Common Criteria 3.1
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.1 (CC3.1) states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.” Why is common criteria 3.1 so critical for SOC 2 compliance? Let’s discuss.
Conducting a Risk Assessment
During a SOC 2 audit, your auditor will want you to conduct a risk assessment, especially if you haven’t done one in the last year. Conducting a risk assessment is especially critical to SOC 2 compliance because it allows an organization to determine the controls that will be evaluated during the SOC 2 audit. It also allows organizations to identify the different types of risks that they might face.
Types of Risks
Understanding the types of risks that your organization faces is critical to maintaining a strong security posture, avoiding fines and penalties, and safeguarding the organization’s reputation. It’s imperative that an organization’s leadership recognizes that there are risks that go beyond threats to its information security systems. An organization must consider financial risks, market risks, operational risks, and risks associated with non-compliance with laws and regulations. During the SOC 2 audit process, the auditor will want to see that the organization has been thorough in performing its risk assessment. Has it considered various types of risks? Are the controls that are in place able to mitigate those different types of risks? If an organization fails to recognize the different types of risk it faces, it will be unable to achieve its business objectives.
More SOC 2 Resources
The risk assessment requirement in common criteria 3.1 (CC3.1) is a very important element of the SOC 2 Trust Services Criteria. Whenever we bring up doing a risk assessment to people who maybe haven’t done one recently and they ask, “Do we really have to do this?”, we say they do. We want you to do a risk assessment if you haven’t done one in the last year at least. A risk assessment is so critical to being SOC 2 compliant because that’s really the basis on which you select the controls that are going to be audited in the engagement. We’re going to ask you: what are you trying to deal with by putting these controls in place? Have you been broad enough in the risks you’ve considered? Risk is not only IT; risk is not just information security. There are financial risks, market risks, operational risks, and risks that come from non-compliance with laws and regulations. You really have to be very broad in your thinking and look for the risks that would cause your organization to not achieve the objectives that you have set out to achieve.