Common Criteria 3.2

During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.2 states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” When an auditor is assessing an organization’s compliance with this, they will observe how an organization is assessing the significance of risks found in their risk assessment. Let’s take a look at what organizations need to do to demonstrate compliance with common criteria 3.2.

Quantifying or Qualifying the Significance of Risks

In order for an organization to demonstrate that they comply with common criteria 3.2, they’ll need to show their auditor how they go about assessing the significance of risks identified in their risk assessment. This can be done by implementing processes that allow an organization to quantify or qualify the significance of risks. During the beginning stages of a risk assessment, qualifying the likelihood of a risk and the potential impact that the risk has to the organization is helpful in risk-ranking the threats. On the other hand, once an organization has qualified the likelihood and impact of each risk, quantifying them takes risk-ranking to the next level. An organization may opt to quantifiably risk-rank the threats by high, medium, or low or they may choose to use numerical values to demonstrate the level of risk. While qualifying the risks may not be as accurate as quantifying them, both options help an organization in assessing the significance of risks.

For instance, let’s say that an organization has conducted their risk assessment and they found these risks: an open door that could allow a malicious intruder to access a sensitive area and a vulnerability in the network that could allow malicious hackers to access secure data. The organization is now tasked with assessing the significance of these risks, plus they must consider the likelihood and impact. The organization decides to quantifiably risk-rank the likelihood and impact of these threats based on a scale of one to ten. They determine that the likelihood of a malicious intruder entering through the open door is a four and the impact would be a seven, whereas the likelihood of a malicious hacker infiltrating the network and accessing sensitive data would be a seven and the impact a nine. By allocating a figure to the likelihood and impact of these risks, an organization can calculate the significance or severity of the risks by multiplying the likelihood by the impact. In this case, the significance of the malicious intruder would be 28 and the malicious hacker would be 63. By assessing the significance of risks, the organization would know to prioritize the vulnerability in the network over the open door.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcription’ tags=”]

A very important element in your risk assessment that you must have in place to comply with SOC 2 common criteria 3.2 (CC3.2) is a way to quantify or qualify the significance of your risk. You want to make sure that you put a figure in there for the impact of a threat to that risk. For example, if you have a risk of an open door to an area in your location and the threat is an intruder, what would the impact be if that intruder came into that sensitive area? You need to qualify that somehow. The second aspect of this is to quantify or qualify the likelihood of that happening. What would be the likelihood of an intruder coming in and doing that? You have to make sure that that is considered within the risk assessment and that you have some way of ranking things according to that impact and that likelihood, so that you can make the best decisions going forward on how you’re going to address those risks.

[/av_toggle]

[/av_toggle_container]

Common Criteria 3.2

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.2 (CC3.2) states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” We’ve discussed the different types of risks organizations can face and the importance of using the findings of a risk assessment, so let’s take a look at how to manage risks and what organizations need to do to demonstrate compliance with common criteria 3.2.

Managing Organizational Risks

A major component of using your risk assessment is assessing how to manage risks identified during the assessment. This includes evaluating the significance of the risks, assessing the likelihood of the risks, and determining how to respond to those risks. Ultimately, management must decide if they will accept, avoid, reduce, or share the risks found and how they will go about doing that. For instance, when an organization’s management meets to discuss the findings of the risk assessment, they’ll determine whether or not they want to accept certain risks or share them with someone else. This might be the case when an organization has partnered with a third-party vendor to perform part of their business process. If a risk is identified because of that partnership, the organization might reject that risk and place the responsibility on the vendor to mitigate it. Organizations might also opt to accept certain risks and will then have to determine additional controls to put into place to alleviate them.

So, how can an organization demonstrate compliance with common criteria 3.2 during a SOC 2 audit? Organizations should formally document how they plan to use their risk assessment to manage risk. In doing so,organizations are able to provide clear evidence to an auditor that they have performed a risk assessment, evaluated the significance of the risks to the organization,and have determined a plan to manage the risks identified. By having a process in place of how to manage risks, organizations are more likely to achieve their business objectives and maintain a strong security posture.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcription’ tags=”]

After your organization sits down and documents their risk assessment, the questions “So what? What do we do with this?” might be asked. The purpose of common criteria 3.2 is to look at how you used your risk assessment in order to make choices about how those risks were going to be managed. For example, you’ll have a meeting where you discuss your risks and you’ll decide whether or not to accept or avoid certain risks. We’re going to reduce this risk by putting additional controls in place, or we’re going to share this risk with someone else. You might look at insurance as a way to transfer risk away. Ultimately, as an auditor, we’re going to be looking at the decisions that you’ve made about how you are going to manage those risks. Having it documented in your risk assessment is a very important place to start.

[/av_toggle]

[/av_toggle_container]

Common Criteria 3.1

During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. When an auditor is assessing an organization’s compliance with common criteria 3.1, which states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives,” they will want to see that the entity not only conducts but uses their risk assessment. Let’s take a look at how organizations can go about using their risk assessment and why it’s so important.

The Importance of a Risk Assessment

Conducting a risk assessment is a proactive way that organizations can identify and assess organizational risk. However, another key element of a risk assessment is using the findings to prioritize the risks to the organization’s business continuity, reputation, financial health, and more. How can an organization’s management utilize their risk assessment? They can do so in a few ways, including:

  1. Managing day-to-day activities: Having a prioritized list of risks to an organization allows an entity’s management to have a better understanding of which risk needs more attention and how they can execute a plan of action to mitigate those risks during their day-to-day activities.
  2. Budgeting: When leadership understands where the organization’s risks lie, they will have more insight into how they need to budget and allocate funds to alleviate risks.
  3. Mitigating: Once management understands which risks are more important and they have allocated the necessary funds, they can begin mitigating the risks identified during the risk assessment.
  4. Monitoring: By conducting risk assessments on a regular basis, entities will be able to use their findings, compare them to past assessments, and monitor their progress.

Without conducting risk assessments on a regular basis, organizations will be unable to risk-rank threats to their organization, mitigate those risks efficiently, and ensure that their business objectives are met. For SOC 2 compliance, it’s absolutely necessary for organizations to perform risk assessments and demonstrate that they use their findings in a way that helps them meet their objectives.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcription’ tags=”]

While having a risk assessment is an important requirement for your SOC 2 compliance efforts, I also want to point out how important it is to utilize it on a day-to-day basis within your organization. The assessment of risk is something that you can use to manage your activities on an ongoing basis. For example, if you don’t know what your level of risk is on any particular day, you may not know what priority to place on certain activities. For example, in your budget, using your risk assessment is a way to allocate dollars to the areas that bring the best bang for the buck to make sure that you’re spending dollars in areas where you have the highest risks. Just make sure that you leverage your risk assessment and use it in the way that it is intended.

[/av_toggle]

[/av_toggle_container]

Common Criteria 3.1

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.1 (CC3.1) states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.” Why is common criteria 3.1 so critical for SOC 2 compliance? Let’s discuss.

Conducting a Risk Assessment

During a SOC 2 audit, your auditor will want you to conduct a risk assessment, especially if you haven’t done one in the last year. Conducting a risk assessment is especially critical to SOC 2 compliance because it allows an organization to determine the controls that will be evaluated during the SOC 2 audit. It also allows organizations to identify the different types of risks that they might face.

Types of Risks

Understanding the types of risks that your organization faces is critical in maintaining a strong security posture, avoiding fines and penalties, and safeguarding an organization’s reputation. It’s imperative that an organization’s leadership recognizes that there are risks that go beyond the threats to your information security systems. An organization must consider financial risks, market risks, operational risks, and risks associated with non-compliance with laws and regulations. During the SOC 2 audit process, the auditor will want to see that an organization has been thorough enough when performing their risk assessment. Have they considered various types of risks? Are the controls that are in place able to mitigate different types of risks? If an organization fails to recognize the different types of risk that the organization faces, the organization would be unable to achieve their business objectives.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcription’ tags=”]

The risk assessment requirement in common criteria 3.1 (CC3.1) is a very important element of the SOC 2 Trust Services Criteria. Whenever we bring up doing a risk assessment to people who maybe haven’t done one recently and they ask, “Do we really have to do this?” We say they do. We want you to do a risk assessment if you haven’t done one in the last year at least. A risk assessment is so critical to being SOC 2 compliant, because that’s really the basis on which you select the controls that are going to be audited in the engagement. We’re going to ask you: what are you trying to deal with by putting these controls in place? Have you been broad enough in the risks you’ve considered? Risk is not only IT; risk is not just information security. There are financial risks, market risks, operational risks, and risks that come from the non-compliance with laws and regulations. You really have to be very broad in your thinking and look for the risks that would cause your organization to not achieve the objectives that you have set out to achieve.

[/av_toggle]

[/av_toggle_container]

Common Criteria 2.3

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.3 says, “The entity communicates with external parties regarding matters affecting the functioning of internal control.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss how to organizations should be communicating with external parties.

Communicating with External Parties

Similar to common criteria 2.2, common criteria 2.3 calls for a system of two-way communication to be established by an organization and their external parties. External parties include an organization’s stakeholders, such as shareholders, partners, investors, owners, regulators, customers, vendors, or financial analysts. During a SOC 2 audit, an auditor will want to verify that an organization is communicating information regarding the functionality of the organization’s internal controls to these external parties. An auditor will also want to see that there are processes in place that allows external parties to communicate input, concerns, or feedback to the organization’s management or board of directors. For example, management might send out monthly newsletters to stakeholders updating them on the progress or current state of the organization’s internal controls. Management might also host a bi-annual meeting or send out an anonymous survey to all shareholders in order to receive feedback about the company. Regardless of the industry or size of an organization, communicating with external parties promotes the transparency needed to ensure that the organization’s internal controls are effectively running.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcription’ tags=”]

Common criteria 2.3 (CC2.3) of the SOC 2 Trust Services Criteria talks about communicating with external parties. Who are these external parties? I would call them stakeholders. Stakeholders to your organization would include owners, partners, customers, regulators, people who have a financial interest in your organization, vendors. All of these people need to be communicated with from time to time about not only your expectations of them, but also receiving feedback from them about how your organization is doing. Do you take any feedback from those types of stakeholders and consider and integrate it into your monitoring activities to make sure that your organization is operating the way that you expect?

[/av_toggle]

[/av_toggle_container]