SOC 2 Academy: Recovering from a Security Incident
Common Criteria 7.5
Because security incidents are a matter of when, not if, they occur, it’s a best practice to always analyze what happened and how an organization could have prevented it. That’s why during a SOC 2 audit, an auditor will assess an organization’s compliance with the 2017 Trust Services Criteria, which includes common criteria 7.5. Common criteria 7.5 says, “The entity identifies, develops, and implements activities to recover from identified security incidents.” Let’s discuss what an auditor will look for when assessing an organization’s compliance with this criterion.
Incident Response Recovery
Recovering from a security incident can be a tedious task, but it’s an opportunity for organizations to learn from their mistakes and strengthen their security posture. For service organizations pursuing SOC 2 compliance, they’ll want to demonstrate that they do the following throughout their incident response recovery to comply with common criteria 7.5:
- The organization’s incident response plan restores the affected environment to a level of functionality that allows them to meet their business objectives.
- The organization effectively communicates about the security incident, what actions were taken to recover from it, and how it can be prevented in the future.
- The organization determines the root cause of the event.
- The organization implements changes to prevent and detect recurrences.
- The organization improves response and recovery procedures.
- The organization implements periodic incident response testing.
It’s important that organizations keep in mind that security incidents and disasters can’t be 100% prevented. However, by creating, practicing, and implementing effective incident response programs, including the incident response recovery process, they’ll be more prepared for when disaster hits.
More Incident Response Resources
Common criteria 7.5 for SOC 2 compliance has to do with recovering from an incident. After the incident is over and the dust is settled, what should you do with it? You’ll want to learn from it. You should sit down and analyze the root cause of the incident, what you could’ve done differently, and what you learned from the situation that can help you in the future. You want to make sure that any incident that does get documented during the year of your audit period that you have a way to show the auditor that you have considered the results of the incident, learned from it, documented the lessons learned, had a debriefing, put new procedures into place, and modified the incident response program because of the lessons you learned. So, think about recovery when you consider common criteria 7.5 and how proper recovery would include learning from the incident and applying those changes to your incident response approach, so that you are stronger when or if another incident occurs.