Designed by the American Institute of Certified Public Accountants (AICPA), the SOC 2 framework consists of 5 Trust Service Criteria (TSC).
For each Trust Service Criterion you choose to include in your SOC 2 audit, there is a list of requirements (criteria) that your auditor will assess your compliance against. SOC 2 controls are what you implement to meet those requirements. In other words, SOC 2 controls are the individual systems, policies, procedures, and processes that an organization implements to comply with the SOC 2 Trust Service Criteria.
The auditor attests to the design and operating effectiveness of those controls. For example, if a SOC 2 audit covers only the Security Trust Service Criteria (TSC), the auditor will typically assess around 80-100 controls. The number of controls varies with the number of TSCs included in the report.
AICPA's SOC 2 Points Of Focus Act As Leading Examples
The American Institute of Certified Public Accountants provides "points of focus" for each Trust Service Criterion in its official SOC 2 guide. These points of focus are examples of how an organization may meet the requirements of each category. They help organizations and service providers design and implement their control environment, and they also help organizations understand how auditors assess each Trust Service Criterion when evaluating and testing the organization's controls.
Note: The points of focus are not requirements. They are guidelines that help organizations better understand what they can do to meet the 5 TSCs.
Here is an example from the AICPA SOC 2 guide demonstrating the points of focus for "holding individuals accountable for their internal control responsibilities in the pursuit of objectives."
The first point of focus in CC1.5 is "enforces accountability through structures, authorities, and responsibilities." It explains how management and the board of directors should establish a mechanism to hold individuals accountable for the performance of internal controls.
List Of SOC 2 Controls
In this section, we detail the controls that pertain to each Trust Service Criterion. These controls are integral to SOC 2 certification and must be incorporated into the report if your organization covers that criterion.
1. Security controls
Security is the most important criterion among the SOC 2 compliance requirements. It covers the operational processes around security and compliance. Security is the only Trust Service Criterion that must be included in every SOC 2 report, per the guidelines. Hence, these security controls are imperative for the successful completion of the audit.
Here are a few security controls that an auditor is bound to assess:
2. Privacy controls
Organizations that use or store customers' personal information must incorporate the Privacy TSC in their SOC 2 report. To meet the privacy requirements, the organization needs to communicate to its customers the policies in place for the protection of stored data.
If your organization collects or handles any sort of personal data, it should adhere to the following requirements:
Obtain consent from the customer
Limit the amount of private information to collect
Extract personal information only by lawful means
Use the data only for the purpose it was collected for
Here are a few privacy controls that an auditor is bound to assess:
Record of Processing Activities
Data Protection Impact Assessment
3. Confidentiality controls
Confidentiality controls check whether the information shared within and outside the organization is kept secure. This implies that confidential data must be protected against unauthorized access.
For instance, access control reviews should happen at least once a month in the organization to ensure that all access granted to employees is still needed.
Here are a few confidentiality controls that an auditor is bound to assess:
Media Handling and disposal procedure
Access Control Reviews
4. Processing integrity controls
Processing integrity controls are divided into two broad categories. Some controls refer to the organization's ability to define what data it needs to achieve its goals, while others define processing integrity in terms of inputs and outputs.
For example, if a patient requests a particular blood type from a blood bank, the output of the process should be that required blood type.
The auditor will check whether the output of processing is consistent with the requirements described in the statement of work.
5. Availability controls
Availability controls focus on minimizing downtime, mainly for SaaS and cloud computing providers. A formal risk assessment, risk management, and risk mitigation process is important for identifying threats to data centers and cloud infrastructure and for maintaining availability.
Here are a few availability controls that an auditor is bound to assess:
Backup restoration testing report
Capacity monitoring of cloud infrastructure
UPS and DG (diesel generator) set
This was a brief overview of SOC 2 controls. If your organization is planning to apply for SOC 2 compliance, knowledge of these controls is bound to come in handy. To streamline your compliance procedure, you can also partner with Scrut Automation, which will guide your organization through the required controls and policies.
Start your compliance process with us!
Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, and privacy laws like HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.