Modeled around policies, communications, procedures, and monitoring, Trust Services Criteria each have corresponding controls. Get more information on SOC 2 Trust Services Criteria.
What are SOC 2 requirements?
SOC 2 requirements change according to the type of information a business needs to secure. An organization should select the Trust Services Criteria requirements relevant to their business and the commitments they make to their customers. However, security is required and referred to as “Common Criteria.”
The SOC 2 controls we list here are an overview of those you may need to implement for your SOC 2 report. The ones that are relevant to your business should be selected by your CISO and management team.
SOC 2 Controls List
While there are many controls associated with each of the five TSCs, controls associated with the common criteria include common IT general controls.
Control Environment: These SOC 2 controls relate to a commitment to integrity and ethical values. Involvement of the board of directors and senior management’s oversight relating to the development and performance of internal control and hold individuals accountable for their internal control responsibilities in the pursuit of objectives.
Communication and Information: This includes SOC 2 controls related to the internal and external use of quality information to support the functioning of internal control.
Risk Assessment: This requests the identification and assessment of risk relating to objectives, including fraud.
Monitoring Activities: Place controls related to the performance of ongoing and separate evaluations to determine deficiencies of controls and communicate those to the correct parties.
Control Activities: These relate to the control activities contributing to risk mitigation and policy and procedure establishment.
Logical and Physical Access Controls: Related to the implementation of logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet its objectives.
- Issuing of credentials to new internal and external users
- Authorization, modification, or removal of access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design
- Restriction of physical access to facilities and protected information assets to authorized personnel to meet its objectives
- Implementation of controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet its objectives.
System Operations: SOC 2 controls related to the use of detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities and (2) susceptibilities to newly-discovered vulnerabilities.
- Response to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
- Monitoring of system components and the operation of those components for anomalies indicative of malicious acts, natural disasters, and errors
Change Management: Controls related to the authorization, design, development, testing, approval, and implementation of changes to infrastructure, data, software, and procedures to meet its objectives.
Risk Mitigation: Identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
Additional SOC 2 Criteria for Privacy, Processing Integrity, Confidentiality, Availability
In addition to the requirements attached to Security, businesses should fulfill the controls for other relevant categories based on the commitments they make to their customers.
Find examples of additional SOC 2 control categories and control types that satisfy these categories below.
Privacy: Provides notice of privacy practices to relevant parties.
The notice is updated and communicated in a timely manner, including changes in the use of personal information.
Processing Integrity: Obtains or generates, uses, and communicates relevant, quality information regarding the SOC 2 objectives related to processing. This includes definitions of processed data, and product and service specifications, to support the use of products and services.
Confidentiality: Identifies and maintains confidential information to meet SOC 2 objectives related to confidentiality.
- Retention and Classification
- Disposal of Information
Availability: Maintains, monitors, and evaluates current processing capacity and use of system components like infrastructure, data, and software.
- System Capacity
Maintaining processing capacity and use of system components (infrastructure, data, and software) to manage demand and enable the implementation of additional capacity to help meet objectives.
- Backups and environmental controls
- Recovery controls
How does my business fulfill SOC 2 controls?
There isn’t one path to fulfilling SOC 2 controls and prepping for audit. The process should include policy implementation and technical and operational procedures.
For SOC 2 Type 1, auditors ask to examine authored policies, who they’ve been distributed to, and the procedures put in place to execute the policy.
In a Type 2 audit, auditors examine the functionality of controls over a 6-12 month time period. A comprehensive report is written based on the evidence provided.
SOC 2 controls primarily focus on policies and procedures instead of technical tasks; however, the implementation of technical procedures typically involves building or managing new tools, like endpoint security. These procedures are monitored over time for effectiveness and relayed to audit teams while pursuing a SOC 2 report.
Just as important as technical processes, operational procedures involve managing vendors and due diligence, creating uniform onboarding and termination procedures, and collecting evidence on their effectiveness.
These procedures are crucial to creating a risk assessment for auditors and understanding the business’ risk appetite.