SOC 2 Academy

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. If an organization opts to include the processing integrity category in their audit, they need to comply with the additional criteria for processing integrity. Processing integrity criteria 1.3 says, “The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives.” Let’s discuss why identifying logging errors is crucial to complying with this criterion.

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the confidentiality category in their audit, they would need to comply with the additional criteria for confidentiality. Confidentiality criteria 1.2 says, “The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss.

When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the availability category in their audit, they would need to comply with the additional criteria for availability. Availability criteria 1.2 says, “The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” We’ve discussed how organizations can comply with this criterion, but we believe there’s a key component that requires further discussion: data backup processes. Let’s take a look at why organizations need to have proper data backup processes and how it impacts SOC 2 compliance.

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.1 says, “The entity assesses and manages risks associated with vendors and business partners.” How can organizations be sure that they’re complying with this criterion? Let’s discuss the difference between identifying your vendor as carve-out or inclusive and why it matters during a SOC 2 audit.

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 8.1 says, “The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.” How can organizations be sure that they’re complying with this criterion? Let’s discuss some change management best practices that organizations should be following.

When a service organization undergoes a SOC 2 audit, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.4 says, “The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.” Let’s take a look at what organizations need to do to comply with this criterion and why it's important to establish incident response teams.

When an organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 7.1 says, “To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.” What will an auditor look for when assessing this criterion? What do organizations need to do to demonstrate that they have processes to detect and monitor changes in their system configurations? Let’s discuss.

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.7. Common criteria 6.7 says, “The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.” While we’ve discussed ways that organizations can comply with this requirement, let’s take a look at how an organization’s environment can change the way they approach compliance with common criteria 6.7.

When a service organization pursues SOC 2 compliance, auditors will verify whether they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.5 says, “The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.” Let’s take a look at why disposing of physical devices is important.

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 6.3. Common criteria 6.3 says, “The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.” How can organizations comply with this requirement? It comes down to three things: assigning roles and responsibilities, implementing the concept of least access necessary, and creating a separation of duties.

While not requirements, points of focus are meant to serve as references to assist organizations when they are designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. When it comes to implementing logical access controls, there are some additional points of focus that will help organizations ensure that their information security systems remain secure. Let’s take a look at how these additional points of focus will help service organizations comply with common criteria 6.1 during a SOC 2 audit.

During a SOC 2 audit engagement, an auditor will validate that an organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria, which means that they will assess an organization’s compliance with common criteria 5.2. Common criteria 5.2 says, “The entity also selects and develops general control activities over technology to support the achievement of objectives." This means that organizations need to design and develop processes to ensure that the technology being used is effective and helping the organization meet its business objectives. How can organizations go about designing processes for their technology? Let's discuss.

Establishing methods of effective monitoring is a critical component of SOC 2 compliance. During a SOC 2 audit, an auditor will not only assess whether or not an organization is effectively monitoring their internal controls but also whether or not the proper person is monitoring those internal controls. Why is that? It comes down to the need for checks and balances, so let’s discuss.

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.4 (CC3.4) states, “The entity identifies and assesses changes that could significantly impact the system of internal control.” Let’s take a look at what organizations need to do during their SOC 2 audit to demonstrate compliance with common criteria 3.4.

During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.2 states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed." When an auditor is assessing an organization’s compliance with this, they will observe how an organization is assessing the significance of risks found in their risk assessment. Let’s take a look at what organizations need to do to demonstrate compliance with common criteria 3.2.

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.1 (CC3.1) states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.”  Why is common criteria 3.1 so critical for SOC 2 compliance? Let’s discuss.

Communication is one of the underpinnings of meeting the requirements within the SOC 2 Trust Services Criteria. Common criteria 2.2 says, “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.4 says that an organization must demonstrate a commitment to attracting, developing, and retaining competent employees in alignment with objectives. How can organizations do this? Let’s discuss.

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. The first common criteria (CC1.1) states, “The entity demonstrates a commitment to integrity and ethical values.” So, what does an organization need to do to demonstrate this? How will the auditor test for integrity? Let’s discuss.

What is a Point of Focus? In the past, many organizations have struggled on their journey toward SOC 2 compliance because they lacked an understanding of what they needed to do to comply with the Trust Services Criteria.