Although it’s incredibly helpful to go through a checklist when ensuring SOC 2 compliance, don’t forget that SOC 2 is ultimately about giving customers what they paid for and keeping them safe. With this in mind while you’re building your company, a good place to start is by defining your commitments to customers and users, as well as the system requirements that will help you meet those commitments. These overarching commitments will become the pillars that your SOC 2 audit is built around.
When it comes time for a SOC 2 audit, management will define which Trust Service Categories will be present in the SOC 2 report, and they will be based on commitments to customers that have been made and documented within contracts or elsewhere. So, after conducting some research to dive into what SOC 2 is and how it relates to your organization, it’s time to put together a framework for passing a SOC 2 audit.
Defining and Upholding Commitments to Customers
Commitments are the declarations made by management/the organization to customers regarding the performance of one or more of your organization’s systems. Commitments generally are included in written contracts, service-level agreements, or public statements like privacy notices.
Some commitments are applicable to all customers (baseline commitments), whereas others are designed to meet individual customer needs and result in the implementation of processes or controls, in addition to those required to meet the baseline commitments.
Examples of commitments to customers include:
- Encryption of data in transit
- Encryption of data at rest
- Background checks
- Security practices outlined on your website
Meeting System Requirements
During a SOC 2 audit, you’re assessed against your own policies and procedures (also known as system requirements) that are in place to meet commitments to customers, rather than against an external standard. That said, most SOC 2 assessors are fluent in these areas and can help organizations make the right commitments to their customers if they are unsure which commitments to make within the Trust Service Categories.
System requirements refer to how the system (generally your technical infrastructure) should function to meet your organization’s commitments to customers, relevant laws and regulations, or guidelines of industry groups, such as trade or business associations.
Understanding the SOC 2 Subcategories
Under each Trust Service Category, there are subcategories that need to be addressed in the SOC 2 report. All subcategories under the security category must be addressed in a SOC 2 report unless they are not applicable.
Each subcategory is assigned a certain number of criteria that need to be met through a multitude of controls. On average, there should be two to three controls in place to meet each common criterion. Within the security category alone, you’ll need approximately 66-99 controls in place to meet all of the common criteria.
There are points of focus under each criterion as well, which can be used to go another level deeper during the audit. If management chooses to add another category, such as processing integrity, to the scope of the SOC 2 audit and report, there will be additional criteria and points of focus that need to be met and assessed through a number of extra controls.
Here’s an idea of what subcategories exist under each main Trust Service Category, as detailed by the American Institute of CPAs (AICPA):
- Control environment
- Communication and information
- Risk assessment
- Monitoring activities
- Control activities
- Logical and physical activities
- System operations
- Change management
- Risk mitigation
- Capacity management
- Backup and recovery
- Disaster recovery testing
- Identity and maintaining confidential information
- Disposal of confidential information
- Obtaining or generating, using and communicating relevant, quality information
- Completeness and accuracy of input data
- Completeness and accuracy of data in processing
- Completeness and accuracy of output data
- Completeness and accuracy of stored data
- Notice and communication of objectives related to privacy
- Choice and consent
- Use, retention, and disposal
- Disclosure and notification
- Quality, monitoring, and enforcement
Determine Your Controls and Assign Them to the Proper People
While keeping the Trust Service Categories and subcategories in mind, you need to ensure that your controls are laid out and assigned to the proper control owners. If you’re still in the very early stages of planning, now is a great time to define and implement the controls that your organization needs to meet its commitments to customers.
When putting together your SOC 2 control framework, there are a variety of ways to keep track of your controls and the assigned owner of each. If you are publicly held, you can use a GRC program for this; otherwise, another option is creating a control tracker using a Google Sheet or any other preferred tool, such as a cloud-based platform.
GRC tools are great for managing many different standards and certifications in a more mature organization. Storing this information in the cloud makes it easier to access and share and keeps it as up to date as possible; this approach is a great option for small to midsize businesses with a smaller compliance program, as it gets the job done and saves on cost.
The important takeaway here: keep track of everything, so when a SOC 2 audit happens, you aren’t scrambling to find evidence or figure out who’s in charge of a certain control.
Check out our recent SOC 2 compliance webinar for a more in-depth guide on building a SOC 2 framework and assigning controls.