SOC 2 Readiness Assessment
# | Policy Questions | Yes | No | Partially In-Place | Flag for Discussion |
---|---|---|---|---|---|
1 | We have up-to-date security policies and procedures that align to industry standard best practices. | ☐ | ☐ | ☐ | ☐ |
2 | We have up-to-date business continuity and disaster recovery plan. | ☐ | ☐ | ☐ | ☐ |
3 | We have up-to-date change management and SDLC policy and procedures. | ☐ | ☐ | ☐ | ☐ |
4 | We have up-to-date data classification policy and procedures. | ☐ | ☐ | ☐ | ☐ |
5 | We have up-to-date access control policies and procedures. | ☐ | ☐ | ☐ | ☐ |
6 | We have up-to-date incident management and response policies and procedures. | ☐ | ☐ | ☐ | ☐ |
7 | We have up-to-date vendor management policies and procedures. | ☐ | ☐ | ☐ | ☐ |
8 | We have up-to-date privacy and appropriate use policies and procedures. | ☐ | ☐ | ☐ | ☐ |
9 | Our policies and procedures have been communicated to employees. | ☐ | ☐ | ☐ | ☐ |
10 | Our policies and procedures have been implemented. | ☐ | ☐ | ☐ | ☐ |
11 | We have recently undergone an audit (either internal or external). | ☐ | ☐ | ☐ | ☐ |
12 | Does your organization have a CISO, security governing body, or equivalent? | ☐ | ☐ | ☐ | ☐ |
# | Program Review Questions | Yes | No | Partially In-Place | Flag for Discussion |
---|---|---|---|---|---|
13 | We do quarterly (or more) network vulnerability scans. | ☐ | ☐ | ☐ | ☐ |
14 | We do quarterly (or more) application vulnerability scans. | ☐ | ☐ | ☐ | ☐ |
15 | We have annual (or more) penetration tests. | ☐ | ☐ | ☐ | ☐ |
16 | We perform an annual and documented risk assessment. | ☐ | ☐ | ☐ | ☐ |
17 | Issues identified during vulnerability scans, audits, and risk assessments are prioritized and resolved in a timely manner. | ☐ | ☐ | ☐ | ☐ |
# | Technical Questions | Yes | No | Partially In-Place | Flag for Discussion |
---|---|---|---|---|---|
18 | We maintain a complete and accurate list of IT Assets (infrastructure and hardware). | ☐ | ☐ | ☐ | ☐ |
19 | We maintain a complete and accurate list of IT Assets (software). | ☐ | ☐ | ☐ | ☐ |
20 | We update all IT infrastructure with manufacturer-recommended updates on regularly scheduled intervals (patch management). | ☐ | ☐ | ☐ | ☐ |
21 | All changes made to IT infrastructure follow a formalized and documented change management process. | ☐ | ☐ | ☐ | ☐ |
22 | All changes made to software follow a formalized and documented change management process. | ☐ | ☐ | ☐ | ☐ |
23 | We enforce password complexity on all systems. | ☐ | ☐ | ☐ | ☐ |
24 | Administrative access to all systems is limited to only appropriate individuals. | ☐ | ☐ | ☐ | ☐ |
25 | We regularly review system access (including administrative access) to validate only appropriate individuals have access to systems. | ☐ | ☐ | ☐ | ☐ |
26 | We utilize 2FA/MFA for all administrative level accounts. | ☐ | ☐ | ☐ | ☐ |
27 | We monitor, log, and review all network traffic. | ☐ | ☐ | ☐ | ☐ |
28 | We utilize Firewalls, IPS, and IDS devices. | ☐ | ☐ | ☐ | ☐ |
29 | We utilize email and spam filtering tools. | ☐ | ☐ | ☐ | ☐ |
30 | We utilize web content filtering tools. | ☐ | ☐ | ☐ | ☐ |
31 | We utilize antivirus/malware tools. | ☐ | ☐ | ☐ | ☐ |
32 | We utilize mobile device management tools. | ☐ | ☐ | ☐ | ☐ |
33 | We back-up all critical systems on a regular basis. | ☐ | ☐ | ☐ | ☐ |
34 | We regularly test backups to verify they have completed fully and can be restored. | ☐ | ☐ | ☐ | ☐ |
35 | We have a documented disaster recovery and/or business continuity plan. | ☐ | ☐ | ☐ | ☐ |
36 | Remote logon requires VPN to access our network. | ☐ | ☐ | ☐ | ☐ |
37 | We encrypt all end-point devices. | ☐ | ☐ | ☐ | ☐ |
38 | We disable local administrative rights on laptop and desktop computers. | ☐ | ☐ | ☐ | ☐ |
39 | We change the default settings on all wireless access points, routers and switches. | ☐ | ☐ | ☐ | ☐ |
40 | Sensitive/Business critical systems and data are systematically segregated on the network. | ☐ | ☐ | ☐ | ☐ |
41 | We utilize a central point of access for all systems (i.e., LDAP, Active Directory). | ☐ | ☐ | ☐ | ☐ |
42 | We perform formalized and documented security training at least annually for all employees. | ☐ | ☐ | ☐ | ☐ |
43 | We perform a formalized and documented risk assessment at least annually. | ☐ | ☐ | ☐ | ☐ |
44 | A process is in place to remediate issues identified during the risk assessment. | ☐ | ☐ | ☐ | ☐ |
45 | We assess our vendors for security considerations prior to doing business and on a defined frequency thereafter. | ☐ | ☐ | ☐ | ☐ |
# | HR Related Questions | Yes | No | Partially In-Place | Flag for Discussion |
---|---|---|---|---|---|
46 | We do pre-employment background screening. | ☐ | ☐ | ☐ | ☐ |
47 | We have a documented employee onboarding process. | ☐ | ☐ | ☐ | ☐ |
48 | We do annual performance reviews. | ☐ | ☐ | ☐ | ☐ |
49 | We have a documented employee offboarding process. | ☐ | ☐ | ☐ | ☐ |
50 | We have an up-to-date employee handbook that all employees review. | ☐ | ☐ | ☐ | ☐ |
# | Other SOC 2 Considerations | Yes | No | Partially In-Place | Flag for Discussion |
---|---|---|---|---|---|
51 | Have you written a SOC 2 system description? | ☐ | ☐ | ☐ | ☐ |
52 | SOC 2 allows you to customize your controls. Have you developed a custom set of controls? | ☐ | ☐ | ☐ | ☐ |
53 | Have you engaged a SOC 2 audit firm? (Hey! Risk3sixty can do your SOC 2 report!) | ☐ | ☐ | ☐ | ☐ |