What are SOC 2 controls?

SOC 2 Controls List

A SOC 2 report is based on the Trust Services Criteria deemed applicable to your organization. The report focuses on non-financial controls related to security, availability, confidentiality, processing integrity, and privacy. Modeled around policies, communications, procedures, and monitoring, Trust Services Criteria each have corresponding controls.

What are SOC 2 requirements?

SOC 2 requirements change according to the type of information a business needs to secure.

An organization should select the Trust Services Criteria requirements relevant to their business and the commitments they make to their customers. However, Security is required, and referred to as “Common Criteria.”

SOC 2 Controls List

While there are many controls associated with each of the five TSCs, controls associated with the common criteria include common IT general controls. See below for more.

Control Environment

Controls related to a commitment to integrity and ethical values.

  • Oversight by the board of directors and senior management of the development and performance of internal control.
  • Hold individuals accountable for their internal control responsibilities in the pursuit of objectives.

Communication and Information

Controls related to the internal and external use of quality information to support the functioning of internal control.

Risk Assessment

Controls related to the identification and assessment of risk relating to objectives, including fraud.

Monitoring Activities

Controls related to the performance of ongoing and separate evaluations to determine deficiencies of controls and communicate those to the correct parties.

Control Activities

Controls related to the control activities that contribute to the mitigation of risks and establishment of policies and procedures.

Logical and Physical Access Controls

Controls related to the implementation of logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet its objectives.

  • Issuing of credentials to new internal and external users
  • Authorization, modification, or removal of access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design
  • Restriction of physical access to facilities and protected information assets to authorized personnel to meet its objectives.
  • Implementation of controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet its objectives.

System Operations

Controls related to the use of detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities and (2) susceptibilities to newly discovered vulnerabilities.

  • Monitoring of system components and the operation of those components for anomalies indicative of malicious acts, natural disasters, and errors
  • Response to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Change Management

Controls related to the authorization, design, development, testing, approval, and implementation of changes to infrastructure, data, software, and procedures to meet its objectives.

Risk Mitigation

Identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

Additional Criteria for Privacy, Processing Integrity, Confidentiality, Availability

In addition to the requirements attached to Security, businesses should fulfill the controls for other relevant categories based on the commitments they make to their customers. Below are some examples of the additional categories, as well as the types of controls that satisfy the trust services criteria in these categories.

Privacy

Provides notice of privacy practices to relevant parties.

The notice is updated and communicated in a timely manner, including changes in the use of personal information.

Processing Integrity

Obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing.

This includes definitions of processed data, and product and service specifications, to support the use of products and services.

Confidentiality

Identifies and maintains confidential information to meet objectives related to confidentiality.

Retention and Classification

Identifies and maintains confidential information to meet its objectives related to confidentiality.

Disposal of Information

Disposes of confidential information to meet its objectives related to confidentiality.

Availability

Maintains, monitors, and evaluates current processing capacity and use of system components like infrastructure, data, and software.

System Capacity

Maintaining processing capacity and use of system components (infrastructure, data, and software) to manage demand and enable the implementation of additional capacity to help meet objectives.

Backups and Environmental Controls

Environmental protection, software, data backup processes, and recovery infrastructure to meet objectives.

Recovery Controls

Testing of recovery plan procedures supporting system recovery to meet objectives.

How does my business fulfill SOC 2 controls?

While there isn’t one path to fulfilling SOC 2 controls and prepping for audit, the process should include the implementation of policies and technical and operational procedures.

Policies

For SOC 2 Type 1, auditors ask to examine authored policies, who they’ve been distributed to, and the procedures put in place to execute the policy.

In a Type 2 audit, auditors examine the functionality of controls over a 6-12 month time period. A comprehensive report is written based on the evidence provided.

Technical Procedures

SOC 2 primarily focuses on policies and procedures instead of technical tasks. However, the implementation of technical procedures typically involves building or managing new tools, like endpoint security. These procedures are monitored over time for effectiveness and relayed to audit teams while pursuing a SOC 2 report.

Operational Procedures

Just as important as technical processes, operational procedures involve managing vendors and due diligence, creating uniform onboarding and termination procedures, and collecting evidence on their effectiveness.

These procedures are crucial to creating a risk assessment for auditors and understanding the business’ risk appetite.
