
SOC-2 CC2: Communication and Information

The second SOC-2 requirement in the CC-Series is Communication and Information.

CC2.1

SOC 2 CC2.1 requires that your organisation acquire, produce, and use relevant, high-quality information to support internal control.

CC2.1 highlights the following points of focus:

Identifies Information Requirements

Your organisation should have a focus on recognising the information necessary and expected to support the operation of the other internal control elements and achieve your objectives.

Captures Internal and External Sources of Data

Your organisation’s information systems should capture both internal and external data sources.

Processes Relevant Data Into Information

The organisation’s information systems should process and convert relevant data into information.

Maintains Quality Throughout Processing

Your organisation’s information systems should produce information that is:

  • Timely
  • Current
  • Correct
  • Complete
  • Available
  • Protected
  • Verifiable
  • Maintained

Information should be consistently reviewed to evaluate its relevance in aiding your internal control components.

CC2.2

SOC 2 CC2.2 requires that your organisation internally communicate information, including objectives and responsibilities for internal control, necessary to support its functioning.

CC2.2 highlights the following points of focus:

Communicates Internal Control Information

Your organisation should have a process for communicating required information, enabling all staff to recognise and undertake their internal control responsibilities.

Communicates With the Board of Directors

Communication between management and the board of directors should ensure both parties have the information needed to fulfill their roles per your organisation’s objectives.

Provides Independent Communication Lines

The organisation should establish separate communication channels, such as whistle-blower hotlines. These should facilitate anonymous or confidential communication when normal channels are defective or ineffective.

Chooses Appropriate Method of Communication

Your organisation’s method of communication should take into account the:

  • Timing
  • Intended audience
  • Nature

of the information being communicated.

Additional points of focus specifically related to all engagements using the trust services criteria:

Communicates Obligations

Any organisation personnel with responsibility for the following aspects of system controls:

  • Design
  • Development
  • Implementation
  • Operation
  • Maintenance

should receive communications about their responsibilities and about any changes to those responsibilities, and should have the information required to carry out those obligations.

Communicates Information on Reporting Breakdowns, Incidents, Concerns, and Other Complaints

Your organisation’s staff should be provided with information on how to report system failures, incidents, concerns, and other complaints.

Communicates Objectives and Adjustments to Objectives

The organisation should communicate its objectives and any changes to those objectives to employees in a timely manner.

Communicates Information to Improve Security Knowledge and Awareness

Your organisation should communicate information to improve security knowledge and awareness. You should also model appropriate security behaviours to employees through a security awareness training programme.

Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:

Communicates Information About System Operation and Boundaries

The organisation should prepare and convey information about the system's design and operation and its boundaries to authorised employees. This should also enable them to understand their role in the system and its results.

Communicates System Objectives

Your organisation should communicate its objectives to employees to support them in their responsibilities.

Communicates System Changes

Any system changes that impact responsibilities or the achievement of your objectives should be conveyed quickly and effectively.

CC2.3

SOC 2 CC2.3 requires that your organisation communicate with external parties regarding issues impacting the operation of internal control.

CC2.3 highlights the following points of focus:

Communicates to External Parties

Your organisation should implement processes to convey relevant and timely information to external parties. This includes:

  • Shareholders
  • Partners
  • Owners
  • Regulators
  • Customers
  • Financial analysts
  • Other external parties.

Facilitates Inbound Communications

The organisation should use open communication channels allowing input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others. This should provide management and the board of directors with relevant information.

Communicates With the Board of Directors

Assessments conducted by external parties should be communicated to the organisation’s board of directors.

Provides Separate Communication Lines

Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.

Selects Appropriate Form of Communication

Your organisation’s method of communication should consider the timing, intended audience, and nature of the communication. It should also consider legal, regulatory, and fiduciary obligations and expectations.

An additional point of focus that applies only to an engagement using the trust services criteria for confidentiality:

Communicates Objectives Associated with Confidentiality and Modifications to Objectives

The organisation should communicate objectives and any changes to objectives related to confidentiality to:

  • External users
  • Vendors
  • Business partners
  • Others whose products and services are part of the system.

An additional point of focus that applies only to an engagement using the trust services criteria for privacy:

Communicates Objectives Associated with Privacy and Modifications to Objectives

Your organisation should communicate objectives related to privacy and changes to those objectives to:

  • External users
  • Vendors
  • Business partners
  • Others whose products and services are part of the system.

Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:

Communicates Information About System Operation and Boundaries

The organisation should prepare and communicate information about the system's design, functioning, and limitations to authorised external users. This permits users to understand their responsibility in the system and the outcomes of system operation.

Communicates System Objectives

Your organisation should communicate its system objectives to appropriate external users.

Communicates System Responsibilities

External users with responsibility for:

  • Designing
  • Developing
  • Implementing
  • Operating
  • Maintaining
  • Monitoring

system controls should receive communications about their responsibilities and have the information required to carry out those duties.

Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters

External users should be provided with information on reporting system failures, incidents, concerns, and other complaints.