What Are SOC 2 Controls?

Updated: Aug 16

Detailed guide to SOC 2 Controls

Designed by the American Institute of Certified Public Accountants (AICPA), the SOC 2 framework consists of five Trust Service Criteria (TSC).

For each Trust Service Criterion you choose to include in your SOC 2 audit, there is a list of requirements (criteria) that your auditor will assess your compliance against. SOC 2 controls are what you implement to meet those requirements. In other words, SOC 2 controls are the individual systems, policies, procedures, and processes that an organization puts in place to comply with the SOC 2 Trust Service Criteria.

The auditor attests to the design and operating effectiveness of those controls. For example, if a SOC 2 audit covers only the Security Trust Service Criteria (TSC), the auditor will typically assess around 80-100 controls. The number of controls varies with the number of TSCs included in the report.

AICPA's SOC 2 Points Of Focus Act As Leading Examples

The American Institute of Certified Public Accountants provides "points of focus" for each Trust Service Criterion in its official SOC 2 guide. These points of focus are examples of how an organization may meet the standard for each category. They help organizations and service providers design and implement their control environment, and they also help organizations understand how auditors assess each Trust Service Criterion when evaluating and testing the organization's controls.

Note: The points of focus are not requirements. They are guidelines that help organizations better understand what they can do to meet the five TSCs.

Here is an example from the AICPA SOC 2 guide demonstrating the points of focus for "holding individuals accountable for their internal control responsibilities in the pursuit of objectives."

The first point of focus in CC1.5, "enforces accountability through structures, authorities, and responsibilities," explains how management and the board of directors should establish a mechanism to hold individuals accountable for the performance of internal controls.

List Of SOC 2 Controls

In this section, we detail the controls that pertain to each Trust Service Criterion. These controls are integral to SOC 2 certification and must be incorporated into the report if your organization is covering that criterion.

1. Security controls

Security is the most important category of SOC 2 controls. It covers the operational processes around security and compliance. Security is the only Trust Service Criterion that must be included in every SOC 2 report, per the guidelines; hence, these security controls are imperative for the successful completion of the audit.

Here are a few security controls that an auditor is bound to assess:

  • Password security

  • Multi-factor authentication

  • Incident response

  • Data Encryption

2. Privacy controls

Organizations that use or store customers' personal information must incorporate the Privacy TSC in their SOC 2 report. To meet the privacy requirements, the organization needs to communicate to its customers the policies in place for protecting the stored data.

If your organization collects or processes any sort of personal data, it must meet the following requirements:

  1. Obtain consent from the customer

  2. Limit the amount of private information to collect

  3. Extract personal information only by lawful means

  4. Use the data only for the purpose it was collected for

Here are a few privacy controls that an auditor is bound to assess:

  • Retention policy

  • Consent mechanism

  • Record of Processing Activities

  • Data Protection Impact Assessment

  • Privacy Policy

3. Confidentiality controls

Confidentiality controls check that information shared within and outside the organization is secured; in practice, this means confidential data must be protected against unauthorized access.

For instance, Access Control Reviews should happen at least once a month to confirm that every access granted to employees is still needed.

Here are a few confidentiality controls that an auditor is bound to assess:

  • Media Handling and disposal procedure

  • Retention policy

  • Access Control Reviews

4. Processing integrity controls

Processing integrity controls fall into two broad categories. Some controls refer to the organization's ability to define what data it needs to achieve its goals, while others define processing integrity in terms of inputs and outputs.

For example, if a patient inputs a blood requirement from blood banks, the output should be the required blood type.

  • The auditor will check if the output of processing is consistent with the requirements mentioned in the statement of work.

5. Availability controls

Availability controls focus on minimizing downtime, mainly for SaaS and cloud computing providers. A formal risk assessment, risk management, and risk mitigation process are important for identifying threats to data centers/cloud infrastructure and maintaining availability.

Here are a few availability controls that an auditor is bound to assess:

  • BCP/DR procedure

  • Backup restoration testing report

  • Capacity monitoring of cloud infrastructure

  • ISP Redundancy

  • UPS and diesel generator (DG) set

Closing Thoughts

This was a brief overview of SOC 2 controls. If your organization is planning to apply for SOC 2 compliance, knowledge of these controls is bound to come in handy. To streamline your compliance procedure, you can also partner with Scrut Automation, which will guide your organization through the required controls and policies.

Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce roughly 70% of their manual effort in continuously maintaining compliance with SOC 2, ISO 27001, PCI DSS, and privacy laws such as HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.
