SOC 2 Academy: Mitigating Risks that Lead to Business Disruptions

by Joseph Kirkpatrick / March 15th, 2019

Common Criteria 9.1

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.1 says, “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” How can organizations be sure that they’re complying with this criterion? Let’s discuss why organizations need to mitigate risks that lead to business disruptions.

How to Comply with Common Criteria 9.1

It’s inevitable that businesses will encounter some type of security incident. Whether it’s a big or small incident, organizations who mitigate risks that lead to business disruptions will be better prepared. That’s where common criteria 9.1 comes into play. For service organizations committed to delivering secure services, they’ll need to demonstrate to their auditor during a SOC 2 audit that they mitigate risks that lead to business disruptions. How can they do that? We suggest two ways: creating a business continuity plan and purchasing insurance.

It’s critical that organizations have a business continuity plan in place in the event of a natural or man-made disaster. What would happen if a power outage, tornado, or data breach hit your organization and you didn’t have a plan in place? How would your organization function in the event of a disaster? Disasters hit when organizations are least expecting them, so establishing and practicing a disaster recovery plan will help organizations comply with common criteria 9.1.

Likewise, purchasing insurance should be a key consideration. If disaster strikes, what would be the financial impact to your business? An organization might have vendors, clients, employees, and other personnel that would be impacted. By purchasing insurance, organizations can be better prepared for when, not if, disaster hits and can effectively mitigate risks that lead to business disruptions.

SOC 2 Trust Services Criteria common criteria 9.1 is about risk mitigation. It says that the entity considers the types of mitigation activities that need to be put into place to recover from business disruptions. This type of disruption could result from a security event or from some type of disaster or natural event, so it’s important to identify which potential business disruptions could occur within your organization and keep you from meeting your objectives. If you are a print services provider and can’t output any media because of an event that occurred, that’s obviously a big impact to an organization like that. If you are hosting an application that people rely on and must get access to, and your application is down because of a denial-of-service attack, so that no one can use it the way you said they should be able to, that’s obviously a major business disruption. If you provide managed services to your clients and you’re not able to access your systems because you’ve gone through a ransomware attack, and your employees can’t get to the database or access the resources needed to work, that’s a major business disruption.

You want to think about alternative capabilities for recovering from those business disruptions in order to comply with common criteria 9.1. What are the other ways that you can put things into place? This really stems from a good business continuity plan. It’s really about continuity: something has been affected and we’re now operating in a less-than-desirable state, so how do we continue operations during this less-than-desirable situation until we can fully recover from it? Identifying potential disruptions and the impact they would have on you is a way to prioritize the types of mitigation activities you put into place.

Insurance is also something to consider. When you think about being down and unable to generate revenue, you’re going to face a huge financial risk, and insurance is a way to mitigate the financial impact of the disruption to your organization. Talk to your auditor. Be sure to check with us about advice, tips, and examples that would apply to your environment to help with any potential business disruptions that you might face.