confidentiality policy and agreements
  • Controlled access logs
  • Logs of system updates and backups
  • Notice of privacy practices
  • Data use agreement
  • Risk assessments
  • Previous compliance reports, if applicable
  • Self-assessment questionnaires, if applicable
  • Penetration testing questionnaires, if applicable

Centralize your SOC 2 documentation

Having your documentation ready ahead of your audit can help you get your SOC 2 report faster. If your documentation is accurate, easy to find, and organized, your auditor will have exactly what they need to start your audit right away. Instead of collecting your documents and evidence manually, you can simplify this process with compliance automation

Vanta’s trust management platform can help you scope your SOC 2 and identify which criteria to include in your report, guide you in implementing the proper controls, help you find an auditor, and support you in creating, collecting, and centralizing your security documents. Our platform will collect all the documents available within your system and give you a comprehensive compliance documentation checklist for any additional documents you need. These additional docs can be uploaded to Vanta, creating an organized, secure portal for all your SOC 2 documents. 

Request a demo to learn how you can streamline your SOC 2 audit.

Preparing for a SOC 2 audit

How to prepare your SOC 2 compliance documentation

A black and white drawing of a rock formation.

Achieving SOC 2 compliance is a multi-step process: First you’ll determine the scope of your report, then implement the required controls, and eventually hire an auditor. But before your auditor can begin investigating your controls, you’ll need to provide them with the necessary SOC 2 documentation and evidence they need to conduct their audit. 

For a quick and efficient audit, you’ll want to prepare your SOC 2 documents ahead of time. These documents provide your auditor with details about the scope of your report, how your controls are set up, and what security practices you have in place. 

But what documents do you need to prepare for your SOC 2 audit? In this article, we’ll give you an overview of the SOC 2 compliance documents you’ll need, when to include them, and methods to help you streamline evidence collection.

What documents do you need for a SOC 2 audit?

During your SOC 2 audit, your auditor will assess your information security against five categories, called the Trust Service Criteria (TSC). The security category within the TSC is mandatory for all SOC 2 reports, while the other four — availability, confidentiality, processing integrity, and privacy — only need to be included if they apply to the products and services your organization provides. 

 

Because the criteria and controls vary for each SOC 2 report, the documents needed for each SOC 2 audit will vary as well. It will also depend on whether you’re getting a SOC 2 Type 1 or a SOC 2 Type 2, as there is additional documentation needed for a SOC 2 Type 2 audit.

Below we’ve listed out the most common documents needed for a SOC 2 audit that you’ll customize based on the scope and specifications of your SOC 2 report and the controls you have in place:

Required documents for SOC 2 compliance

There are three documents you’ll need for your SOC 2 audit: a management assertion, a system description, and a controls matrix. 

Management assertion

This document introduces your auditor to your systems. A management assertion is a statement from your organization about how your system is designed, how it operates, and how you manage it. It will give your auditor an idea of how you’ve set up your information security controls and attest that you’ve met the necessary criteria for SOC 2 compliance to the best of your knowledge. 

System description

The next document you’ll need to prepare is a system description. A system description details the components of your infrastructure that handle, manage, or process customer data — essentially anything within the scope of your SOC 2 audit. This doesn’t need to include everything about your technology or business infrastructure, just what’s relevant to your SOC 2.

There are 10 components to include in your system description:

  • Company overview: A description of the services you provide and the types of customers you work with. 
  • System overview: An explanation of how your infrastructure helps service your customers.
  • Principle service commitments and system requirements: A description of the service commitments you’ve made to clients — like uptime guarantees for example — and the system requirements needed to meet them. 
  • System components: A list of all your system components including your infrastructure, software tools, processes, data, and personnel.
  • Incident disclosure: Reports of any breaches or incidents that have impacted the commitments you’ve made to your customers. 
  • Criteria disclosure: A list of the Trust Services Criteria relevant to your audit.
  • Relevant aspects of the control environment: A list and explanation of the controls you’ve implemented to meet the necessary criteria.
  • Complementary user entity and subservice organization controls: A description of any controls that your clients or vendors are responsible for. 
  • Criteria exceptions: An explanation for why the Trust Services Criteria that weren’t included in your controls aren’t applicable to your current audit.
  • (For SOC 2 Type 2 audits) Changes to the system during the period: A notation of any changes you’ve made to your system during the audit window.

Controls matrix

Your SOC 2 controls matrix is a document that lists out all the controls applicable to the audit. This is usually created in a spreadsheet given the level of detail you’ll need to provide about your SOC 2 controls.

List each control and include the following information alongside it:

  • Criteria reference: The Trust Services Criteria that maps to the control.
  • Control number: The reference number for the control within the Trust Services Criteria.
  • Control activity: A description of what the control does.
  • Control owner: The person within your organization who is responsible for implementing and maintaining the control.
  • Risk level: The likelihood that a control might fail and the impact it will have if it does, stated as low, moderate, or high.

Additional SOC 2 compliance documentation

In addition to the core documents listed above, your auditor may request other documents during your SOC 2 audit that you’ll either need to share with your auditor or develop if they don’t already exist. This will vary based on the criteria and controls relevant to your organization and the type of SOC 2 report you need. 

Some of these additional documents include: 

  • Corporate governance manual
  • Organization code of conduct
  • Network Diagram
  • Employee handbook
  • Risk management plan
  • Map of your office
  • Organizational chart
  • Compliance program budget
  • Incident response plans/business continuity plans
  • Vendor agreements
  • Employee onboarding documentation
  • Employee termination process
  • Logs of employee security trainings
  • Inventory of all network devices
  • Maintenance records for all IT equipment
  • Data privacy and security policies, including data retention and data destruction policies, encryption policy, log management policy, access policy, password requirements policy, user unsubscribe and opt-out policies, and confidentiality policy and agreements
  • Controlled access logs
  • Logs of system updates and backups
  • Notice of privacy practices
  • Data use agreement
  • Risk assessments
  • Previous compliance reports, if applicable
  • Self-assessment questionnaires, if applicable
  • Penetration testing questionnaires, if applicable

Centralize your SOC 2 documentation

Having your documentation ready ahead of your audit can help you get your SOC 2 report faster. If your documentation is accurate, easy to find, and organized, your auditor will have exactly what they need to start your audit right away. Instead of collecting your documents and evidence manually, you can simplify this process with compliance automation

Vanta’s trust management platform can help you scope your SOC 2 and identify which criteria to include in your report, guide you in implementing the proper controls, help you find an auditor, and support you in creating, collecting, and centralizing your security documents. Our platform will collect all the documents available within your system and give you a comprehensive compliance documentation checklist for any additional documents you need. These additional docs can be uploaded to Vanta, creating an organized, secure portal for all your SOC 2 documents. 

Request a demo to learn how you can streamline your SOC 2 audit.

Explore more SOC 2 articles

Get started with SOC 2

Start your SOC 2 journey with these related resources.

SOC 2

The SOC 2 Compliance Checklist

Achieving SOC 2 compliance proves to your customers that you prioritize protecting their data. In fact, this proof of compliance helps your company to raise capital, sell to larger customers, and rise above the competition.

The SOC 2 Compliance Checklist
The SOC 2 Compliance Checklist
Compliance

Vanta in Action: Compliance Automation

Demonstrating security compliance with a framework like SOC 2, ISO 27001, HIPAA, etc. is not only essential for scaling your business and raising capital, it also builds an important foundation of trust.

Vanta in Action: Compliance Automation
Vanta in Action: Compliance Automation
Compliance

Coffee & Compliance: Streamlining SOC 2 compliance with Vanta and AWS

SOC 2 is a sought-after security framework for growing SaaS companies. It demonstrates your ability to safeguard the privacy and security of your customer data. But achieving it can be time-consuming and expensive.

Coffee & Compliance: Streamlining SOC 2 compliance with Vanta and AWS
Coffee & Compliance: Streamlining SOC 2 compliance with Vanta and AWS

Get compliant and
build trust, fast.

Two wind turbines on a white background.