Common Criteria 2.2
Communication is one of the underpinnings of meeting the requirements within the SOC 2 Trust Services Criteria. Common criteria 2.2 says, “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” For any type of organization to operate efficiently, there need to be established avenues of communication for all employees. How will an employee know whom to report an issue to if they are unaware of who should receive such information? How does an organization’s management relay expectations or concerns to its employees? During a SOC 2 audit, demonstrating that an organization effectively communicates is especially important. Let’s discuss the importance of two-way communication.
The Importance of Two-Way Communication
In order for an organization to demonstrate compliance with common criteria 2.2, there needs to be a clear process for two-way communication. The board of directors, C-level executives, or management must be able to clearly communicate roles, responsibilities, expectations, and concerns to each other and to their employees. If an organization’s objectives are not being met, how will the board of directors communicate this to management? If an issue arises within an organization, how will employees be addressed? If an employee is not meeting management’s expectations, how will this be communicated? Management might hold bi-annual meetings with the board of directors, opt to send out a company-wide newsletter to keep employees current on developments within the organization, or prefer weekly department calls.
On the other hand, while management and the board of directors should have clear communication channels to their employees, there also need to be defined mechanisms for employees to safely communicate with their superiors. For example, a whistleblower hotline would serve as a safe mode of communication for an employee who has discovered wrongdoing within a company. Hotlines allow employees to communicate issues to management without fear of reprisal and can empower employees to raise issues more promptly. Regardless of the communication channels put into place, an organization must provide clearly defined avenues for two-way communication so that the board of directors receives the information it needs to ensure the organization is meeting its objectives, and employees understand what they’re expected to do.
More SOC 2 Resources
You may not realize how important communication is to SOC 2 compliance. Communication is really one of the underpinnings of meeting the requirements within the SOC 2 Trust Services Criteria. Common criteria 2.2 talks about having two-way communication within your entity. For example, the board of directors or the C-level management should be providing communication to the rest of the employees, so that they understand what is expected of them and what is required to meet the objectives set forth for the organization. But also, employees need an avenue or mechanism to report issues up to the board. Maybe this takes place in weekly or monthly reports that are included in the board of directors’ meeting minutes; maybe it’s a whistleblower hotline. So, if someone sees something that isn’t working the way it’s supposed to, they have a way to get that information to the board. Whatever mechanism you choose to put into place, it just needs to provide that type of visibility so that the board is receiving the information it needs and employees understand what they’re expected to do.