The AICPA’s SOC 2 framework outlines five Trust Services Principles and Criteria. The criteria are made up of 64 controls:
- Security Controls
- Privacy Controls
- Confidentiality Controls
- Processing Integrity Controls
- Availability Controls
You don’t need to implement every control for your audit. The SOC 2 controls you need to implement will be based on the Trust Services Criteria you focus on and include in the scope of your audit. Security controls, known as common criteria, are required in every audit, and you may need to implement privacy, confidentiality, processing integrity or availability controls, known as additional criteria.
Below, we’ve outlined the SOC 2 controls list.
SOC 2 Common Criteria
CC1 Control Environment
The control environment criteria require that the organisation demonstrates a commitment to integrity and ethical values. The board of directors should show independence from management, and supervise the development and performance of internal control.
Structures, reporting lines, appropriate authorities and responsibilities should be established by management with board oversight, and the organisation should show a commitment to attracting, developing and retaining capable employees in alignment with its objectives.
Accountability is also key for these criteria – the organisation should be able to demonstrate how individuals are accountable for their control responsibilities.
CC2 Communication and Information
Communication and information criteria require that your organisation or entity obtains (or generates) and uses appropriate, quality information to support the functioning of internal control. Internal communications should include the internal control objectives and responsibilities necessary to support the functioning of internal control.
The organisation should also communicate with external parties regarding any matters impacting the functioning of internal control.
CC3 Risk Assessment
The organisation should clearly identify objectives to enable the identification and assessment of risks related to your objectives. This includes identifying risks to the achievement of your objectives across the full organisation, and analysing risks to determine how they should be managed.
You should also be able to demonstrate that your organisation considers the potential for fraud when assessing risks to the achievement of your objectives, and identify and assess changes that could significantly impact the system of internal control.
CC4 Monitoring Activities
Your organisation should choose, develop and execute ongoing and/or separate assessments to determine whether the elements of internal control are present and operational.
The business should also evaluate and communicate any identified internal control deficiencies quickly and effectively to whoever in your organisation is responsible for taking corrective action, including senior management and the board of directors.
CC5 Control Activities
The organisation should choose and develop control activities that contribute to the mitigation of risks to the attainment of its objectives to satisfactory levels. It should also choose and develop general control activities over technology to support the achievement of its objectives.
Your organisation should deploy control activities through policies that outline what is expected, and in procedures that put policies into action.
CC6 Logical and Physical Access Controls
Your business or organisation must implement logical access security software, infrastructure and architectures over information assets. The aim of this process is to protect assets from security events, enabling your organisation to meet its objectives.
You should register and authorise any new internal and external users whose access is administered by your organisation. This should be prior to system credentials being issued or access to the system being granted to these users. User system credentials should be removed when that user’s access is no longer authorised.
In line with this, your organisation must authorise, modify or remove access to data, software, functions and other protected information assets based on user roles and responsibilities, or on the system design and changes. In doing so, your organisation should consider the concepts of least privilege and segregation of duties in order to meet objectives.
The organisation should restrict physical access to facilities and protected information assets, e.g. data centre facilities, backup media storage and other sensitive locations, to only authorised personnel in order to meet your objectives. Your organisation should also discontinue logical and physical protections over physical assets only after the ability to read or recover information from those assets has been diminished, and is no longer required in order to meet objectives.
Your business should implement logical access security measures to protect against threats from sources outside your organisation’s system boundaries. Your organisation should restrict the transmission, movement and removal of information to authorised internal and external users and processes, and protect it during those processes.
In addition, you should execute controls to prevent or detect and act upon the introduction of unauthorised or malicious software to meet your objectives.
CC7 System Operations
Your organisation should use detection and monitoring procedures to identify:
- Changes to configurations that result in the introduction of new vulnerabilities
- Susceptibilities to newly discovered vulnerabilities.
It’s also important that your organisation monitors system components and the operation of those components for anomalies that are indicative of:
- Malicious acts
- Natural disasters
- Errors affecting your organisation’s ability to meet objectives.
You should analyse anomalies to determine whether they correspond to security events.
The organisation should evaluate security events to determine whether they could result, or have resulted, in a failure to meet security objectives and, if so, take action to prevent or address these failures.
If your organisation identifies a security incident, it should respond by executing a defined incident response programme to understand, contain, remediate and communicate the incident as appropriate. It should also identify, develop and implement activities to recover from identified security incidents.
CC8 Change Management
Your organisation should:
Changes to infrastructure, data, software and procedures to meet objectives.
CC9 Risk Mitigation
The organisation should assess and manage risks related to vendors and business partners.
A1 Additional Criteria for Availability
Your organisation should maintain, examine and assess current processing capacity and use of system components: infrastructure, data and software. This is to manage capacity demand and to support the employment of additional capacity to meet your organisation’s objectives.
In addition, the organisation should:
- Develop or acquire
Environmental protections, software, data backup processes, and recovery infrastructure. It should also test recovery plan procedures supporting system recovery to meet its objectives.
C1 Additional Criteria for Confidentiality
Your organisation should identify and maintain confidential information to meet your objectives related to confidentiality. To meet objectives related to confidentiality, you should dispose of confidential information.
PI1 Additional Criteria for Processing Integrity
Your organisation should
- Obtain or generate
Relevant, quality information regarding the objectives related to processing. This includes definitions of data processed as well as product and service specifications, to support the use of products and services.
The organisation should put in place policies and procedures over system inputs. This includes controls over completeness and accuracy to result in products, services, and reporting to meet your objectives. Policies and procedures over system processing should also be implemented, to result in products, services, and reporting to meet your objectives.
You also need to implement policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet your objectives, and implement policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet your objectives.
Additional Criteria for Privacy
P1 Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy
The organisation or business should provide notice to data subjects about its privacy practices to meet its privacy-related objectives. The notice should be updated and communicated to data subjects in a timely manner for changes to your organisation’s privacy practices, including changes in the use of personal information, to meet your objectives related to privacy.
P2 Privacy Criteria Related to Choice and Consent
You should communicate choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and any consequences of each choice.
The organisation must obtain explicit consent for the collection, use, retention, disclosure, and disposal of personal information from data subjects or other authorised individuals. This consent should be obtained only for the intended purpose of the information to meet your organisation’s privacy objectives.
In addition, your organisation should document its basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information.
P3 Privacy Criteria Related to Collection
Your organisation should collect personal information in a way that is consistent with your privacy objectives.
P4 Privacy Criteria Related to Use, Retention, and Disposal
The business or organisation limits the use of personal information to the purposes outlined in your privacy objectives.
P5 Privacy Criteria Related to Access
You should grant identified and authenticated data subjects the ability to access their stored personal information for review. Upon request, your organisation should provide physical or electronic copies of that information to data subjects to meet your privacy objectives. If access is denied, data subjects must be informed of the denial and reason for denial.
P6 Privacy Criteria Related to Disclosure and Notification
The organisation discloses personal information to third parties with the explicit consent of data subjects. Such consent should be obtained prior to disclosure in order to meet your privacy objectives.
P7 Privacy Criteria Related to Quality
Your organisation should collect and maintain accurate, up-to-date, complete, and relevant personal information to meet its privacy objectives.
P8 Privacy Criteria Related to Monitoring and Enforcement
You should implement a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitor compliance to meet your privacy objectives. Corrections and other necessary actions related to identified deficiencies should be made or taken in a timely manner.