SOC 2 Common Criteria List
A SOC 2 audit encompasses one to five Trust Service Categories, and Security is a must-have. Learn more about how the SOC 2 common criteria are evaluated.

SOC 2 is a widely recognized auditing framework developed by the American Institute of Certified Public Accountants (AICPA) to help service providers demonstrate their commitment to data security and privacy. This commitment is shown through the SOC audit report, which is based on the five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Every SOC 2 report can encompass one to five criteria categories, each covering a set of internal controls related to the organization’s security and/or privacy program. While all these criteria help evaluate the design and effectiveness of internal controls, only Security is required to be in the scope of every SOC 2 audit. This is why Security is often referred to as the SOC 2 common criteria. Organizations then decide whether to include the SOC 2 Specific Criteria - Availability, Processing Integrity, Confidentiality, and Privacy. When preparing for a SOC 2 audit, organizations should understand which set of controls is relevant to their business and which criteria auditors will use to evaluate the design and effectiveness of those controls. So, let’s uncover the SOC 2 common and specific criteria as well as the controls related to them.
SOC 2 Trust Service Criteria
A SOC audit report is based on the five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy.
All these criteria help evaluate the design and effectiveness of internal controls related to different aspects of the organization’s information security and privacy program. At the same time, these criteria fall into two groups:
- SOC 2 Common Criteria (Security): the common criteria are the core of the SOC 2 audit report, as they establish the criteria common to all the TSC and the comprehensive set of criteria for Security. For example, the criteria related to risk assessment apply to the four other categories. Every organization undergoing a SOC 2 audit must meet the common criteria.
- SOC 2 Specific Criteria: the specific criteria are additional requirements tied to the unique objectives of the individual TSC beyond Security. Organizations select specific criteria based on their business operations and client expectations. For example, a SaaS company offering data analytics may emphasize Processing Integrity, while a cloud storage provider may focus on Confidentiality.
In many cases, Security alone is enough for the SOC 2 audit report. But remember, a SOC 2 report typically covers a time span of 12 months - long enough for your business to expand to new operating horizons. So, the more categories you include, the more robust your SOC 2 report will be, and the more likely it will satisfy customers with growing expectations.
Security: SOC 2 Common Criteria List
We are starting with the set of controls that corresponds to Security, since it is obligatory for all SOC 2 engagements and it is what the other TSC are based on. Security refers to protecting information during its collection or creation, use, processing, transmission, and storage. It also addresses whether the system that uses electronic information is protected (both physically and logically) against unauthorized access, system failure, and incorrect processing. As such, the Security category is associated with the common controls that aim to protect data from unauthorized access, protect against malware, detect and respond to security incidents, and other general security controls.
CC1: Organization’s Control Environment
The purpose of the Control Environment is to establish a culture of accountability and integrity within the organization. This ensures that all individuals understand their roles and responsibilities and work in alignment with organizational goals. The key requirements in scope include a clearly defined organizational structure with well-documented roles and responsibilities, established onboarding/offboarding processes, and clear procedures for evaluating personnel performance. Some of the questions to ask yourself before the SOC 2 audit:
- Are processes to hire individuals and evaluate their performance in place?
- Have you defined the organization’s standards at all levels of the entity, including for outsourced service providers and business partners?
- Are the requirements relevant to security, availability, processing integrity, confidentiality, and privacy considered when defining authorities and responsibilities?
In practice, to perform best in this category, organizations must develop a code of conduct outlining ethical behavior and provide mandatory annual training to all employees.
CC2: Communication and Information
The CC2 set of criteria helps evaluate the effectiveness of controls that establish the entity’s obligations in collecting, generating, and using information. It aims to ensure that critical information flows efficiently within the organization and to external stakeholders to support decision-making and operational processes. Under this criterion, organizations must establish clear communication channels for policies, procedures, and system changes. Mechanisms for timely feedback and updates from employees and external partners are also necessary. Answer these (and many other) questions before the SOC 2 audit to understand what to expect:
- Do my organization’s information systems process and transform relevant data?
- Are processes in place to communicate information to all personnel so they understand and carry out their internal control responsibilities?
- Are processes in place to communicate information to third parties?
- Has the company developed data classification and handling standards?
Regular team meetings and email communication policies can keep employees informed about security updates.
CC3: Risk Assessment
The CC3 control series focuses on identifying, analyzing, and treating risks to achieve the organization’s main objectives. It is also related to identifying and assessing changes that could significantly affect the system or the data held in that system. The purpose of the risk assessment is to identify, analyze, and address potential risks that could impact system reliability and security. So, organizations must conduct formal risk assessments periodically, prioritize risks based on likelihood and impact, and adjust controls to mitigate new and emerging threats. To understand your organization’s performance in applying risk assessment controls, ask the following questions:
- Does your entity identify and assess risk resulting from your business processes and technologies on an ongoing basis?
- Do the risk identification procedures consider both internal and external factors?
CC4: Monitoring of Controls
The CC4 criteria are used when assessing how entities manage the necessary controls. As such, organizations must implement policies and procedures that deal with monitoring adherence to the controls themselves and communicating control deficiencies. Implementing automated tools for monitoring system performance, together with regular audits and reviews of control activities, would demonstrate to auditors a proper implementation of this control. Some of the questions that are useful for understanding your monitoring controls include:
- Do you consider the rate of change in business processes when selecting and developing ongoing evaluations?
- Are the systems and networks monitored for intrusion attempts and unauthorized system changes?
- Do you take action to resolve security incidents and control failures?
A company that uses a Security Information and Event Management (SIEM) system to monitor for unusual behavior and generates monthly reports to evaluate the effectiveness of controls is a practical example of implementing this criterion.
CC5: Control Activities
Auditors assess what policies and procedures exist to put the controls into practice and evaluate how the entity selects the control activities over the existing technology environment. The most important element of CC5 is establishing the policies for data security, system access, and operations themselves, identifying how these policies are distributed to personnel, and regularly reviewing and updating these policies to align with organizational needs. Ask yourself these questions to see whether you are on the right track:
- Have you determined all your business processes that require control activities?
- Are control activities applied at all levels of your organization?
- Do you use the design and current state of the internal control system to establish a baseline for ongoing and separate evaluations?
- Do you evaluate your controls’ performance on an ongoing basis?
An example of implementing this common criterion is an organization adopting a policy that requires all system changes to go through a formal review and approval process before deployment. One of the CC5 statements corresponds to COSO principle 12. It states that the entity deploys control activities through policies that establish what is expected and procedures that put the policies into practice. This allows the common criteria to extend beyond the Security category and evaluate the achievement of the entity’s objectives relevant to a trust services engagement. As such, there are other control criteria that help evaluate the design and effectiveness of controls related to Security as well as to Availability, Processing Integrity, Confidentiality, and Privacy.
CC6: Logical and Physical Access Controls
The CC6 series is by far the biggest section of controls within the TSC. It deals with policies and procedures related to access controls. Specifically, these criteria evaluate how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access. Organizations must have strong authentication methods such as MFA, access controls such as RBAC, regular review of access logs, and strong physical security measures, like restricted access to server rooms. Some of the questions to ask yourself with regard to meeting these control criteria include:
- Are your information assets identified, classified, and managed properly?
- Do you have proper identification and authentication mechanisms in place for individuals and systems accessing entity information, infrastructure, and software?
- Is physical and logical access to your facilities and systems formally managed?
- Do you use encryption to supplement other measures used to protect data at rest?
An organization using multifactor authentication (MFA) and role-based access control (RBAC) to ensure employees can only access information relevant to their roles serves as an example of how to implement these requirements.
CC7: System Operations
Using the CC7 criteria, auditors evaluate the organization’s ability to manage the operation of the system and to detect and mitigate logical and physical processing deviations. The main requirements under this criterion include monitoring system performance and availability, detecting and responding to incidents, including security breaches, and maintaining logs to analyze and resolve system issues. When evaluating your system operation controls, ask yourself the following:
- Are infrastructure and software monitored for noncompliance with the standards?
- Do you monitor system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives?
- Do you conduct vulnerability scans designed to identify potential vulnerabilities or misconfigurations periodically and after any significant change in the environment?
CC8: Change Management
The CC8 criteria help evaluate a series of controls relevant to how an organization identifies the need for changes to infrastructure, data, software, and procedures to meet its objectives. They also help evaluate how the entity makes changes using a controlled change management process and prevents unauthorized changes from being made. The main question to ask yourself in this regard is: Does your organization authorize, design, develop, configure, document, approve, and implement changes to infrastructure, data, software, and procedures to meet its objectives?
CC9: Risk Mitigation
The CC9 criteria are used to evaluate how the entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions and from the use of vendors and business partners. Ask yourself:
- Do you identify, select, and develop risk mitigation activities for risks arising from potential business disruptions?
- Are identified risks reported to the appropriate level of authority, and are risk mitigation plans developed, implemented, and monitored?
Remember that the list of questions for evaluating each of the control categories is much longer than the one given above. We provide only orienting points to help you choose the right direction for your SOC 2 audit readiness. Thus, the Common Criteria fully cover the Security category and implicitly evaluate Availability, Processing Integrity, Confidentiality, and Privacy. In many cases, this is enough to undergo a SOC 2 audit. However, if the entity’s objectives require extending beyond evaluating the Security category, then the additional specific criteria must be used.
How Planet 9 Can Help
To succeed in a SOC 2 audit, you should understand which trust services principles and controls are relevant to your business and ensure these controls are designed and operating effectively. Planet 9, a leading cybersecurity consulting firm in the San Francisco Bay Area, offers comprehensive SOC 2 compliance services tailored to your specific needs. Our experienced team, consisting of vCISOs and compliance managers, can help you:
- Identify Critical Controls: Determine the most relevant SOC 2 controls for your organization.
- Conduct Gap Assessment and Remediation: Pinpoint security gaps and implement effective solutions.
- Audit Preparation and Support: Prepare for and navigate the audit process with ease.
- Continuous Compliance: Maintain ongoing compliance through regular assessments and updates.
- Map the SOC 2 controls to the HIPAA Security Rule (see SOC 2 + HIPAA audit) or ISO 27001 (see SOC 2 vs. ISO 27001).
Book a free consultation to achieve and maintain SOC 2 compliance now.