CC2.1
SOC 2 CC2.1 requires that your organisation acquires or produces and uses relevant, high-quality information to support internal control.
CC2.1 highlights the following points of focus:
Identifies Information Requirements
Your organisation should have a process in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of your objectives.
Captures Internal and External Sources of Data
Your organisation’s information systems should capture both internal and external sources of data.
Processes Relevant Data Into Information
The organisation’s information systems should process and convert relevant data into information.
Maintains Quality Throughout Processing
Your organisation’s information systems should produce information that is:
- Timely
- Current
- Accurate
- Complete
- Accessible
- Protected
- Verifiable
- Retained.
Information should be consistently reviewed to evaluate its relevance in aiding your internal control components.
CC2.2
SOC 2 CC2.2 requires that your organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
CC2.2 highlights the following points of focus:
Communicates Internal Control Information
Your organisation should have a process in place to communicate required information, enabling all staff to recognise and undertake their internal control responsibilities.
Communicates With the Board of Directors
Communication between management and the board of directors should ensure that both parties have the information needed to fulfill their roles in line with your organisation’s objectives.
Provides Independent Communication Lines
The organisation should establish separate communication channels, such as whistle-blower hotlines. These should serve as fail-safe mechanisms, enabling anonymous or confidential communication when normal channels are inoperative or ineffective.
Chooses Appropriate Method of Communication
Your organisation’s method of communication should take into account the timing, intended audience, and nature of the information being communicated.
Additional points of focus specifically related to all engagements using the trust services criteria:
Communicates Obligations
Any organisation personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls should receive communications about their responsibilities and about any changes to those responsibilities, and they should have the information required to carry out those obligations.
Communicates Information on Reporting Breakdowns, Incidents, Concerns, and Other Complaints
Your organisation’s staff should be provided with information on how to report system failures, incidents, concerns, and other complaints.
Communicates Objectives and Adjustments to Objectives
The organisation should communicate its objectives and any changes to those objectives to employees in a timely manner.
Communicates Information to Improve Security Knowledge and Awareness
Your organisation should communicate information to improve security knowledge and awareness. You should also model appropriate security behaviours to employees through a security awareness training programme.
Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:
Communicates Information About System Operation and Boundaries
The organisation should prepare and convey information about the design and operation of the system and its boundaries to authorised employees. This should also enable them to understand their role in the system and the results of system operation.
Communicates System Objectives
Your organisation should communicate its objectives to employees to support them in carrying out their responsibilities.
Communicates System Changes
Any system changes that impact responsibilities or the achievement of your objectives should be conveyed quickly and effectively.
CC2.3
SOC 2 CC2.3 requires that your organisation communicates with external parties regarding issues impacting the operation of internal control.
CC2.3 highlights the following points of focus:
Communicates to External Parties
Your organisation should put processes in place to convey relevant and timely information to external parties. This includes:
- Shareholders
- Partners
- Owners
- Regulators
- Customers
- Financial analysts
- Other external parties.
Facilitates Inbound Communications
The organisation should use open communication channels allowing input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others. This should provide management and the board of directors with relevant information.
Communicates With the Board of Directors
Assessments conducted by external parties should be communicated to the organisation’s board of directors.
Provides Separate Communication Lines
Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
Selects Appropriate Form of Communication
Your organisation’s method of communication should consider the timing, intended audience, and nature of the communication. It should also take into account legal, regulatory, and fiduciary obligations and expectations.
Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality:
Communicates Objectives Associated with Confidentiality and Modifications to Objectives
The organisation should communicate objectives and any changes to objectives related to confidentiality to:
- External users
- Vendors
- Business partners
- Others whose products and services are part of the system.
Additional point of focus that applies only to an engagement using the trust services criteria for privacy:
Communicates Objectives Associated with Privacy and Modifications to Objectives
Your organisation should communicate objectives related to privacy and changes to those objectives to:
- External users
- Vendors
- Business partners
- Others whose products and services are part of the system.
Additional points of focus that apply only when an engagement using the trust services criteria is performed at system level:
Communicates Information About System Operation and Boundaries
The organisation should prepare and communicate information about the design and operation of the system and its boundaries to authorised external users. This permits users to understand their role in the system and the results of system operation.
Communicates System Objectives
Your organisation should communicate its system objectives to appropriate external users.
Communicates System Responsibilities
External users with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls should receive communications about their responsibilities and have the information required to carry out those duties.
Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters
External users should be provided with information on how to report system failures, incidents, concerns, and other complaints.