SOC2
Introduction
SOC2 is an assessment program run by the AICPA.
| SOC | Focus | Restricted Use | Report Content |
|---|---|---|---|
| SOC1 | Internal controls for financial reporting | Restricted use; stakeholders require an NDA | Specific detail on controls relevant to financial reporting |
| SOC2 | Internal controls for Security, Availability, Confidentiality, Process Integrity, Privacy | Restricted use; stakeholders require an NDA | Specific detail on each control for the "Trust Criteria" in scope |
| SOC3 | Internal controls for Security, Availability, Confidentiality, Process Integrity, Privacy | Can be shared publicly without restriction | General description |
Available assessments
There are three different SOC assessments:
- SOC for Service Organizations: internal report on controls provided by the organization, allowing users to assess risks.
- SOC for Cybersecurity: reporting framework allowing organizations to communicate the effectiveness of their cybersecurity risk management.
- SOC for Supply Chain: internal controls report on the controls for producing, manufacturing or distributing goods.
Report types
Type 1 Report
- Focus on control design
- Shorter time to undertake assessment
- Can be undertaken prior to Type 2
- Costs less than Type 2 report
Type 2 Report
- Focus on operational effectiveness
- Longer time to undertake assessment
- Must have at least 6 months of evidence
- Costs more than Type 1 report
Benefits of Being Certified
- Customer demand
- Independent security assurance
- Competitive advantage
- Regulatory compliance
- Feedback on operational effectiveness
Example
SOC Trust Criterias
The first 5 Common Criteria come from the COSO framework, which is made up of 17 principles. The 4 other Common Criteria (all of which are mandatory) are SOC2 specific. Additionally, the Additional Criteria can be covered if chosen by the company requesting the audit.
Common criteria (CC)
CC1 - Control Environment
- CC1.1 - Demonstrate commitment to integrity & ethical values
- CC1.2 - Exercise oversight of internal controls
- CC1.3 - Establish structures & responsibility to meet objectives
- CC1.4 - Demonstrate commitment to competence
- CC1.5 - Enforce accountability
CC2 - Communication & Information
- CC2.1 - Use quality information to support controls
- CC2.2 - Communicate internally regarding controls
- CC2.3 - Communicate externally regarding controls
CC3 - Risk Assessment
- CC3.1 - Specify clear objectives
- CC3.2 - Identify and assess risk
- CC3.3 - Consider fraud risk
- CC3.4 - Identify and assess significant change
CC4 - Monitoring Activities
- CC4.1 - Evaluate components of internal controls
- CC4.2 - Communicate deficiencies in a timely manner
CC5 - Control Activities
- CC5.1 - Select control activities to mitigate risk
- CC5.2 - Select general controls over technology
- CC5.3 - Deploy controls through policies
CC6 - Logical & Physical Access
- CC6.1 - Protect information assets with logical access security controls
- CC6.2 - Authorize users before granting access, remove promptly
- CC6.3 - Apply least privilege and segregation of duties
- CC6.4 - Restrict physical access to authorized personnel
- CC6.5 - Remove sensitive data before relaxing physical controls
- CC6.6 - Implement logical access security measures
- CC6.7 - Restrict removal of information and protect in transit
- CC6.8 - Protect against installation of malicious software
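The CC6 criteria are control objectives, and an auditor will ask for evidence that they operate. The script below is an added example (not part of the original page or any AICPA material) of the kind of access-review check that produces that evidence for CC6.2 (access authorized before it is granted, removed promptly on termination) and CC6.3 (segregation of duties). The HR roster, IAM export, ticket identifiers and the conflicting role pair are all constructed sample data; the 3-day deprovisioning grace period is an assumed policy value, not something the page specifies.

```python
from datetime import date, timedelta

# Constructed sample data; none of these users, tickets or roles are real.
# HR roster: username -> termination date (None means still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 3, 1),
    "carol": date(2024, 3, 10),
    "dave": None,
}

# IAM export: every account, its roles, and the change ticket that approved the access.
IAM_ACCOUNTS = [
    {"user": "alice", "active": True, "roles": ["developer"], "approval_ticket": "CHG-101"},
    {"user": "bob", "active": True, "roles": ["developer"], "approval_ticket": "CHG-102"},
    {"user": "carol", "active": False, "roles": [], "approval_ticket": "CHG-103"},
    {"user": "dave", "active": True,
     "roles": ["payments_initiator", "payments_approver"], "approval_ticket": None},
]

# Role pairs one person must never hold together (segregation of duties, CC6.3).
SOD_CONFLICTS = [("payments_initiator", "payments_approver")]

# Date the review is run and the assumed deprovisioning grace period (policy values).
AS_OF = date(2024, 3, 20)
GRACE_DAYS = 3


def lingering_accounts(hr, iam, as_of, grace_days=GRACE_DAYS):
    """CC6.2: accounts still active more than grace_days after HR terminated the person."""
    findings = []
    for acct in iam:
        term = hr.get(acct["user"])
        if acct["active"] and term is not None and as_of - term > timedelta(days=grace_days):
            findings.append(acct["user"])
    return findings


def unapproved_grants(iam):
    """CC6.2: active accounts holding roles with no recorded approval ticket."""
    return [a["user"] for a in iam if a["active"] and a["roles"] and not a["approval_ticket"]]


def sod_violations(iam, conflicts):
    """CC6.3: accounts holding both roles of a conflicting pair."""
    findings = []
    for acct in iam:
        held = set(acct["roles"])
        for role_a, role_b in conflicts:
            if role_a in held and role_b in held:
                findings.append((acct["user"], role_a, role_b))
    return findings


def access_review(hr, iam, conflicts, as_of):
    """Run all three checks and return the findings an auditor would sample."""
    return {
        "lingering": lingering_accounts(hr, iam, as_of),
        "unapproved": unapproved_grants(iam),
        "sod": sod_violations(iam, conflicts),
    }


if __name__ == "__main__":
    for check, hits in access_review(HR_ROSTER, IAM_ACCOUNTS, SOD_CONFLICTS, AS_OF).items():
        print(f"{check}: {hits if hits else 'no findings'}")
```

Running the review on the sample data flags bob (still active 19 days after termination), dave (roles granted with no approval ticket) and dave again for holding both payments roles. In practice the HR roster and IAM export would come from the HR system and identity provider, and the dated output of each run, kept for the review period, is the Type 2 evidence that the control operated.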
CC7 - System Operations
- CC7.1 - Identify changes in configuration and vulnerabilities
- CC7.2 - Monitor system for anomalies
- CC7.3 - Evaluate security incidents
- CC7.4 - Respond to security incidents using a defined plan
- CC7.5 - Identify and implement activities to recover from incidents
CC8 - Change management
- CC8.1 - Authorize, design, test and approve changes to meet objectives
CC9 - Risk Mitigation
- CC9.1 - Identify and select risk mitigation activities
- CC9.2 - Assess and manage risk from vendors/partners
Additional criteria (AC)
- Availability
- Confidentiality
- Process Integrity
- Privacy