
This article is part of the SOC 2 best practices series.

SOC 2 workbook

The SOC 2 workbook contains several pages of recommendations to help guide you through the SOC 2 program implementation.

Obtaining a SOC 2 Type 2 report is a comprehensive and often lengthy process: unlike a Type 1 report, a Type 2 report covers an observation period during which controls must be shown to operate effectively. For early-stage organizations new to compliance, it can take well over a year, as the work required to produce the report is both daunting and laborious.

Hyperproof aims to minimize the stress of obtaining a SOC 2 Type 2 report. Hyperproof comes with a tailored SOC 2 template put together by our team of experts. It’s designed to help your organization hit the ground running with significantly less time and effort. This template provides a framework within Hyperproof to help you document controls more quickly and gather all the compliance artifacts needed to pass your SOC 2 assessment. Our platform is also designed to help your organization manage all the work needed to maintain your controls on an ongoing basis, efficiently and effectively.

In addition to the template, Hyperproof provides a workbook with recommendations for reusing evidence across multiple controls, managing the health of your controls, and performing these tasks in Hyperproof. We based the workbook on the experiences of multiple Hyperproof customers who have gone through the SOC 2 process. The workbook is best suited for organizations just beginning their compliance journey or planning to use Hyperproof’s SOC 2 template with limited modifications. Even if you modify the template, the workbook can still be a valuable reference.

There are many ways to manage your SOC 2 program. The attached workbook provides one approach and is intended as a recommendation of best practices for using Hyperproof to achieve your SOC 2 compliance. It may not be a good fit for every organization. Keep in mind that your SOC 2 auditor will review your controls in the context of your business during a gap analysis, and, depending on the results, may suggest modifications or expansions to some of your controls.

Workbook contents

The SOC 2 workbook contains six sheets:

  1. Setting Up Your SOC 2 Program - A step-by-step guide for setting up your organization’s SOC 2 program in Hyperproof.

  2. CSV of Labels - In Hyperproof, labels are an effective tool used to manage and organize evidence efficiently. Labels function as folders, or buckets, for evidence that can be leveraged across multiple controls. In the workbook, you’ll find a list of our customers’ most frequently used SOC 2 labels, along with the linked controls. Download the list as a CSV and import it into Hyperproof. See Importing labels.

  3. Control Management - A list of recommended Hyperproof settings per control type to keep your controls healthy. This ensures that you regularly review your controls to confirm they are properly executed and that evidence of this is collected. We recommend which Hyperproof feature to use and when, as well as best practices for using it in a SOC 2 program.

  4. Policy Documents - A list of templates for SOC 2-relevant policy and procedure documents.

  5. Glossary - A list of clearly defined, commonly used Hyperproof and SOC 2-related terms.

  6. Help Resources - A list of links to relevant help center articles in case you need help with a particular task.

Workbook workflow

The SOC 2 workbook is meant to be followed chronologically. Before you do anything with SOC 2, you’ll need to set up your SOC 2 program. Next, you’ll import the label CSV file into Hyperproof. Labels help you keep your evidence organized and are mapped to the most common illustrative controls needed to satisfy SOC 2 requirements. After the CSV of labels is imported into Hyperproof, you’ll begin to manage your SOC 2 controls. The Control Management sheet outlines the controls you need to adhere to, their corresponding requirements, and the recommended methods for managing them. Managing your controls is crucial in becoming SOC 2 compliant. Taking the time to set them up now saves you time in the long run.

Creating your SOC 2 program

The first step to take towards achieving your SOC 2 Type 2 report is to set up your organization’s SOC 2 program. To get the most out of the SOC 2 workbook, you’ll need to include the controls provided by Hyperproof. Once your program is up and running, you’ll import the label CSV file.

Importing the CSV

Labels in Hyperproof allow you to easily reuse evidence across multiple controls. This means that you don’t have to upload the same piece of evidence 10 times and link it to 10 different controls. Instead, you’ll upload the evidence once and link it to the appropriate label. You’ll then link the label to the relevant controls in a one-time exercise.

The workbook includes a list of 19 suggested labels commonly used in many of our customers’ SOC 2 programs. The labels in the CSV already have the corresponding controls linked, so there’s no additional work needed. How you upload evidence is up to you, but the easiest and most efficient way is via Hypersync or LiveSync.

For information about importing labels into Hyperproof, see Importing labels.

Managing controls

To pass your assessment and obtain a SOC 2 Type 2 report, you need to demonstrate that your controls were implemented and have been operating effectively over a period of time; for a SOC 2 Type 2 report, the observation period over which controls are evaluated is typically six to twelve months. Taking the time now to set up continuous control management drastically reduces your workload and the time it takes to obtain the SOC 2 Type 2 report. Hyperproof offers several ways to manage your control health.

Freshness

You can use the concept of freshness to manage control status and track whether each control is up to date and in compliance with the requirements in your SOC 2 program. When you turn on freshness for a control, you define its expiration period, after which its freshness status will automatically change from Fresh to Expired. Freshness tracks the age of a control's evidence; it does not by itself confirm that the control activity was performed.

A note about freshness: For extra assurance, you can use freshness alongside another control management method, e.g., a repeating task on the same control.

Example: You might use the Freshness feature to manage SOC2-CC7.5.3 (annually test incident response plan) by turning on freshness and setting it to expire in one year. All members of the control will receive an email notification 24 hours prior to the expiration date. Additionally, the Needs Attention section of the Hyperproof dashboard notifies control members a month prior to the expiration date.

Repeating task

You may want to set up a repeating task for actions you have to perform repeatedly. For example, if you have to manually review a particular control each month, you can set up a repeating task to remind you to perform the review.

Example: You might schedule a repeating task to manage SOC2-CC1.5.2 (monthly performance review meetings for departments with internal control responsibilities) because it is a monthly task you need to perform.

LiveSync

LiveSync is a great option if the evidence you want to collect is in the format of an ongoing document, such as a Google Doc. Evidence must be stored in an external cloud storage platform, such as Google Drive or Dropbox, for LiveSync to work. Once you’ve connected your external cloud storage platform to Hyperproof, you can link evidence stored there to controls, labels, or tasks.

Example: You might use the LiveSync feature to manage SOC2-CC3.2.3 (respond to risks via meetings with IT personnel) because the meeting notes are maintained in an ongoing Google Doc.

Hypersync

Evidence generated by an external cloud-based service or app, such as AWS or Azure, can be linked to Hyperproof via a Hypersync. Instead of continuously uploading new evidence whenever it changes, you can create a Hypersync to automate the process. Hypersyncs can be set up on controls or labels.

Example: You might use a Hypersync to manage SOC2-CC6.4.2 (annually review access to data centers) because the evidence you need to satisfy the control’s requirement is maintained and stored in an external service such as AWS. Note that the Hypersync automates collecting the evidence; the annual review itself still has to be performed and recorded.

Note: In the SOC 2 workbook, you’ll find recommendations for methods that work best with certain controls. Remember, how you choose to manage your SOC 2 controls is up to you. You may use a mix of the methods above, or you may use the same method for each control. What’s important is that your controls are, in fact, being managed throughout your SOC 2 compliance journey.
