Backup and Recovery
Disaster Recovery Planning
Policies and Procedures
I also use the SOC to verify policies and procedures, as I have found that certain vendors won't release copies of some policies (third party/vendor management etc.); however, you can verify that they have them and get some pretty good details around a lot of a vendor's policies from the SOC. Similarly, I have multiple vendors that don't release BCP or similar testing or specifics on their plan; however, you can usually verify that they have a plan and are completing associated testing from the SOC. You can't usually tell the results of the testing, but at least you can verify it was completed.
Shelly
I actually created a checklist [which the auditors seem to like, mainly because it creates consistency], mostly because there isn't one 'gold standard' that I ever found.
The main thing for that, though, is to ask a few questions:
What is the main purpose of the review? [Mine is data security mostly]
What are the most important things in a SOC report that you want to see covered?
One technique I used in the beginning was to use a 'strong' SOC as a model. [By strong, I mean from a company that you just feel is doing things right.]
Some categories I found useful:
Qualified or Unqualified report
New Hire Background checks
Staff Confidentiality/Code of Ethics
These are just top-of-mind categories that I find good to tag/make note of in a SOC report review. Your mileage may vary.
Chief Information Officer