Every SOC 2 audit covers between one and five Trust Services Criteria categories, and Security is always one of them. Learn more about how the common criteria are evaluated.
If you have been involved in any kind of SOC 2 engagement, you should be familiar with the five categories of Trust Services Criteria (formerly Trust Services Principles): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Each category covers a set of internal controls related to a different aspect of the entity’s information security and privacy program, and independent auditors assess the implementation of these controls in the scope of a SOC 2 audit. But there is one hitch: SOC 2 neither prescribes a list of required controls nor defines a minimum set of controls that would guarantee the objectives of the audit are met. Instead, it defines a set of Common Criteria against which the design and operating effectiveness of whatever controls the organization has chosen are evaluated.
Thus, to succeed in a SOC 2 audit, you should understand what set of controls is relevant for your business as well as what criteria auditors will use to evaluate the design and effectiveness of these controls.
The criteria used to evaluate controls in a SOC 2 audit were established by the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) in the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 report can encompass from one to five of these criteria categories, each covering a set of internal controls related to the organization’s security and/or privacy program. To understand which combination of controls a SOC 2 audit will require, you must first decide which of the five Trust Services Criteria categories to include in scope.
The first category, Security, is required to be in the scope of every SOC 2 audit. Organizations have no choice about this one; they can, however, decide whether to include any of the other four categories. In many cases, the Security category alone is sufficient for a SOC 2 report. But remember that a SOC 2 Type II report typically covers a review period of 6 to 12 months, which is long enough for your business to expand into new lines of operation. The more categories you include, the more comprehensive your SOC 2 report will be and the more likely it is to satisfy customers whose expectations grow over time.
When evaluating and reporting on the controls an organization has put in place, auditors use a defined set of criteria. Some of these criteria are shared by all trust services categories; the others apply only to specific categories. The auditors’ reference for this evaluation is the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. This document contains the common criteria, which apply to all five trust services categories, and the additional criteria, which apply selectively to Availability, Processing Integrity, Confidentiality, and Privacy.
In this article, we will cover the common criteria as well as controls related to them.
The common criteria (CC1 through CC9) are the complete set of criteria for evaluating the design and effectiveness of controls related to Security. They are also applied, together with the category-specific additional criteria, when assessing controls covered by the remaining trust services categories.
We start with the set of controls that corresponds to Security, since it is obligatory for all SOC 2 engagements and is the foundation the other Trust Services Criteria build on. Security refers to protecting information throughout its collection or creation, use, processing, transmission, and storage. It also addresses whether the systems that handle that information are protected, both physically and logically, against unauthorized access, system failure, and incorrect processing. As such, the Security category is associated with common controls that protect data from unauthorized access, defend against malware, detect and respond to security incidents, and other general security controls.
The CC1 criteria (control environment) require entities to implement controls that establish the ethical and integrity framework on which all subsequent controls rest. Entities must demonstrate their commitment to ethical values, how authority and responsibility are assigned, and how essential HR practices such as recruitment and training are carried out. Some of the questions you need to ask yourself before the SOC 2 audit:
The CC2 criteria (communication and information) help evaluate the effectiveness of controls over how the entity obtains, generates, and uses relevant, quality information to support its internal control. They are also used to assess controls over how information is communicated internally and externally. Answer these (and many other) questions before the SOC 2 audit to understand what to expect:
The CC3 criteria (risk assessment) focus on identifying, analyzing, and treating risks to the achievement of the organization’s objectives, including the risk of fraud. They also cover identifying and assessing changes that could significantly affect the system or the data held in it. To understand how well your organization applies risk assessment controls, ask yourself the following:
The CC4 criteria (monitoring activities) are used to assess how the entity monitors whether its controls are present and functioning. Organizations must implement policies and procedures for ongoing and separate evaluations of control performance and for communicating control deficiencies to those responsible for corrective action. Some questions that help you understand your monitoring controls include:
Under the CC5 criteria (control activities), auditors assess what policies and procedures exist to put the controls into practice and evaluate how the entity selects control activities over its technology environment. The most important element of CC5 is the establishment of the policies themselves and how these policies are communicated to personnel. Ask yourself these questions to see whether you are on the right track:
One of the CC5 criteria, CC5.3, corresponds to COSO Principle 12: the entity deploys control activities through policies that establish what is expected and procedures that put those policies into action. The remaining common criteria, CC6 through CC9, are supplemental criteria organized under this principle. They extend the evaluation beyond the COSO framework to the specific control activities that matter for a trust services engagement, and they are used to evaluate the design and effectiveness of controls relevant to Security as well as to Availability, Processing Integrity, Confidentiality, and Privacy.
The CC6 criteria (logical and physical access controls) are by far the largest section of the Trust Services Criteria. They deal with policies and procedures for access control. Specifically, these criteria evaluate the design and effectiveness of controls over how the entity restricts logical and physical access, how it provisions and removes that access, and how it prevents unauthorized access. Some of the questions to ask yourself when assessing these controls include:
Using the CC7 criteria (system operations), auditors evaluate how the entity manages the operation of its systems and how it detects and mitigates processing deviations, including logical and physical security events. When evaluating your system operation controls, ask yourself the following:
The CC8 criteria (change management) help evaluate the controls by which an organization identifies the need for changes to infrastructure, data, software, and procedures in order to meet its objectives. They also evaluate how the entity makes those changes through a controlled change management process and prevents unauthorized changes from being made. The main question to ask yourself in this regard is:
The CC9 criteria (risk mitigation) are used to evaluate how the entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions and from the use of vendors and business partners. The common questions include:
Remember that the full list of questions for each of the control criteria is much longer than the ones mentioned above. We provide only orienting points to help you choose the right direction for your SOC 2 audit readiness.
Thus, the Common Criteria are the complete set of criteria for the Security category, and they are also applied when evaluating Availability, Processing Integrity, Confidentiality, and Privacy. In many cases, a Security-only scope is sufficient for a SOC 2 audit. However, if the entity’s objectives require extending the scope beyond Security, the additional category-specific criteria must be applied as well.
This SOC 2 auditing scenario will be discussed in a future article.
If you still have questions about the common criteria or other aspects of the SOC 2 audit report, do not hesitate to contact our Planet 9 team. We’ll be happy to assist!