SOC 2: Additional Specific Criteria for Controls Evaluation

The Security category is imperative for all SOC 2 engagements; but what if your commitments to customers and services demand including other criteria? 

In one of our previous articles, we started talking about controls necessary to obtain a positive SOC 2 audit report. Hence, we already know that there are specific criteria for evaluating the design and effectiveness of these controls. These criteria have been established by the Assurance Services Executive Committee (ASEC) in the document called 2017 Trust Services Criteria (TSC) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security category is an integral part of each SOC 2 audit that lays the foundation for other audit criteria. Thus, including Security in the audit’s scope is often enough to assure your customers of the reliability and respectability of your services. 

However, what if the organization’s commitments require evaluating more than the Security category? How should organizations understand what additional category to include in the scope of their SOC 2 audits? What criteria will auditors use to assess the design and effectiveness of these controls? To answer these and other related questions, keep reading the article. 

Deciding on what Additional TSC to Include

The orienting point for determining the need for including the additional trust service category(s) is the entity’s commitments to customers and system requirements. Commitments are the service provider’s declaration to customers regarding the performance of the entity’s system(s) and processes. Such commitments are included in written contracts, service level agreements, or public statements. Hence, if your company is a SaaS provider, committed to delivering reliable software services to your clients, then you should include Availability into the scope of your SOC 2 audit.

At the same time, you should also take into consideration the system requirements. These refer to how the system should function to achieve the entity’s commitments to customers, regulations, trade, or business associations.  For instance, if your systems process financial data, you are more likely to be concerned with Processing Integrity.  

Evaluating Controls Related to Confidentiality 

Confidentiality should be presented in the SOC 2 audit report if the organization offers engagement with sensitive data, such as Personally Identifiable Information (PII), or Protected Health Information (PHI). In fact, there is SOC 2 + HIPAA audit for those companies that deal with PHI, and we will cover this type of audit in future articles. The Confidentiality category addresses the organization’s commitments in regards to how clients’ sensitive information is handled. It is necessary to understand that confidentiality applies not only to personal information but is relevant to various other types of sensitive information such as trade secrets or intellectual property.

Information is confidential if the custodian is required to limit its access, use, retention,  and restrict its disclosure. You may find the confidentiality requirements in laws or regulations as well as in contracts that contain commitments made to customers or others. So, the organizations should check their contractual obligations to ensure customers’ information is properly protected. Some of the confidentiality-related questions include:

• Are the procedures in place to identify and classify confidential information when it is received or created?
• What procedures do you implement to protect confidential information from unauthorized access?
• Are the procedures in place to identify confidential information requiring destruction when the end of the retention period is reached?

Evaluating Controls Related to Processing Integrity 

If the organization provides services that are concerned with processing integrity (usually involving financial operations or e-commerce), consider Processing Integrity. The principle includes controls necessary to process and provide data in a timely and accurate manner.

The control criteria evaluate whether the entity obtains, generates, uses, and communicates information to support the appropriate use of products and services. Some of the questions auditors would ask you during the SOC 2 audit include: 

• Is data checked at the input point to ensure it meets the defined criteria before being accepted by the system?
• Are your systems configured to validate data for completeness to ensure inputs meet the outputs?
• Do you have a process documenting data input and output validation for completeness, accuracy, and timeliness?

Evaluating Controls Related to Availability 

The Availability category should be included in the scope of the SOC 2 audit report if services your organization provides are time-sensitive and their availability is critical. For example, it would be extremely critical for a stock trading platform or hospital health monitoring dashboard. Availability neither sets a minimum acceptable performance level nor addresses system functionality or usability. Instead, it does address whether systems include controls to support continuous operations, monitoring, and maintenance. Availability also typically applies to companies providing colocation, data center, SaaS, or hosting services to their clients. 

To assess the design and effectiveness of controls related to Availability, auditors will use common criteria as well as the additional specific criteria. A set of additional criteria for Availability require implementing necessary policies and procedures regarding the system’s capacity demand planning, use of system components, environmental protection, data backup process, and recovery plans. 

Some of the questions that businesses should ask themselves before the SOC 2 audit include: 

• Are there procedures in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur?
• Is there a business continuity plan in place? Is it tested on a periodic basis?
• Is the use of system components measured to establish a baseline for capacity management?

Evaluating Controls Related to Privacy

The privacy category is often referred to as standing on its own, as it specifically addresses how customers’ personal information is collected and used. It ensures that the organization is handling personal data in accordance with any commitments in the entity’s privacy policy. The Privacy series of controls are important for businesses that work with personal information and have substantial privacy obligations. For the privacy audit,  organizations need to implement controls related to individuals’ rights as well as proper protection, use, and retention of personal information. 

• Are the notices provided to data subjects regarding the purpose of collection, choice, and consent, types of information collected, etc?
• Do you inform your data subjects about the choices available to them with respect to the collection, use, and disclosure of personal information?
• Do you limit the collection of personal data to the extent necessary to meet the entity’s objectives?

Conclusion

To succeed in a SOC 2 audit, you should understand what set of controls is relevant for your business. You should also be aware of what criteria auditors will use to evaluate the design and effectiveness of these controls. In many SOC2 engagements, evaluating controls related to the Security category is sufficient. However, to make your SOC 2 report more robust as well as to satisfy more customers with growing expectations, it is often necessary to extend the scope of the SOC 2 audit report and include another category(s) –  Confidentiality, Processing Integrity, Availability, and Privacy.

If some questions remain unanswered, do not hesitate and contact our Planet 9 team. We’ll be happy to assist!

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646