SOC 2 Requirements
SOC 2 is an auditing procedure for ensuring that service providers have proper data and privacy protections in place for sensitive data. Organizations working to achieve SOC 2 certification must implement a series of controls and go through an audit with an external auditor.
Auditors assess an organization's compliance with one or more of the AICPA Trust Services Criteria (TSC). Teams must have all applicable controls in place and be able to provide evidence of control effectiveness in order to achieve SOC 2 certification and receive a SOC 2 report.
SOC 2 Trust Services Criteria (TSC)
In order to achieve SOC 2 certification and meet the latest SOC 2 report framework standards, teams must implement the latest 2017 Trust Services Criteria (TSC).
The Trust Services Criteria (previously Trust Services Principles) are a set of criteria and related controls that an organization must implement across its business and IT infrastructure. The five categories of control criteria are:
- Security – A business's data and computing systems are fully protected against any unauthorized access, unauthorized or inappropriate disclosure of information, and any damage to systems that might compromise the processing integrity, availability, confidentiality or privacy of data or systems and affect the entity's ability to meet its objectives.
- Availability – All information and computing systems are ready and available for operation and use to meet the entity's objectives.
- Processing Integrity – All system processing is complete, accurate, valid, timely and authorized so that the entity meets its objectives.
- Confidentiality – Any information designated as confidential remains secure to meet the entity's objectives.
- Privacy – All personal information collected, used, retained, stored, disclosed or disposed of must meet the entity's objectives.
Organizations may be evaluated across one or more TSC categories during a SOC 2 audit. It is up to your team to prepare for a SOC 2 audit and have an established security program in place in order to streamline assessment and achieve certification. Once a SOC 2 assessor has validated your team’s security controls, they will write a SOC 2 report for your organization.
Alignment with COSO Framework
The latest 2017 TSC standards for SOC 2 reports integrate the 2013 COSO framework. COSO provides a generally accepted framework for internal controls within an organization. SOC 2 integrates the COSO framework, including its five components of internal control:
Control Environment
- Exercise integrity and ethical values.
- Make a commitment to competence.
- Use the board of directors and audit committee.
- Facilitate management's philosophy and operating style.
- Create organizational structure.
- Issue assignment of authority and responsibility.
- Utilize human resources policies and procedures.
Risk Assessment
- Create company-wide objectives.
- Incorporate process-level objectives.
- Perform risk identification and analysis.
- Manage change.
Control Activities
- Follow policies and procedures.
- Improve security (application and network).
- Conduct application change management.
- Plan business continuity/backups.
- Manage outsourcing.
Information and Communication
- Measure quality of information.
- Measure effectiveness of communication.
Monitoring Activities
- Perform ongoing monitoring.
- Conduct separate evaluations.
- Report deficiencies.
These components have been integrated into the latest SOC 2 Trust Services Criteria and provide a foundation for sound internal controls within the organization.
SOC 2 Controls List
SOC 2 criteria and controls cover a wide range of security best practices across your IT infrastructure and organization, including risk management, physical and logical access controls, and system access. Teams should establish a security program and consider working with a team like Dash to perform a readiness assessment and prepare for a SOC 2 audit.
The following categories of criteria are used to assess compliance with the SOC 2 Report Framework:
(CC1) Control Environment – These controls address how the organization sets security roles, manages oversight and deals with security as it relates to employees, hiring, and overall management.
(CC2) Communication and Information – These controls address how teams communicate IT and security requirements, responsibilities and overall objectives across the organization.
(CC3) Risk Assessment – These controls address how organizations manage risk analysis and identify, address and accept risk across the organization.
(CC4) Monitoring Activities – These controls address how organizations develop, monitor and ensure that internal security controls are active and functioning.
(CC5) Control Activities – These controls address how organizations establish security controls, connect controls to policies and procedures and assign duties.
(CC6) Logical and Physical Access Controls – These controls address how organizations manage physical security of devices as well as software and logical access restrictions to data.
(CC7) System Operations – These controls address how organizations handle system vulnerabilities, detect system operational issues and respond to security incidents.
(CC8) Change Management – These controls address how organizations handle development, testing, and deployment of new systems and applications.
(CC9) Risk Mitigation – These controls define how organizations manage business risks, third parties, and external vendors as related to data security.
(A) Additional Criteria For Availability – These controls define additional standards for how organizations manage backups and overall system availability.
(C) Additional Criteria For Confidentiality – These controls address how confidential information is identified and protected from destruction.
(PI) Additional Criteria For Processing Integrity – These controls address how data is processed completely and accurately to achieve the entity's objectives.
(P) Additional Criteria For Privacy – These controls address how personal information is collected, retained and secured by the organization.
Looking for the full set of SOC 2 controls and requirements? Download our SOC 2 Control List Excel
Preparing and Implementing SOC 2 Controls
Implementing SOC 2 controls can appear overwhelming. Building a robust security program and performing a SOC 2 readiness assessment can make your team better prepared to go through a security audit and achieve SOC 2 certification.
Learn how Dash ComplyOps can help your team prepare and achieve SOC 2 certification in the cloud.
- Utilize Dash to create custom administrative policies built around your organization and IT infrastructure.
- Enforce policy standards and SOC 2 security controls through Dash continuous compliance monitoring.
- Gather SOC 2 security evidence and create reports to simplify auditing and security evaluation.
- Work with an audit partner to complete a SOC 2 audit and achieve SOC 2 certification.