SOC 2 CC5.1 requires that your organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
CC5.1 highlights the following points of focus:
Integrates With Risk Assessment
Your organisation’s control activities should help ensure that risk responses that both address and alleviate risks are undertaken.
Considers Organisation-Specific Factors
The management team should consider how the environment, complexity, nature, and scope of its operations, as well as the specific attributes of the organisation, impact the selection and progression of control activities.
Determines Appropriate Business Processes
Your management team should determine which relevant business procedures require control activities.
Considers a Mix of Control Activity Types
Your organisation’s control activities should include a range and variety of controls, and may include a balance of approaches to mitigate risks. This may include considering both manual and automated controls as well as preventive and detective controls.
Considers at What Level Activities Are Applied
The management team should consider control activities at multiple levels in the organisation.
Addresses Segregation of Duties
Your management team should separate incompatible duties and, where such separation is not practical, management should select and develop alternate control activities.
SOC 2 CC5.2 requires that your organisation selects and develops general control activities over technology to support the achievement of objectives.
CC5.2 highlights the following points of focus:
Determines Reliance Between the Use of Technology in Business Processes and Technology General Controls
The management team should understand and establish the dependency and connection between business processes, automated control activities, and technology general controls.
Determines Relevant Technology Infrastructure Control Activities
Management should select and develop control activities over the technology infrastructure. These control activities should be designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
Establishes Appropriate Security Management Process Control Activities
The management team should select and develop control activities that are designed and implemented to restrict technology access rights to authorised users in line with their job responsibilities and to protect your organisation’s assets from external threats.
Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
Management should select and develop control activities pertaining to the acquisition, development, and maintenance of technology and its infrastructure to achieve the management team’s objectives.
SOC 2 CC5.3 requires that your organisation deploys control activities through policies that establish what is expected and in procedures that put policies into action.
CC5.3 highlights the following points of focus:
Creates Policies and Procedures to Support Implementation of Management’s Directives
Management should establish control activities that are built into business procedures as well as employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.
Establishes Responsibility and Accountability for Executing Policies and Procedures
The management team should establish responsibility and accountability for control activities with management (or other appointed employees) of the business unit or function in which the related risks reside.
Performs in a Timely Manner
Responsible personnel should undertake control activities in a timely manner, as defined by the organisation’s policies and procedures.
Takes Remedial Action
Responsible personnel should investigate and act on matters identified as a result of undertaking control activities.
Performs Using Skilled Personnel
Competent personnel with sufficient authority should perform control activities conscientiously and with ongoing focus.
Reexamines Policies and Procedures
The management team should regularly review control activities to determine their continued relevance and refresh them when needed.