SOC 2 Ongoing Compliance SOP

Sub-procedure of soc2-gap-sop.md

Overview

Detailed procedures for maintaining SOC 2 compliance after initial certification, including continuous monitoring, annual audit preparation, control maintenance, and compliance program maturation. This sub-procedure ensures sustained compliance posture between audit periods.

Scope

Parent SOP: SOC 2 Gap Assessment
Pillar: Protect (Security & Compliance)
Service Area: SOC 2 Ongoing Compliance

Prerequisites

  • Parent SOP requirements met
  • Initial SOC 2 audit completed (Type I or Type II)
  • Control owners assigned for ongoing maintenance
  • Compliance calendar established
  • Monitoring processes implemented
  • Next audit timeline planned

Procedure

Step 1: Continuous Monitoring Program

Objective: Maintain visibility into control effectiveness

Monitoring Frequency by Control Type:

| Control Type | Monitoring Frequency | Method |
|---|---|---|
| Automated Controls | Continuous/Real-time | Automated alerting |
| IT General Controls | Weekly/Monthly | Dashboard review |
| Process Controls | Monthly/Quarterly | Sampling and review |
| Management Controls | Quarterly/Annual | Attestation and evidence |

Key Monitoring Activities:

| Control Area | Monitoring Activity | Frequency | Owner |
|---|---|---|---|
| Access Control | Access review completion | Quarterly | IT Security |
| Access Control | MFA enrollment status | Weekly | IT Security |
| Access Control | Termination timeliness | Weekly | HR/IT |
| Change Management | Change approval rates | Weekly | IT Ops |
| Vulnerability Mgmt | Scan completion | Weekly | IT Security |
| Vulnerability Mgmt | Remediation SLA compliance | Monthly | IT Security |
| Incident Response | Incident metrics | Monthly | IT Security |
| Vendor Management | Vendor review status | Quarterly | Procurement |
| Training | Completion rates | Monthly | HR |

Control Effectiveness Dashboard:

| Metric | Target | Yellow Threshold | Red Threshold |
|---|---|---|---|
| Access Reviews Completed | 100% | <95% | <90% |
| MFA Enrollment | 100% | <98% | <95% |
| Terminated User Deprovisioning | <24 hours | >48 hours | >72 hours |
| Change Approval Rate | 100% | <95% | <90% |
| Critical Vulnerability Remediation | <7 days | >14 days | >30 days |
| High Vulnerability Remediation | <30 days | >45 days | >60 days |
| Security Training Completion | 100% | <95% | <90% |
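As an added example that is not part of this SOP, the following Python script rates one month of observed metrics against the dashboard thresholds above and rolls them up into a single status. The metric names mirror the table; the sample observations are constructed, and reporting a metric with no observation as NO DATA (rather than dropping it) is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Threshold:
    """One dashboard row. For percentage metrics (higher is better) yellow/red
    are floors; for time-based metrics (lower is better) they are ceilings."""
    name: str
    higher_is_better: bool
    yellow: float
    red: float

# Thresholds taken from the Control Effectiveness Dashboard table.
DASHBOARD: List[Threshold] = [
    Threshold("Access Reviews Completed", True, 95, 90),
    Threshold("MFA Enrollment", True, 98, 95),
    Threshold("Terminated User Deprovisioning", False, 48, 72),
    Threshold("Change Approval Rate", True, 95, 90),
    Threshold("Critical Vulnerability Remediation", False, 14, 30),
    Threshold("High Vulnerability Remediation", False, 45, 60),
    Threshold("Security Training Completion", True, 95, 90),
]

def status(t: Threshold, value: float) -> str:
    """Map one observed value to GREEN/YELLOW/RED. A value exactly on a
    threshold is not past it (the table says '<95%', not '<=95%')."""
    past_red = value < t.red if t.higher_is_better else value > t.red
    past_yellow = value < t.yellow if t.higher_is_better else value > t.yellow
    return "RED" if past_red else "YELLOW" if past_yellow else "GREEN"

def evaluate(observed: Dict[str, float]) -> Dict[str, str]:
    """Rate every dashboard metric. A metric with no observation is reported
    as NO DATA, not dropped: missing evidence is itself a gap (Step 4)."""
    return {t.name: status(t, observed[t.name]) if t.name in observed else "NO DATA"
            for t in DASHBOARD}

def overall(ratings: Dict[str, str]) -> str:
    """Roll-up for the dashboard header: the worst rating wins, and a metric
    that could not be assessed ranks below RED (assumption of this example)."""
    order = ["GREEN", "YELLOW", "RED", "NO DATA"]
    return max(ratings.values(), key=order.index)

# Constructed sample month (hypothetical figures, not from the SOP).
SAMPLE_OBSERVATIONS: Dict[str, float] = {
    "Access Reviews Completed": 96, "MFA Enrollment": 97.5,
    "Terminated User Deprovisioning": 36, "Change Approval Rate": 100,
    "Critical Vulnerability Remediation": 31, "High Vulnerability Remediation": 20,
    # "Security Training Completion" deliberately absent -> NO DATA
}
```

Running `evaluate(SAMPLE_OBSERVATIONS)` flags MFA enrollment as YELLOW, critical vulnerability remediation as RED and training completion as NO DATA, so the missing evidence surfaces on the dashboard instead of being silently skipped.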

Step 2: Control Maintenance

Objective: Keep controls operating effectively

Annual Control Review Cycle:

| Quarter | Focus Area | Activities |
|---|---|---|
| Q1 | Access Controls | User access reviews, privilege audit |
| Q2 | Technical Controls | Configuration validation, vulnerability assessment |
| Q3 | Process Controls | Change management, incident response review |
| Q4 | Management Controls | Policy review, vendor assessments, risk assessment |

Control Change Management:

| Change Type | Process |
|---|---|
| New Control | Document, implement, test, add to control matrix |
| Modified Control | Update documentation, test effectiveness, update matrix |
| Retired Control | Document rationale, remove from matrix, archive evidence |
| New System | Scope assessment, control mapping, evidence integration |

Policy and Procedure Maintenance:

| Activity | Frequency | Owner |
|---|---|---|
| Policy review | Annual | Policy Owner |
| Procedure review | Annual | Process Owner |
| Policy approval | After changes | Executive Sponsor |
| Distribution and acknowledgment | After changes | Compliance |

Step 3: Evidence Collection Rhythm

Objective: Collect evidence throughout the audit period

Monthly Evidence Collection:

| Evidence Type | Collection Activity | Retention |
|---|---|---|
| Access Reviews | Export quarterly access reviews | 3 years |
| Vulnerability Scans | Export scan reports | 3 years |
| Change Records | Export change tickets | 3 years |
| Incident Records | Update incident log | 3 years |
| Training Records | Export completion reports | 3 years |

Quarterly Evidence Collection:

| Evidence Type | Collection Activity | Retention |
|---|---|---|
| Access Reviews | Complete and document access reviews | 3 years |
| Vendor Reviews | Update vendor assessment status | 3 years |
| Risk Register | Review and update risk register | 3 years |
| Configuration | Capture configuration baselines | 3 years |

Annual Evidence Collection:

| Evidence Type | Collection Activity | Retention |
|---|---|---|
| Risk Assessment | Complete annual risk assessment | 3 years |
| DR Testing | Complete and document DR test | 3 years |
| Penetration Testing | Complete penetration test | 3 years |
| Policy Acknowledgments | Collect annual acknowledgments | 3 years |

Step 4: Exception and Issue Management

Objective: Track and remediate control exceptions

Exception Categories:

| Category | Definition | Required Action |
|---|---|---|
| Control Failure | Control did not operate as designed | Immediate remediation, root cause analysis |
| Deviation | Intentional departure from control | Approval, documentation, compensating control |
| Gap | Missing control or evidence | Remediation plan, POA&M if needed |
| Observation | Improvement opportunity | Track for future implementation |

Exception Tracking Process:

  1. Identification - Exception identified through monitoring or testing
  2. Documentation - Log in exception register with details
  3. Root Cause - Analyze why exception occurred
  4. Remediation Plan - Define actions, owners, timelines
  5. Approval - Obtain appropriate approval for plan
  6. Remediation - Execute remediation actions
  7. Validation - Verify exception is resolved
  8. Closure - Close exception with evidence of resolution

Exception Register Fields:

| Field | Description |
|---|---|
| Exception ID | Unique identifier |
| Date Identified | When exception was discovered |
| Control | Affected control reference |
| Description | What happened |
| Root Cause | Why it happened |
| Risk Level | High/Medium/Low |
| Remediation Plan | Actions to resolve |
| Owner | Person responsible |
| Target Date | Expected resolution date |
| Status | Open/In Progress/Closed |
| Evidence | Documentation of resolution |

Step 5: Annual Audit Preparation

Objective: Prepare for next SOC 2 audit cycle

Pre-Audit Timeline (90 days):

| Timeframe | Activities |
|---|---|
| T-90 days | Confirm audit window with auditor |
| T-60 days | Complete all outstanding access reviews |
| T-45 days | Resolve all open exceptions |
| T-30 days | Finalize evidence package |
| T-14 days | Update system description |
| T-7 days | Pre-audit readiness check |
| T-0 | Audit kickoff |

Year-Over-Year Considerations:

| Consideration | Action Required |
|---|---|
| New Systems | Add to scope, document controls |
| Acquisitions | Integrate controls, update boundaries |
| System Retirements | Remove from scope, update documentation |
| Organizational Changes | Update org chart, control owners |
| New Auditor Requests | Review prior management letter, address findings |
| Prior Findings | Demonstrate remediation |

Step 6: Compliance Program Maturation

Objective: Continuously improve compliance program

Maturity Assessment Dimensions:

| Dimension | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Monitoring | Manual, periodic | Scheduled, semi-automated | Automated, real-time | Predictive |
| Evidence | Manual collection | Scheduled collection | Automated collection | Continuous attestation |
| Remediation | Reactive | Planned | Proactive | Preventive |
| Integration | Standalone | Partially integrated | Fully integrated | Unified |

Improvement Initiatives:

| Initiative | Benefit | Typical Timeline |
|---|---|---|
| GRC Platform Implementation | Automated evidence, continuous monitoring | 3-6 months |
| Policy Automation | Consistent enforcement, reduced exceptions | 2-4 months |
| Control Automation | Reduced manual effort, improved consistency | Ongoing |
| Integrated Risk Management | Holistic view, efficient reporting | 6-12 months |

Compliance Metrics:

| Metric | Target | Trend Goal |
|---|---|---|
| Audit Findings | 0 | Maintain |
| Open Exceptions | <5 | Decrease |
| Evidence Collection Time | <2 hours/control | Decrease |
| Control Test Pass Rate | 100% | Maintain |
| Audit Duration | Stable | Decrease |

Deliverables

| Deliverable | Format | Owner |
|---|---|---|
| Compliance Dashboard | Dashboard/Report | Compliance Manager |
| Exception Register | Excel/GRC Tool | Compliance Manager |
| Monthly Evidence Package | Organized folders | Control Owners |
| Annual Compliance Report | Executive summary | Compliance Manager |
| Audit Readiness Checklist | Checklist | SBK/Compliance |
| Maturity Assessment | Report | SBK |

Quality Gates

  • Continuous monitoring active for all key controls
  • Evidence collection on schedule
  • Open exceptions <5 and trending downward
  • All access reviews completed quarterly
  • Annual risk assessment completed
  • DR testing completed annually
  • Policies reviewed within 12 months
  • Audit readiness validated 30 days before audit

Last Updated: February 2026
Parent SOP: soc2-gap-sop.md