SOC 2 compliance is demonstrated by an attestation issued in a SOC 2 report (it is not a certification), which must be completed by a Certified Public Accountant (CPA) who is a member of the American Institute of Certified Public Accountants (AICPA).
The format of the SOC 2 report is set by the AICPA and is structured as follows:
- Opinion letter
- Management's assertion
- Description of the system
- Description of tests of controls and results of testing
What is COSO and how does it relate to SOC 2?
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) is an initiative from five private North American organisations, including the AICPA, which outlines the 17 Principles of Internal Audit Control that form the basis for the Trust Services Criteria audited against as part of the SOC 2 attestation assessment.
Trust Services Categories
When determining the scope of the SOC 2 attestation, there are 5 trust services categories:
- Security
- Confidentiality
- Processing Integrity
- Availability
- Privacy
Trust Services Criteria and Expected Evidence
An organisation can select which of the categories it wants to include in scope; this selection determines the criteria used in the attestation assessment, which are outlined on pages 10-168 of the Trust Services Criteria document published by the AICPA. If all 5 categories of trust services criteria are selected as in scope, the number of criteria to be assessed is around 185. Examples of the criteria include:
Security
| Principle/Trust Services Criteria | Requirement | Evidence Required |
|---|---|---|
| COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values (Trust Services Criteria CC1.1) | Upon hire, employees must acknowledge a code of conduct describing the responsibilities and expected behaviour with regard to data and information system usage. | Example employee code of conduct acknowledgement |
| | Employees are required to sign a confidentiality agreement upon hire. This agreement prohibits any disclosure of information and other data to which the employee has been granted access. | Example signed employee confidentiality agreement |
| | Managers are required to complete performance appraisals for direct reports at least annually. | Performance appraisals for an example employee (evidence should show performance assessed against the rules of behaviour) |
| | Employees and contractors who violate the code of conduct are subject to disciplinary actions documented in a formalised sanctions policy. | Code of conduct and employee sanctions policy |
| CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. | A Mobile Device Management (MDM) system is in place to centrally manage mobile devices supporting the service. | Evidence of a centrally managed mobile device management system |
| | Portable and removable media devices are encrypted when used. | Evidence of encryption on portable and removable media devices |
| CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. | Anti-malware technology is deployed for environments commonly susceptible to malicious attack and is configured to be updated routinely, logged, and installed on all relevant production servers. | Screenshot of anti-malware configuration (scan schedule, virus definition update schedule, notification configuration, and an example alert notification) |
| | Infrastructure supporting the service is patched as part of routine maintenance and in response to identified vulnerabilities, to help ensure servers supporting the service are hardened against security threats. | Evidence of the most recent security patches applied to the in-scope environment |
| | A File Integrity Monitoring (FIM) tool is used to notify system administrators of potential unauthorized changes to the production system. | File integrity monitoring configuration dashboard, alert configuration, and an example alert |
Confidentiality
| Principle/Trust Services Criteria | Requirement | Evidence Required |
|---|---|---|
| C1.1 The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. | Confidential or sensitive customer data is prohibited, by policy, from being used or stored in non-production systems/environments. | Policy prohibiting the storage of production data in non-production systems |
Processing Integrity
| Principle/Trust Services Criteria | Requirement | Evidence Required |
|---|---|---|
| PI1.2 The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. | System logic is coded into the system that generates on-screen alerts in the event that there are any issues when inputting or processing transactions. | Observation of on-screen error alerts during data entry |
| | For instances when a card number is manually typed into the application, the system is configured with input validation checks to ensure that the necessary information is provided to process the transaction. | Input validation configuration for data entry into the application |
| | Historical transaction data is retained for the life of a customer. No transactional data is purged until the customer account is deleted. | Data retention and disposal policies |
Availability
| Principle/Trust Services Criteria | Requirement | Evidence Required |
|---|---|---|
| A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. | System capacity is evaluated on an [on-going] [annual] basis and system changes are implemented to help ensure processing capacity can meet demand. | Evidence of ongoing system capacity evaluation |
Privacy
| Principle/Trust Services Criteria | Requirement | Evidence Required |
|---|---|---|
| P1.1 The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity's privacy practices, including changes in the use of personal information, to meet the entity's objectives related to privacy. | Privacy policies are formally documented and made readily available to data subjects, internal personnel and third parties who need them. Privacy policies are documented to include the following practices: Notice; Choice and Consent; Collection; Use, Retention; Access; Disclosure; Security for Privacy; Quality; Monitoring and Enforcement. | Privacy Policy |