
SOC-2 CC3: Risk Assessment

The third SOC 2 requirement in the CC series is Risk Assessment. Its four criteria, CC3.1 to CC3.4, correspond to COSO principles 6 to 9, so most of the points of focus below are COSO's; each criterion then adds points that apply specifically to engagements using the trust services criteria.

CC3.1

SOC 2 CC3.1 requires that your organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

CC3.1 highlights the following points of focus:

Operations Objectives

Reflects Management's Decisions

Your organisation’s operations objectives should accurately reflect management's decisions about structure, industry considerations, and organisation performance.

Considers Tolerance Levels for Risk

Your management team should consider the acceptable levels of variation relative to the attainment of your organisation’s operations objectives.

Includes Operations and Financial Performance Objectives

The organisation should indicate the desired level of operations and financial performance within its operations objectives.

Forms a Basis for Committing of Resources

Management should use your organisation’s operations objectives as a basis for allocating resources needed to achieve desired operations and financial performance.

External Financial Reporting Objectives

Complies With Applicable Accounting Standards

Your organisation’s financial reporting objectives should be consistent with accounting principles suitable and available for the organisation. The accounting principles selected should be pertinent in the circumstances.

Considers Materiality

The management team should consider materiality in financial statement reporting.

Reflects Organisational Activities

External reporting should reflect the underlying transactions and events so as to support the qualitative characteristics and assertions of the financial statements.

External Nonfinancial Reporting Objectives

Complies With Externally Recognised Frameworks

The management team should establish objectives consistent with laws and regulations or standards and frameworks of recognised external entities.

Reflects the Necessary Level of Precision

Management should consider the required level of precision and accuracy appropriate for user needs and based on criteria established by third parties in nonfinancial reporting.

Reflects Entity Activities

Your organisation’s external reporting should reflect the underlying transactions and events within a range of acceptable limits.

Internal Reporting Objectives

Reflects Management's Choices

Your organisation’s internal reporting should provide management with accurate and complete information about its choices and the information needed to manage the organisation.

Reflects the Necessary Level of Precision

Management should consider the required level of precision and accuracy appropriate for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.

Reflects Entity Activities

Your organisation’s internal reporting should reflect the underlying transactions and events within a range of acceptable limits.

Compliance Objectives

Reflects External Laws and Regulations

Laws and regulations determine minimum standards of conduct, which your organisation should integrate into compliance objectives.

Considers Tolerances for Risk

Your management team should consider acceptable levels of variation relative to achieving your organisation’s operations objectives.

An additional point of focus specifically related to all engagements using the trust services criteria:

Establishes Sub-objectives to Support Objectives

The management team should identify sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of your organisation’s objectives related to reporting, operations, and compliance.

CC3.2

SOC 2 CC3.2 requires that your organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.

CC3.2 highlights the following points of focus:

Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels

The organisation should identify and assess risk at every level relevant to the accomplishment of its objectives:

  • Organisation (entity)
  • Subsidiary
  • Division
  • Operating unit
  • Function

Analyses Both Internal and External Factors

Your organisation’s risk identification process should consider both internal and external factors and their influence on achieving objectives.

Involves Suitable Levels of Management

The organisation should put effective risk assessment mechanisms in place, involving suitable levels of management.

Assesses Significance of Risks Identified

Your organisation should analyse identified risks through a process that includes assessing the possible significance of the risk.

Defines How to Respond to Risks

Risk assessment should include considering how the risk should best be managed and whether to accept, avoid, reduce, or share the risk.

Additional points of focus specifically related to all engagements using the trust services criteria:

Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities

Your organisation’s risk identification and assessment procedure should include:

  • Recognising information assets. This includes physical devices and systems, virtual devices, software, data and data flows, external information systems and organisational roles
  • Evaluating the criticality of the identified information assets
  • Recognising the threats to your information assets from intentional (including malicious) and unintentional acts as well as environmental events
  • Identifying the possible vulnerabilities of the information assets.

Evaluates Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties

Your organisation’s risk assessment procedure should include analysing potential threats and vulnerabilities from vendors providing goods and services.

The risk assessment procedure should also include the analysis of threats and vulnerabilities that could arise from business partners, customers, and others with access to your organisation’s information systems.

Considers the Significance of the Risk

Consideration of the potential significance of the identified risks should include:

  • Establishing the criticality of identified information assets in meeting your organisation’s objectives
  • Assessing the impact of identified threats and vulnerabilities in meeting your organisation’s objectives
  • Assessing the probability of identified threats
  • Ascertaining the risk linked to assets based on asset criticality, threat impact, and probability.
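The two lists above (identifying assets, threats and vulnerabilities, then rating risk from asset criticality, threat impact and likelihood) are the parts of CC3.2 that an engineer usually has to turn into a repeatable process. The following risk-register script is an added example, not code from the page or from any SOC 2 framework. Everything it fixes is an assumption: the 1 to 5 ordinal scales, the multiplicative score (criticality × impact × likelihood), the tolerance and "critical" thresholds, and the rule that a risk on a third-party-provided asset above tolerance is "shared" (contract terms, vendor controls, insurance) rather than "reduced". The asset inventory and threat list are constructed sample data.

```python
"""Worked risk-register scoring for SOC 2 CC3.2 (added example, not from the page)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Literal

# The three threat sources named in the CC3.2 point of focus.
ThreatSource = Literal["intentional", "unintentional", "environmental"]


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                  # physical device, virtual device, software, data flow, external system, role
    criticality: int           # 1 (peripheral) .. 5 (essential to objectives); assumed scale
    third_party: bool = False  # provided by, or accessible to, a vendor, partner or customer


@dataclass(frozen=True)
class Threat:
    asset: str                 # name of the Asset it targets
    description: str
    source: ThreatSource
    vulnerability: str         # weakness that lets the threat act on the asset
    likelihood: int            # 1..5; assumed scale
    impact: int                # 1..5; assumed scale


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    source: ThreatSource
    score: int
    response: str


def _scale(value: int, label: str) -> int:
    """Reject ratings outside the assumed 1..5 scale instead of silently scoring them."""
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {value}")
    return value


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = asset criticality x threat impact x threat likelihood, range 1..125.

    The multiplicative form is an assumption of this example; CC3.2 only requires
    that the three factors be considered together."""
    return (_scale(asset.criticality, "criticality")
            * _scale(threat.impact, "impact")
            * _scale(threat.likelihood, "likelihood"))


def choose_response(score: int, third_party: bool, tolerance: int, critical: int) -> str:
    """Map a score to one of the CC3.2 response options: accept, avoid, share, reduce.

    `tolerance` and `critical` stand in for management's risk tolerance levels (assumed)."""
    if score <= tolerance:
        return "accept"
    if score >= critical:
        return "avoid"    # e.g. decommission the asset or stop the activity
    if third_party:
        return "share"    # e.g. contractual terms, vendor controls, insurance
    return "reduce"       # implement or strengthen controls


def build_register(assets: list[Asset], threats: list[Threat],
                   tolerance: int = 20, critical: int = 100) -> list[RiskEntry]:
    """Score every threat against its asset and return the register, highest risk first."""
    by_name = {a.name: a for a in assets}
    entries = []
    for t in threats:
        asset = by_name.get(t.asset)
        if asset is None:  # a threat against an asset that is not in the inventory is a gap in CC3.2
            raise KeyError(f"threat references unknown asset {t.asset!r}")
        score = risk_score(asset, t)
        entries.append(RiskEntry(asset.name, t.description, t.source, score,
                                 choose_response(score, asset.third_party, tolerance, critical)))
    return sorted(entries, key=lambda e: e.score, reverse=True)


# Constructed sample inventory and threat list for the example; not real data.
SAMPLE_ASSETS = [
    Asset("customer-db", "data", criticality=5),
    Asset("legacy-ftp", "software", criticality=4),
    Asset("ci-runner", "virtual device", criticality=3),
    Asset("payroll-saas", "external system", criticality=4, third_party=True),
    Asset("office-wifi-ap", "physical device", criticality=2),
]

SAMPLE_THREATS = [
    Threat("customer-db", "credential stuffing against admin console", "intentional",
           "no MFA on administrative accounts", likelihood=3, impact=5),
    Threat("legacy-ftp", "plaintext credentials captured on the wire", "intentional",
           "unencrypted FTP still in use", likelihood=5, impact=5),
    Threat("ci-runner", "malicious dependency executed in the pipeline", "intentional",
           "unpinned third-party packages", likelihood=3, impact=4),
    Threat("payroll-saas", "vendor breach exposes salary data", "intentional",
           "no contractual breach-notification terms", likelihood=2, impact=4),
    Threat("office-wifi-ap", "power outage takes the access point offline", "environmental",
           "no UPS on the network closet", likelihood=3, impact=1),
]

if __name__ == "__main__":
    for e in build_register(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{e.score:3d} {e.response:<6} {e.asset:<14} [{e.source}] {e.threat}")
```

Running the script prints the register in descending order, so the top rows are the ones to walk through with the management levels CC3.2 asks to involve. The thresholds are the part to argue about with management rather than hard-code in practice; the point of the example is that the decision (accept, avoid, share, reduce) is recorded next to the score that justified it, which is the evidence an auditor looks for.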

CC3.3

SOC 2 CC3.3 requires that your organisation considers the potential for fraud in assessing risks to the achievement of objectives.

CC3.3 highlights the following points of focus:

Considers Various Types of Fraud

The organisation’s assessment of fraud should take into account fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.

Assesses Incentives and Pressures

Your organisation’s assessment of fraud risks should consider incentives and pressures.

Assesses Opportunities

The assessment of fraud risk should consider opportunities for:

  • Unauthorised possession, use, or disposal of assets
  • Altering the entity’s reporting records
  • Committing other inappropriate acts.

Evaluates Attitudes and Rationalisations

The organisation’s assessment of fraud risk should consider how management and other personnel might engage in or rationalise improper actions.

An additional point of focus specifically related to all engagements using the trust services criteria:

Considers the Risks Related to the Use of IT and Access to Information

Your organisation’s assessment of fraud risks should consider threats and vulnerabilities that could occur specifically from the use of IT and access to information.

CC3.4

SOC 2 CC3.4 requires that your organisation identifies and assesses changes that could significantly impact the internal control system.

CC3.4 highlights the following points of focus:

Considers Changes in the External Environment

Your organisation’s risk identification procedure should consider changes to the regulatory, economic, and physical environment in which the organisation operates.

Considers Changes in the Business Model

The organisation should consider the potential impact on the internal control system of new business lines, significantly altered compositions of existing business lines, acquired or divested business operations, rapid growth, changing reliance on foreign geographies, and new technologies.

Considers Changes in Leadership

Your organisation should consider changes in management, and the effect that the new leadership’s attitudes and philosophies have on the internal control system.

Additional points of focus specifically related to all engagements using the trust services criteria:

Considers Shifts in Systems and Technology

Your risk identification process should consider changes in your organisation’s systems and technology environment, such as new platforms, migrations, and changes to system boundaries.

Considers Changes in Vendor and Business Partner Relationships

Your risk identification process should consider potential changes in vendor and business partner relationships.