Are you looking to stand up or mature your SOC 2 compliance program? This SOC 2 Framework Guide was designed to be a starting point to understanding and executing a SOC 2 program, and includes:
- An overview of the SOC 2 framework structure and requirements, with an at-a-glance summary.
- Definitions, resources, and examples for the key steps in the SOC 2 process: scoping and framework application, framework execution, internal and external assessments against the framework, and maintaining ongoing compliance.
- An overview of the SOC 2 framework compliance flow.
- Relationships to other standards and documents including ISO 27001, COSO Internal Control – Integrated Framework, and SOC 1 and 3.
CrossComply customers can go a step further and learn how to perform the activities described below within AuditBoard: log in and follow the “CrossComply Connection” prompts for additional guidance.
What Is the SOC 2 Framework?
SOC 2, formally a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, is an independent attestation report. A service organization (an entity that provides services to other organizations, its user entities or customers) engages a CPA firm to examine its controls, and provides the resulting report to customers as evidence of its control environment. The Trust Services Criteria against which SOC 2 reports are assessed are published by the American Institute of Certified Public Accountants (AICPA). SOC 2 is entirely voluntary and is most widely requested by customers of service organizations in the US; ISO 27001 certification, which serves a similar purpose, is more commonly requested by customers outside the US, and many service organizations maintain both.
SOC 2 Framework at a Glance
The SOC 2 framework is designed to be used by all types of service organizations. As such, the criteria provide flexibility in how they can be applied and therefore audited. Unlike more prescriptive cybersecurity frameworks, SOC 2 allows the service organization to define how its controls are implemented, provided they meet the intent of the criteria they are mapped to.
SOC 2 is closely aligned with the 17 principles of the 2013 COSO Internal Control – Integrated Framework. The 2017 Trust Services Criteria use these principles as the baseline for many of the Common Criteria described in the next section.
SOC 2 provides the following benefits for both service organizations and customers of service organizations:
- Independent attestation report of defined, common criteria.
- Uses industry best-practices to define criteria.
- Provides a commonly accepted baseline to review against for an organization’s third-party assessment process.
SOC 2 has become the de facto standard in the US for service organizations to attest to the design and operation of controls relevant to the services they provide. Service organizations doing business with US customers will find that maintaining a SOC 2 compliance and audit program is frequently critical to winning new business and retaining existing customers.
What Are the SOC 2 Requirements?
Trust Services Categories
SOC 2 is made up of five Trust Services Categories — Security (Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy — which serve as the high-level sections of the framework. Each of the five categories has a specific focus:
- Security (Common Criteria): Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
- Availability: Information and systems are available for operation and use to meet the entity’s objectives.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. Although confidentiality applies to various types of sensitive information, privacy applies only to personal information.
Trust Services Criteria
Each of the five Categories includes numerous Trust Services Criteria, which are the specific criteria used to assess a service organization’s environment. The criteria are numbered by category and topic. The Common Criteria run from CC1 (Control Environment) through CC2 (Communication and Information), CC3 (Risk Assessment), CC4 (Monitoring Activities), CC5 (Control Activities), CC6 (Logical and Physical Access Controls), CC7 (System Operations) and CC8 (Change Management) to CC9 (Risk Mitigation); the additional categories use the prefixes A (Availability), PI (Processing Integrity), C (Confidentiality) and P (Privacy). The series number therefore tells you the domain a criterion belongs to: CC6.1, for example, is the first criterion in the logical and physical access domain.
Points of Focus
Each Trust Services Criterion includes one or more Points of Focus. The Points of Focus are guidance for auditors and service organizations to aid in the design of controls suitable to meet the associated criterion. Compliance with every Point of Focus is not required, but auditors may use them as determining factors when judging whether the design of the control(s) being assessed is suitable. For the criteria aligned with COSO principles, the COSO Points of Focus are included in the SOC 2 framework and, as needed, supplemented by additional points of focus specific to the nature of a SOC 2 report. Many auditors use their own numbering of the points of focus within each criterion. Service organizations should use their judgment in determining which Points of Focus are applicable to the service being provided and to their organization.
SOC 2 Structure Diagram
SOC 2 Scoping and Framework Application
SOC 2 differs from most cybersecurity frameworks in that scoping is highly flexible. Under the AICPA’s attestation standards, the service organization selects one or more of the five Trust Services Categories: Security (Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. Typically, service organizations include only the Category or Categories relevant to the service they provide; most importantly, they should choose the Categories their customers would expect to see in a SOC 2 report. While the organization chooses the applicable Categories, Security (the Common Criteria) is always included, because the criteria for the other four Categories are additions to the Common Criteria rather than replacements for them. An organization that wants to report to its customers on the Privacy category must therefore meet both the Common Criteria and the Privacy criteria.
The table below shows examples of the types of service or industry that would be relevant to each of the Trust Services Categories. The table is not exhaustive and other examples may be relevant.
Once the appropriate Category or Categories are selected, a service organization must then determine if each of the Trust Services Criteria within the applicable Category or Categories applies to the service being provided.
Service organizations should be prepared to justify to their SOC 2 auditors why particular Trust Services Criteria do not apply. This is normally accepted only where the activity described by the criterion is not performed by the organization at all. Criteria that are addressed wholly or partly by a third party (a subservice organization) are usually handled through the carve-out method described under Assessing Against the SOC 2 Framework below, rather than treated as not applicable.
SOC 2 Framework Execution
In order to successfully execute a SOC 2 program, organizations should implement ongoing key control activities to align with the Trust Services Criteria. The activities that must be performed to ensure compliance with SOC 2 requirements will primarily be driven by the service organization’s SOC 2 scope. Specifically, each Trust Services Category will drive a set of activities that must be performed to ensure compliance. We’ve summarized some of the key control activities commonly required for SOC 2 compliance and the frequency by which the activity needs to be performed. The list below does not include a complete list of key control activities to address all of the individual Trust Services Criteria — a complete listing of the TSCs is available in CrossComply via the UCF® integration.
- Establish an Information Security Program - Reviewed/Updated at least annually.
- Create, Maintain, and Promulgate Policies and Procedures - Reviewed/Updated at least annually.
- Third-Party Risk Assessment / Vendor Reviews - Based on the service organization’s policies/procedures, but at least annually.
- Conduct a Risk Assessment of the In-Scope Environment - Based on the service organization’s policies/procedures, but at least annually.
- Mitigate Identified Risks - Ensure documented mitigation plans exist for applicable risks. Ensure mitigation plans are implemented.
- Establish and Maintain a Compliance Evaluation Program - Based on the service organization’s policies/procedures, but at least annually.
- Document and Update In-Scope Control Activities - Reviewed/Updated at least annually.
- Establish a Logical Access Management Program - Based on the service organization’s policies/procedures, but at least annually.
- Establish a Physical Access Management Program - Based on the service organization’s policies/procedures, but at least annually.
- Establish and Maintain an Information Asset Inventory - Reviewed/Updated at least annually.
- Establish and Maintain a Data Classification Matrix - Reviewed/Updated at least annually.
- Define and Maintain System Configuration Standards - Reviewed/Updated at least annually.
- Conduct Vulnerability Scans and/or Penetration Testing - Based on the service organization’s policies/procedures, but at least annually.
- Create and Maintain a Security Incident Response Plan - Reviewed/Updated and tested at least annually.
- Perform Logging and Monitoring of the In-Scope Environment - Based on the service organization’s policies/procedures, but at least annually.
- Establish and Maintain a Change Management Program - Ensure change records exist for all in-scope components during the defined time period.
It’s important to remember that SOC 2 requires documentation of all in-scope control activities and, for a Type 2 report, evidence that each control operated effectively throughout the period covered by the report (report types are described in the next section). This evidence will be requested during the external audit.
Assessing Against the SOC 2 Framework
Any organization can assess itself against the SOC 2 Trust Services Criteria. The criteria are publicly available and there are no subscription or licensing costs to access the complete list. SOC 2 itself requires that an evaluation program be created and maintained (the monitoring activities criteria). This can be an internal assessment program, an external one, or both.
Internal / Self-Assessments
Ideally, internal assessments will follow the same practice as an external assessment. A best practice for SOC 2 compliance is to assess all controls within the scope of an organization’s SOC 2 compliance program at least annually. However, organizations may choose to assess only high-risk controls within the assessment cycle. Internal assessments should always use the defined Trust Services Criteria to ensure compliance.
As required by the AICPA, only licensed CPA firms can perform SOC 2 examinations and issue the corresponding reports. There are two types of report a CPA firm can issue after performing a SOC 2 examination:
- Type 1 Report: A report on the design and implementation of the service organization’s controls as of a specified date. The date is agreed between the service organization and the auditor; the opinion says nothing about whether the controls operated effectively before or after that date.
- Type 2 Report: A report on the design and operating effectiveness of the service organization’s controls over a review period. The period is chosen by the service organization and is typically twelve months (not necessarily a calendar year). Shorter periods of six or as little as three months are sometimes used for a first report, at the cost of giving report readers less assurance.
Organizations that rely on third parties (referred to as subservice organizations) to support compliance with certain criteria will usually use the carve-out method in their external audit report. Under the carve-out method, the subservice organization’s controls are excluded from the service organization’s system description and from the auditor’s testing. The service organization does not implement those controls itself, but its description must identify the subservice organization, the complementary subservice organization controls it assumes are in place, and its own controls for monitoring that subservice organization (for example, reviewing the subservice organization’s SOC report). The alternative, the inclusive method, brings the subservice organization’s controls into the description and the examination and requires the subservice organization’s cooperation. All carved-out subservice organizations must be described in the final report.
Like most external compliance audits, there is a cost associated with SOC 2 external audits and the associated report.
Achieving Ongoing SOC 2 Compliance
Maintaining SOC 2 compliance largely follows the same practices as any other cybersecurity framework. One important nuance applies to organizations that maintain annual Type 2 reports.
To avoid exceptions in an annual Type 2 report, an organization must be able to show that each control operated effectively throughout the review period. Controls must be executed, and evidence retained, at the cadence defined in the organization’s own policies and procedures, because the auditor tests against that stated cadence. For example, if a service organization’s policies say it conducts quarterly logical access reviews, it will need evidence of four reviews, one in each quarter of the preceding year; a single annual review, or a review dated before the period began, does not satisfy the quarterly commitment.
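The cadence check described above can be automated against an evidence log. The following is an added example written for this guide, not AuditBoard or CrossComply code; the control ID LA-01, the quarterly access-review policy, the evidence dates and the artifact names are constructed sample data. It splits the Type 2 review period into windows according to the policy’s cadence, ignores evidence dated outside the period, and reports every window with no supporting artifact, which is exactly what an auditor sampling the period would flag.

```python
"""Evidence cadence coverage check for a SOC 2 Type 2 review period (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ControlPolicy:
    """A control and the cadence its own policy commits to."""
    control_id: str
    description: str
    cadence_months: int  # 1 = monthly, 3 = quarterly, 12 = annual


@dataclass(frozen=True)
class Evidence:
    """One artifact showing the control was performed on a given date."""
    control_id: str
    performed_on: date
    artifact: str


def _add_months(d: date, n: int) -> date:
    """Advance a first-of-month date by n months (review periods are assumed to start on the 1st)."""
    years, month_index = divmod(d.month - 1 + n, 12)
    return date(d.year + years, month_index + 1, d.day)


def coverage_windows(period_start: date, period_end: date, cadence_months: int) -> list[tuple[date, date]]:
    """Split the review period into consecutive windows, one per required control instance.
    The last window is truncated to period_end but still requires evidence, because an
    auditor samples every window of the period, not just the complete ones."""
    windows: list[tuple[date, date]] = []
    start = period_start
    while start <= period_end:
        nxt = _add_months(start, cadence_months)
        windows.append((start, min(nxt - timedelta(days=1), period_end)))
        start = nxt
    return windows


def find_gaps(policy: ControlPolicy, evidence: list[Evidence],
              period_start: date, period_end: date) -> list[tuple[date, date]]:
    """Return the windows that contain no in-period evidence for the control.
    Evidence dated outside the period is ignored: an artifact from before the period
    cannot demonstrate that the control operated during it."""
    in_period = sorted(
        e.performed_on
        for e in evidence
        if e.control_id == policy.control_id and period_start <= e.performed_on <= period_end
    )
    return [
        (w_start, w_end)
        for w_start, w_end in coverage_windows(period_start, period_end, policy.cadence_months)
        if not any(w_start <= d <= w_end for d in in_period)
    ]


def gap_report(policy: ControlPolicy, evidence: list[Evidence],
               period_start: date, period_end: date) -> list[str]:
    """Gap list as ISO date ranges, e.g. ['2023-07-01..2023-09-30']."""
    return [f"{s.isoformat()}..{e.isoformat()}"
            for s, e in find_gaps(policy, evidence, period_start, period_end)]


# Constructed sample data: hypothetical control ID, policy, dates and artifact names.
PERIOD_START = date(2023, 1, 1)
PERIOD_END = date(2023, 12, 31)
ACCESS_REVIEW_POLICY = ControlPolicy("LA-01", "Quarterly logical access review of production systems", 3)
SAMPLE_EVIDENCE = [
    Evidence("LA-01", date(2022, 12, 15), "access-review-2022Q4.pdf"),  # before the period: does not count
    Evidence("LA-01", date(2023, 2, 10), "access-review-2023Q1.pdf"),
    Evidence("LA-01", date(2023, 5, 3), "access-review-2023Q2.pdf"),
    Evidence("LA-01", date(2023, 11, 20), "access-review-2023Q4.pdf"),  # Q3 review is missing
    Evidence("CM-04", date(2023, 6, 1), "change-ticket-sample.csv"),   # different control: ignored
]

if __name__ == "__main__":
    for gap in gap_report(ACCESS_REVIEW_POLICY, SAMPLE_EVIDENCE, PERIOD_START, PERIOD_END):
        print(f"{ACCESS_REVIEW_POLICY.control_id}: no evidence for window {gap}")
```

Run against the sample data, the check reports the third quarter as a gap even though three reviews were performed, because the policy promised one per quarter. The same routine applies to any cadence-driven activity in the Framework Execution list above (vendor reviews, risk assessments, vulnerability scans): set cadence_months from the organization’s own policy, since that policy, not the Trust Services Criteria, is what the auditor holds the organization to.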
Overview: SOC 2 Framework Compliance Flow
SOC 2 compliance doesn’t have to be overly complicated. We’ve broken down the process flow for achieving and maintaining SOC 2 compliance, from standard GRC process steps for initial setup and audit readiness, through interactions with your SOC 2 external auditor, to ensuring ongoing compliance.
Initial Setup/Audit Readiness
- Scope Framework: Decide which Categories to include. Scope Criteria based on applicability.
- Identify/Document Controls: Document control statements for existing controls. Identify gaps where controls don’t exist.
- Implement Controls for Gaps: Implement controls for in-scope criteria that are not satisfied with current controls.
- Framework Execution: Ensure key activities are performed prior to control testing.
- Gather Evidence for Internal Testing: Gather evidence showing control activities are in place.
- Internal Self-Assessment: Document test plans for each control. Perform testing by using collected evidence. Identify issues where controls are not operating effectively.
- Issue Management and Remediation: Remediate issues by correcting activities that are causing them. Retest controls until they pass.
External Audit Process
- Issue Evidence Requests: Receive the PBC (prepared-by-client) list, also called an IRL (information request list) or DRL (document request list), from the auditor. Issue evidence requests to control owners.
- Review/Submit Evidence to Auditor: Review evidence for completeness and correctness. Submit evidence to the auditor for review.
- Auditor Testing / Walkthroughs: Auditors perform testing of controls and walkthroughs.
- Report Preparation: Preparation of audit report and QA process. Review of draft report.
- Report Issuance: Final report provided.
Ongoing Compliance
- Identify Internal Testing Schedule: Identify required recurring controls to be tested. Create a testing cycle for remaining controls.
- Gather Evidence for Internal Testing: Gather evidence showing control activities are in place.
- Internal Self-Assessment: Perform testing by using collected evidence. Identify issues where controls are not operating effectively.
- Remediate Issues: Remediate issues by correcting activities that are causing them.
- Retesting Cycle: Retest controls upon remediation of issues. Continue testing and remediation until all issues are resolved.
How Does SOC 2 Relate to Other Standards and Documents?
Relationships exist between SOC 2 and other standards and documents. ISO 27001, COSO Internal Control – Integrated Framework, and SOC 1 and 3 are examples of standards and documents that are either directly related to the SOC 2 Trust Services Criteria or are frequently referenced in relation to SOC 2.
ISO 27001: International standard for building and certifying an Information Security Management System (ISMS).
- Serves a similar purpose (independent assurance over an information security program), but is a certification against a standard rather than an attestation report.
- High degree of overlap between the ISO 27001 Annex A controls and the SOC 2 Common Criteria, so evidence is frequently reused across both programs.
- SOC 2 is requested mainly by US customers; ISO 27001 is recognized worldwide and is more often requested outside the US. Many service organizations maintain both.
COSO Internal Control – Integrated Framework: Framework for implementing an internal control structure to meet various compliance goals.
- Basis for most of the Common Criteria (Security) Category in SOC 2.
- SOC 2 provides additional requirements within each Category to add specificity to the COSO framework.
SOC 1: Report on controls relevant to Internal Control over Financial Reporting (ICFR).
- Little or no commonality in business process controls: SOC 1 control objectives are defined by each service organization (there are no common criteria).
- Potential overlap of IT General Controls (depending on report scope).
SOC 3: A general-use report on the same Trust Services Criteria, intended to be shared publicly.
- Identical criteria and the same examination as SOC 2.
- Differs in content and audience: a SOC 3 omits the detailed system description, the tests performed, and their results, and is for a public audience; a SOC 2 includes those details and is a restricted-use report for customers, their auditors, and other specified parties.
SSAE Standards: Statements on Standards for Attestation Engagements (SSAE 18 and its later amendments), the AICPA attestation standards CPA firms follow when performing SOC examinations.
- Not a control framework; their only relationship to SOC 2 is as the auditing standard governing how the examination is performed and reported.
- Apply to all SOC reports.
Using CrossComply to Manage the SOC 2 Framework
CrossComply has broad functionality that can help with many of the activities necessary to achieve and maintain SOC 2 compliance; the “CrossComply Connection” prompts in AuditBoard provide guidance on each.