Common Criteria 1.4
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the SOC 2 Trust Services Criteria. Common criteria 1.4 says that an organization must demonstrate a commitment to attracting, developing, and retaining competent employees in alignment with objectives. How can organizations do this? Let’s discuss.
Attracting, Developing, and Retaining Competent Employees
During a SOC 2 audit, service organizations must demonstrate that their internal controls are in place and operating effectively, and this will not be possible if the organization does not have competent employees. To attract such employees, organizations can begin with their job descriptions and job postings. Ensuring that job descriptions accurately portray the qualities and characteristics needed to successfully fulfill a position is crucial. For example, if an organization is looking to fill a role that requires strong attention to detail, this needs to be explicitly stated. Organizations that fail to effectively communicate the job requirements could end up hiring unfit candidates, which would waste resources and hinder the organization’s ability to meet its objectives.
Developing employees is another key component in ensuring that an organization has competent employees. This can be done in various ways: the on-boarding process, requiring continuing education courses, security awareness training, annual team meetings, weekly or monthly department calls, or one-on-one meetings with a supervisor. How can your employees expect to grow within your company? How will you retain employees? Do you offer a growth or success plan? Do you meet with individual employees on an annual basis to conduct performance reviews? If an organization wants to retain employees, it will need to give them a clear path on how they can grow with the organization.
Without attracting, developing, and retaining competent employees, organizations face a greater risk of vulnerabilities or potential breaches. It’s paramount that entities find candidates who are the right fit for the organization and that they continue to develop the right kind of employees, so that the organization can continue to meet its objectives.
More SOC 2 Resources
Common criteria 1.4 (CC 1.4) in the Trust Services Criteria is about hiring the best talent to come into your organization and help you meet your objectives. How do you attract, retain, and develop the best employees? Do you have job postings and job descriptions to help people understand your requirements for the position? Do you have training programs to help people understand what they’re supposed to do to be successful in your organization? Do you provide that instruction through policies, procedures, and other materials that you give employees on a day-to-day basis? Do you have succession or growth plans to help people grow into different positions within your organization? Have you implemented a performance management program to help people identify areas where they can improve and also to address deficiencies in an individual’s performance? All of these things are very important to have so that you can review your employees’ performance, evaluate their technical competency, and make sure that, before you bring them on board, they’re the right fit for your organization to help you meet your objectives.