
SOC2

Introduction

SOC2 is an assessment program run by the AICPA.

| SOC | Focus | Restricted Use | Report Content |
|---|---|---|---|
| SOC1 | Internal controls for financial reporting | Restricted use, stakeholders require NDA | Specific detail on controls relevant to financial reporting |
| SOC2 | Internal controls for Security, Availability, Confidentiality, Process Integrity, Privacy | Restricted use, stakeholders require NDA | Specific detail on each control for the "Trust Criteria" in scope |
| SOC2 | Internal controls for Security, Availability, Confidentiality, Process Integrity, Privacy | Can be shared publicly, unrestricted | General description |

Available assessments

There are three different SOC assessments:

  • SOC for Service Organizations : Internal report on the controls operated by the organization, allowing users to assess risks.

  • SOC for Cybersecurity : Reporting framework allowing organizations to communicate the effectiveness of their cybersecurity risk management.

  • SOC for Supply Chain : Internal controls report covering the production, manufacturing or distribution of goods.

Report types

Type 1 Report

  • Focus on control design
  • Shorter time to undertake assessment
  • Can be undertaken prior to Type 2
  • Costs less than Type 2 report

Type 2 Report

  • Focus on operational effectiveness
  • Longer time to undertake assessment
  • Must have at least 6 months of evidence
  • Costs more than Type 1 report

Benefits of Being Certified

  • Customer demand
  • Independent security assurance
  • Competitive advantage
  • Regulatory compliance
  • Feedback on operational effectiveness

Example

AWS SOC Compliance

SOC Trust Criteria

The first 5 Common Criteria come from the COSO framework, which comprises 17 principles. The 4 other Common Criteria (all of which are mandatory) are SOC2 specific. Additionally, the Additional Criteria can be covered if chosen by the company requesting the audit.

Common criteria (CC)

CC1 - Control Environment

  • CC1.1 - Demonstrate commitment to integrity & ethical values
  • CC1.2 - Exercise oversight of internal controls
  • CC1.3 - Establish structures & responsibility to meet objectives
  • CC1.4 - Demonstrate commitment to competence
  • CC1.5 - Enforce accountability

CC2 - Communication & Information

  • CC2.1 - Use quality information to support controls
  • CC2.2 - Communicate internally regarding controls
  • CC2.3 - Communicate externally regarding controls

CC3 - Risk Assessment

  • CC3.1 - Specify clear objectives
  • CC3.2 - Identify and assess risk
  • CC3.3 - Consider fraud risk
  • CC3.4 - Identify and assess significant change

CC4 - Monitoring Activities

  • CC4.1 - Evaluate components of internal controls
  • CC4.2 - Communicate deficiencies in a timely manner

CC5 - Control Activities

  • CC5.1 - Select control activities to mitigate risk
  • CC5.2 - Select general controls over technology
  • CC5.3 - Deploy controls through policies

CC6 - Logical & Physical Access

  • CC6.1 - Protect information assets with logical access security controls
  • CC6.2 - Authorize users before granting access, remove promptly
  • CC6.3 - Apply least privilege and segregation of duties
  • CC6.4 - Restrict physical access to authorized personnel
  • CC6.5 - Remove sensitive data before relaxing physical controls
  • CC6.6 - Implement logical access security measures
  • CC6.7 - Restrict removal of information and protect in transit
  • CC6.8 - Protect against installation of malicious software

CC7 - System Operations

  • CC7.1 - Identify changes in configuration and vulnerabilities
  • CC7.2 - Monitor system for anomalies
  • CC7.3 - Evaluate security incidents
  • CC7.4 - Respond to security incidents using a defined plan
  • CC7.5 - Identify and implement activities to recover from incidents

CC8 - Change management

  • CC8.1 - Authorize, design, test and approve changes to meet objectives

CC9 - Risk Mitigation

  • CC9.1 - Identify and select risk mitigation activities
  • CC9.2 - Assess and manage risk from vendors/partners

Additional criteria (AC)

  • Availability
  • Confidentiality
  • Process Integrity
  • Privacy