
CC2.1

SOC 2 CC2.1 requires that your organisation acquires or produces and uses relevant, high-quality information to support internal control.

CC2.1 highlights the following points of focus:

Identifies Information Requirements

Your organisation should have a process in place to identify the information required and expected to support the operation of the other components of internal control and the achievement of your objectives.

Captures Internal and External Sources of Data

Your organisation’s information systems should capture both internal and external sources of data.

Processes Relevant Data Into Information

The organisation’s information systems should process and convert relevant data into information.

Maintains Quality Throughout Processing

Your organisation’s information systems should produce information that is:

  • Timely
  • Current
  • Correct
  • Complete
  • Available
  • Protected
  • Verifiable
  • Maintained.

Information should be consistently reviewed to evaluate its relevance in aiding your internal control components.

CC2.2

SOC 2 CC2.2 requires that your organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

CC2.2 highlights the following points of focus:

Communicates Internal Control Information

Your organisation should have a process in place to communicate required information, enabling all staff to recognise and undertake their internal control responsibilities.

Communicates With the Board of Directors

Communication between management and the board of directors should ensure that both parties have the information needed to fulfil their roles in line with your organisation’s objectives.

Provides Independent Communication Lines

The organisation should establish separate communication channels, such as whistle-blower hotlines. These should facilitate anonymous or confidential communication when normal channels are defective or ineffective.

Chooses Appropriate Method of Communication

Your organisation’s method of communication should take into account the:

  • Timing
  • Intended audience
  • Nature

of the information being communicated.

Additional points of focus specifically related to all engagements using the trust services criteria:

Communicates Obligations

Any organisation personnel with responsibility for the following aspects of system control:

  • Design
  • Development
  • Implementation
  • Operation
  • Maintenance

should receive communications about their responsibilities and about any changes to them, and should have the information required to carry out those obligations.

Communicates Information on Reporting Breakdowns, Incidents, Concerns, and Other Complaints

Your organisation’s staff should be provided with information on how to report system failures, incidents, concerns, and other complaints.

Communicates Objectives and Adjustments to Objectives

The organisation should communicate its objectives and any changes to those objectives to employees in a timely manner.

Communicates Information to Improve Security Knowledge and Awareness

Your organisation should communicate information to improve security knowledge and awareness. You should also model appropriate security behaviours to employees through a security awareness training programme.

Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:

Communicates Information About System Operation and Boundaries

The organisation should prepare and convey information about the design and operation of the system and its boundaries to authorised employees. This should also enable them to understand their role in the system and the results of system operation.

Communicates System Objectives

Your organisation should communicate its objectives to employees to support them in carrying out their responsibilities.

Communicates System Changes

Any system changes that impact responsibilities or the achievement of your objectives should be conveyed quickly and effectively.

CC2.3

SOC 2 CC2.3 requires that your organisation communicates with external parties regarding issues impacting the operation of internal control.

CC2.3 highlights the following points of focus:

Communicates to External Parties

Your organisation should put processes in place to convey relevant and timely information to external parties. This includes:

  • Shareholders
  • Partners
  • Owners
  • Regulators
  • Customers
  • Financial analysts
  • Other external parties.

Facilitates Inbound Communications

The organisation should use open communication channels allowing input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others. This should provide management and the board of directors with relevant information.

Communicates With the Board of Directors

Assessments conducted by external parties should be communicated to the organisation’s board of directors.

Provides Separate Communication Lines

Separate communication channels, such as whistle-blower hotlines, should be in place and serve as fail-safe mechanisms that enable anonymous or confidential communication when normal channels are inoperative or ineffective.

Selects Appropriate Form of Communication

Your organisation’s method of communication should consider the timing, intended audience, and nature of the communication. It should also take into account legal, regulatory, and fiduciary obligations and expectations.

Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality:

Communicates Objectives Associated with Confidentiality and Modifications to Objectives

The organisation should communicate objectives and any changes to objectives related to confidentiality to:

  • External users
  • Vendors
  • Business partners
  • Others whose products and services are part of the system.

Additional point of focus that applies only to an engagement using the trust services criteria for privacy:

Communicates Objectives Associated with Privacy and Modifications to Objectives

Your organisation should communicate objectives related to privacy and changes to those objectives to:

  • External users
  • Vendors
  • Business partners
  • Others whose products and services are part of the system.

Additional points of focus that apply only when an engagement using the trust services criteria is performed at system level:

Communicates Information About System Operation and Boundaries

The organisation should prepare and communicate information about the design and functioning of the system and its limitations to authorised external users. This permits users to understand their responsibility in the system and the outcomes of system operation.

Communicates System Objectives

Your organisation should communicate its system objectives to appropriate external users.

Communicates System Responsibilities

External users with responsibility for:

  • Designing
  • Developing
  • Implementing
  • Operating
  • Maintaining
  • Monitoring

system controls should receive communications about their responsibilities and have the information required to carry out those duties.

Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters

External users should be provided with information on how to report system failures, incidents, concerns, and other complaints.