SOC 2 Controls CC2: Communication and Information
The second SOC-2 requirement in the CC-Series is Communication and Information.
CC2.1
SOC 2 CC2.1 requires that your organisation acquire, produce, and use relevant, high-quality information to support internal control.
CC2.1 highlights the following points of focus:
Identifies Information Requirements
Your organisation should have a focus on recognising the information necessary and expected to support the operation of the other internal control elements and achieve your objectives.
Captures Internal and External Sources of Data
Your organisation’s information systems should capture both internal and external data sources.
Processes Relevant Data Into Information
The organisation’s information systems should process and convert relevant data into information.
Maintains Quality Throughout Processing
Your organisation’s information systems should produce information that is:
- Timely
- Current
- Correct
- Entire
- Available
- Protected
- Verifiable
- Maintained.
Information should be consistently reviewed to evaluate its relevance in aiding your internal control components.
CC2.2
SOC 2 CC2.2 requires that your organisation internally communicate information, including objectives and responsibilities for internal control, necessary to support its functioning.
CC2.2 highlights the following points of focus:
Communicates Internal Control Information
Your organisation should have a process for communicating required information, enabling all staff to recognise and undertake their internal control responsibilities.
Communicates With the Board of Directors
Communication between management and the board of directors should ensure both parties have the information needed to fulfil their roles per your organisation’s objectives.
Provides Independent Communication Lines
The organisation should establish separate communication channels, such as whistle-blower hotlines. These should facilitate anonymous or confidential communication when normal channels are defective or ineffective.
Chooses Appropriate Method of Communication
Your organisation’s method of communication should take into account the:
- Timing
- Intended audience
- Nature
Of the information being communicated.
Additional points of focus specifically related to all engagements using the trust services criteria:
Communicates Obligations
Any organisation personnel with responsibility for the following aspects of system control:
- Design
- Development
- Implementation
- Operation
- Maintenance
They should receive communications about their responsibilities, as well as reporting changes in their responsibilities, and they should also have the information required to carry out those obligations.
Communicates Information on Reporting Breakdowns, Incidents, Concerns, and Other Complaints
Your organisation’s staff should be provided with information on how to report system failures, incidents, concerns, and other complaints.
Communicates Objectives and Adjustments to Objectives
The organisation should communicate its objectives and any changes to those objectives to employees in a timely manner.
Communicates Information to Improve Security Knowledge and Awareness
Your organisation should communicate information to improve security knowledge and awareness. You should also model appropriate security behaviours to employees through a security awareness training programme.
Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:
Communicates Information About System Operation and Boundaries
The organisation should prepare and convey information about the system's design and operation and its boundaries to authorised employees. This should also enable them to understand their role in the system and its results.
Communicates System Objectives
Your organisation should communicate its objectives to employees to support them in their responsibilities.
Communicates System Changes
Any system changes that impact responsibilities or the achievement of your objectives should be conveyed quickly and effectively.
CC2.3
SOC 2 CC2.3 requires that your organisation communicates with external parties regarding issues impacting the operation of internal control.
CC2.3 highlights the following points of focus:
Communicates to External Parties
Your organisation should implement processes to convey relevant and timely information to external parties. This includes:
- Shareholders
- Partners
- Owners
- Regulators
- Customers
- Financial analysts
- Other external parties.
Facilitates Inbound Communications
The organisation should use open communication channels allowing input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others. This should provide management and the board of directors with relevant information.
Communicates With the Board of Directors
Assessments conducted by external parties should be communicated to the organisation’s board of directors.
Provides Separate Communication Lines
Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
Selects Appropriate Form of Communication
Your organisation’s method of communication should consider the timing, intended audience, and nature of the communication. It should also consider legal, regulatory, and fiduciary obligations and expectations.
An additional point of focus that applies only to an engagement using the trust services criteria for confidentiality:
Communicates Objectives Associated with Confidentiality and Modifications to Objectives
The organisation should communicate objectives and any changes to objectives related to confidentiality to:
- External users
- Vendors
- Business partners
- Others whose products and services are part of the system.
An additional point of focus that applies only to an engagement using the trust services criteria for privacy:
Communicates Objectives Associated with Privacy and Modifications to Objectives
Your organisation should communicate objectives related to privacy and changes to those objectives to:
- External users
- Vendors
- Business partners
- Others whose products and services are part of the system.
Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:
Communicates Information About System Operation and Boundaries
The organisation should prepare and communicate information about the system's design, functioning, and limitations to authorised external users. This permits users to understand their responsibility in the system and the outcomes of system operation.
Communicates System Objectives
Your organisation should communicate its system objectives to appropriate external users.
[H3] Communicates System Responsibilities
External users with responsibility for:
- Designing
- Developing
- Implementing
- Operating
- Maintaining
- Monitoring
System controls should receive communications about their responsibilities and have the information required to carry out those duties.
Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters
External users should be provided with information on reporting system failures, incidents, concerns, and other complaints.
Ready to Take Control of Your Privacy Compliance?
Book a demo and experience the difference with Hicomply.