The Common Criteria For SOC 2


To help SaaS providers assure their clients of data security, the American Institute of Certified Public Accountants (AICPA) has developed System and Organization Controls (SOC) audits. There are three types of SOC audits - SOC 1, SOC 2, and SOC 3. Of the three, SOC 2 is the most common report for evaluating an organization's security practices.

The Trust Services Criteria (TSC) cover security, availability, processing integrity, confidentiality, and privacy. Organizations do not have to be audited against all five at once; they choose the TSC that fit their business.

While firms can select which SOC 2 Trust Services Criteria to include in their audit scope, every SOC 2 report must contain the Security Criteria.

List Of SOC 2 Common Criteria

The AICPA uses the Trust Services Criteria (TSC) framework to conduct SOC 2 audits. The common criteria apply to all five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

That said, the Security Trust Services Criterion safeguards information and systems against unauthorized access and disclosure. It helps determine:

  • If the data is secure during its creation.

  • If the data is secure during its use, processing, transmission, and storage.

  • If the company can prevent and monitor vulnerabilities in its systems.

The Common Criteria list, also known as the CC series, consists of 9 subcategories, namely:

CC1: Control Criteria

This criterion demonstrates a commitment to integrity and ethical values.

CC2: Communication and Information

This criterion covers the policies and procedures in place to ensure security and whether they are communicated well to internal and external partners.

CC3: Risk Assessment

This determines if the organization can analyze risk and monitor how new technologies and changes impact that risk.

CC4: Monitoring Activities

It determines if the organization can monitor, evaluate, and communicate the effectiveness of its controls.

CC5: Control Activities

This criterion decides if the controls, processes, and technologies are in place to reduce risk.

CC6: Logical and Physical Access Controls

It aims to assess the following controls:

  1. Whether the organization encrypts data and monitors access controls

  2. Who can access data, and whether physical entry to office premises is restricted

CC7: System Operations

This criterion determines whether:

  1. Systems are monitored to ensure they function properly

  2. Incident response and disaster recovery plans are in place

CC8: Change Management

It checks whether material changes to systems are properly tested and approved beforehand.

CC9: Risk Mitigation

This determines whether the organization can mitigate risk through proper business and technical processes and vendor management.

SOC 2 Common Criteria Mapping To ISO 27001

The AICPA maps the SOC 2 criteria onto ISO/IEC 27001 – Information Security Management. ISO 27001 states the requirements for establishing, implementing, maintaining, and improving an organization's information security posture.

ISO 27001 is widely used outside the US, and any organization with a global client base can adopt this standard. Its core consists of ten clauses and an Annex that breaks down into 114 controls across 14 groups, as follows:

A.5: Information security - 2 controls

A.6: Security organization - 7 controls

A.7: Human resources security - 6 controls

A.8: Asset management - 10 controls

A.9: Access control - 14 controls

A.10: Cryptography - 2 controls

A.11: Environmental security - 15 controls

A.12: Operational security - 14 controls

A.13: Communication security - 7 controls

A.14: Acquisition and maintenance - 13 controls

A.15: Third-party security - 5 controls

A.16: Incident management - 7 controls

A.17: Business continuity - 4 controls

A.18: Regulatory compliance - 8 controls

The AICPA's ISO 27001 mapping spreadsheet breaks down the overlap between these controls and the Trust Services Criteria.

Mapping SOC 2 Common Criteria To EU GDPR

The AICPA also maps SOC 2 onto the European Union (EU) General Data Protection Regulation (GDPR). The EU GDPR is designed to protect EU citizens' personal data rights and applies to all companies that process EU citizens' data.

It comprises 99 articles across 11 chapters, and most of the GDPR's substantive requirements fall within its second and third chapters. The AICPA's EU GDPR mapping spreadsheet helps cross-reference criteria and controls.

To get started with SOC 2 mapping, schedule a demo with Scrut.

Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce roughly 70% of their manual effort in continuously maintaining compliance with SOC 2, ISO 27001, PCI DSS, and privacy laws like GDPR, HIPAA, and CCPA. Schedule your demo today to see how it works.