A SOC 2 report is based on the Trust Services Criteria (TSC) deemed applicable to your organization. The report covers non-financial controls in five categories: security, availability, confidentiality, processing integrity, and privacy. Each criterion is framed in terms of policies, communications, procedures, and monitoring, and each has corresponding controls that the organization must design and operate.
Which criteria apply depends on the type of information a business needs to secure and on the commitments it makes to its customers.
An organization selects the additional categories relevant to its business; Security, however, is always required, and its criteria are referred to as the Common Criteria (CC).
While many controls are associated with each of the five categories, the controls behind the Common Criteria are largely familiar IT general controls, grouped into the nine series below.
CC1, control environment: controls related to a commitment to integrity and ethical values.
CC2, communication and information: controls related to the internal and external use of quality information to support the functioning of internal control.
CC3, risk assessment: controls related to the identification and assessment of risks relating to objectives, including the risk of fraud.
CC4, monitoring activities: controls related to the performance of ongoing and separate evaluations to identify control deficiencies and communicate them to the parties responsible for corrective action.
CC5, control activities: controls related to the control activities that contribute to the mitigation of risks and to the establishment of policies and procedures.
CC6, logical and physical access controls: controls related to the implementation of logical access security software, infrastructure, and architectures over protected information assets to protect them from security events and meet the entity's objectives.
CC7, system operations: controls related to the use of detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities and (2) susceptibilities to newly discovered vulnerabilities.
CC8, change management: controls related to the authorization, design, development, testing, approval, and implementation of changes to infrastructure, data, software, and procedures to meet the entity's objectives.
CC9, risk mitigation: controls related to identifying, selecting, and developing risk mitigation activities for risks arising from potential business disruptions.
In addition to the requirements attached to Security, businesses should fulfill the controls for other relevant categories based on the commitments they make to their customers. Below are some examples of the additional categories, as well as the types of controls that satisfy the trust services criteria in these categories.
Privacy: provides notice of its privacy practices to data subjects and other relevant parties.
Privacy: the notice is updated and communicated in a timely manner, including for changes in the use of personal information.
Processing integrity: obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of the data processed and product and service specifications, to support the use of products and services.
Confidentiality: identifies and maintains confidential information to meet the entity's objectives related to confidentiality.
Confidentiality: disposes of confidential information to meet the entity's objectives related to confidentiality.
Availability: maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet the entity's objectives.
Availability: authorizes, designs, implements, operates, and maintains environmental protections, software, data backup processes, and recovery infrastructure to meet the entity's objectives.
Availability: tests recovery plan procedures supporting system recovery to meet the entity's objectives.
While there isn't a single path to fulfilling SOC 2 controls and preparing for an audit, the process should include implementing policies together with the technical and operational procedures that carry them out.
For a SOC 2 Type 1 report, auditors evaluate the design of controls at a point in time: they ask to examine the written policies, who they have been distributed to, and the procedures put in place to execute each policy.
For a Type 2 report, auditors examine the operating effectiveness of controls over a review period, commonly 6 to 12 months, and write a comprehensive report based on the evidence provided.
SOC 2 criteria are stated in terms of objectives, policies, and procedures rather than prescribed technical tasks. However, implementing the technical procedures typically involves building or managing new tooling, such as endpoint security. These procedures are monitored over time for effectiveness, and the resulting evidence is relayed to the audit team while pursuing a SOC 2 report.
Just as important as technical processes, operational procedures involve managing vendors and their due diligence, creating uniform onboarding and termination procedures, and collecting evidence of their effectiveness.
These procedures are crucial to producing a risk assessment for auditors and to understanding the business's risk appetite.