A Definitive Guide to SOC 2 Policies

If this is your first time pursuing SOC 2 certification, you will quickly find that documentation is the cornerstone of a successful audit.  Writing clear, concise policies is especially critical, and if you don’t currently have a policy structure in place, it can be difficult to figure out which policies you need.  

In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual policy and links to more information.

• Access Onboarding and Termination Policy - this policy aims to minimize the risk of data exposure by enforcing the principle of least privilege.
• Business Continuity Policy - a business continuity policy defines a plan employees need to follow to keep the business running after a disruptive event.  Specifically, the policy details the infrastructure, backup strategy and recovery procedures you need to address potential threats.
• Change Management Policy - this policy ensures that key system changes are properly logged, documented and communicated across your organization so you can more effectively debug issues and respond to incidents as they arise.
• Confidentiality Policy - the confidentiality policy defines how you will handle confidential information - whether it be pertaining to your clients, partners or the company itself.  Because your clients and partners will expect you to keep their data secure, a confidentiality policy will demand the same of your employees as well.
• Cyber Risk Management Policy - this policy helps you identify security incidents that could occur based on incidents that have already happened, and then create a plan to prevent and remediate those incidents.  
• Data Center Security Policy - the data center security policy details measures you will take to prevent unauthorized physical access to your company’s data centers and equipment.
• Data Classification Policy - this policy ensures sensitive data is handled appropriately according to the risk it poses to the organization.  
• Disaster Recovery Policy - both this policy and the business continuity policy help prepare your company to endure - and recover from - a disaster.  Specifically, the disaster recovery policy details the minimum necessary functions your business needs to survive.
• Encryption Policy - this policy dictates the proper use of encryption in your organization.
• Information Security Policy - the information security policy answers many of the big questions people may ask, such as, “Why are we becoming so structured and process-focused on everything related to security?”
• IT Vendor Management Policy - this policy identifies which vendors put your business at risk and then defines controls to minimize those risks.
• Log Management and Review Policy - the log management and review policy defines what logs you will collect, what details are captured in the logs, and what systems will be configured for logging.
• Office Physical Security Policy - this policy defines the controls, monitoring and removal of physical access to your company’s facilities.
• Password Policy - the password policy establishes the requirements of user account passwords, and also the way your organization will select and securely manage them.
• Remote Access Policy - this policy will define who can work remotely, the type of connectivity used, and how that connectivity will be protected, logged and monitored.
• Removable Media / Cloud Storage / BYOD Policy - this policy lays out expectations around the use of removable media, cloud storage and BYOD - including PIN/password requirements and how devices will be handled when employees leave the organization.
• Software Development Lifecycle Policy - the SDLC policy ensures your software is built as securely as possible, is tested regularly, and that all development work complies with regulatory guidelines and business needs.
• Workstation Security Policy - the workstation security policy defines rules that help reduce your organization’s risk of data loss through workstation use.

🎉 Have you heard? StrongDM offers a free and completely self-paced online SOC 2 Course.

SOC 1, SOC 2, and SOC 3 reports should be seen as an annual investment into your company.  Aside from the numerous security benefits, a SOC audit will improve your organization’s performance and productivity and build trust with clients as well. All of these benefits will make your company stand out - especially over competitors who are not SOC certified.

To learn more about how StrongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.