I actually created a checklist [which the auditors seem to like mainly because it creates consistency] mostly because there isn't one 'gold standard' that I ever found.
The main thing for that, though, is to ask a few questions:
What is the main purpose of the review? [Mine is data security mostly]
What are the most important things in a SOC report that you want to see covered?
One technique I used in the beginning was to use a 'strong' SOC as a model. [By strong, I mean from a company that you just feel is doing things right.]
Some categories I found useful:
Qualified or Unqualified Report
New Hire Background Checks
Staff Confidentiality/Code of Ethics
Firewalls
Malware protection
Physical Security
Environmental Security
Disaster Testing
Penetration Testing
IDP/IDS
These are just top-of-mind categories that I find good to tag/make note of in a SOC report review. Your mileage may vary.
Thanks,
Dave
David Howe
Chief Information Officer