SOC 2 Trust Services Criteria
SOC 2 is an attestation framework from the AICPA under which an independent CPA firm examines and reports on the controls a service organization uses to protect the systems and data it processes on behalf of its customers. It is not a certification: a Type 1 report covers the design of controls at a point in time, and a Type 2 report covers both design and operating effectiveness over a review period (commonly 6 to 12 months). The criteria are the Trust Services Criteria (TSC), organized into five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the Common Criteria, CC1 to CC9) is in scope for every SOC 2 examination; the other four categories are included only when the service organization elects them. The 2017 TSC contains 61 criteria; the table below lists 42 of them and omits PI1.3 to PI1.5 and the privacy criteria beyond P2. Each criterion is accompanied by points of focus (revised in 2022) that guide the auditor's evaluation but are not themselves requirements.
Issuing Body: American Institute of Certified Public Accountants (AICPA)
Version: 2017 (updated 2022)
Published: 2022-01-01
Controls: 42 (of 61 criteria in the 2017 TSC)
Mapped Laws: —
| Control ID | Title | Criterion | Domain | Maturity |
|---|---|---|---|---|
| CC1.1 | COSO Principle 1 — Commitment to Integrity and Ethics | The entity demonstrates a commitment to integrity and ethical values. Management establishes standards of conduct, evaluates adherence, and addresses deviations in a timely manner. | Control Environment | defined |
| CC1.2 | COSO Principle 2 — Board Independence and Oversight | The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. | Control Environment | defined |
| CC1.3 | COSO Principle 3 — Organizational Structure and Reporting Lines | Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. | Control Environment | defined |
| CC1.4 | COSO Principle 4 — Commitment to Competence | The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | Control Environment | defined |
| CC1.5 | COSO Principle 5 — Accountability for Internal Control | The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | Control Environment | defined |
| CC2.1 | COSO Principle 13 — Use of Relevant Information | The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. | Communication and Information | defined |
| CC2.2 | COSO Principle 14 — Internal Communication | The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. | Communication and Information | defined |
| CC2.3 | COSO Principle 15 — External Communication | The entity communicates with external parties regarding matters affecting the functioning of internal control. | Communication and Information | defined |
| CC3.1 | COSO Principle 6 — Specification of Suitable Objectives | The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | Risk Assessment | defined |
| CC3.2 | COSO Principle 7 — Risk Identification and Analysis | The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | Risk Assessment | defined |
| CC3.3 | COSO Principle 8 — Fraud Risk Assessment | The entity considers the potential for fraud in assessing risks to the achievement of objectives. | Risk Assessment | defined |
| CC3.4 | COSO Principle 9 — Change Identification and Analysis | The entity identifies and assesses changes that could significantly impact the system of internal control. | Risk Assessment | defined |
| CC4.1 | COSO Principle 16 — Ongoing and Separate Evaluations | The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. | Monitoring Activities | defined |
| CC4.2 | COSO Principle 17 — Evaluation and Communication of Deficiencies | The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. | Monitoring Activities | defined |
| CC5.1 | COSO Principle 10 — Selection and Development of Control Activities | The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | Control Activities | defined |
| CC5.2 | COSO Principle 11 — Technology General Controls | The entity also selects and develops general control activities over technology to support the achievement of objectives. | Control Activities | defined |
| CC5.3 | COSO Principle 12 — Policy and Procedure Deployment | The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. | Control Activities | defined |
| CC6.1 | Logical Access Security | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. | Logical and Physical Access Controls | managed |
| CC6.2 | User Registration and Deprovisioning | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. | Logical and Physical Access Controls | managed |
| CC6.3 | Access Authorization and Least Privilege | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. | Logical and Physical Access Controls | managed |
| CC6.4 | Physical Access | The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives. | Logical and Physical Access Controls | managed |
| CC6.5 | Asset Disposal | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives. | Logical and Physical Access Controls | managed |
| CC6.6 | External Threats | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. | Logical and Physical Access Controls | managed |
| CC6.7 | Transmission, Movement and Removal of Information | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. | Logical and Physical Access Controls | managed |
| CC6.8 | Malicious Software | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. | Logical and Physical Access Controls | managed |
| CC7.1 | Vulnerability and Configuration Monitoring | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. | System Operations | managed |
| CC7.2 | Anomaly Detection | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. | System Operations | managed |
| CC7.3 | Security Event Evaluation | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. | System Operations | managed |
| CC7.4 | Incident Response | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. | System Operations | managed |
| CC7.5 | Recovery | The entity identifies, develops, and implements activities to recover from identified security incidents. | System Operations | managed |
| CC8.1 | Change Control Process | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. | Change Management | managed |
| CC9.1 | Business Disruption Risk | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. | Risk Mitigation | managed |
| CC9.2 | Vendor and Business Partner Risk | The entity assesses and manages risks associated with vendors and business partners. | Risk Mitigation | managed |
| A1.1 | Capacity Management | The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. | Availability | managed |
| A1.2 | Environmental Protections, Backup and Recovery Infrastructure | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. | Availability | managed |
| A1.3 | Recovery Testing | The entity tests recovery plan procedures supporting system recovery to meet its objectives. | Availability | managed |
| C1.1 | Identification of Confidential Information | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. | Confidentiality | managed |
| C1.2 | Disposal of Confidential Information | The entity disposes of confidential information to meet the entity's objectives related to confidentiality. | Confidentiality | managed |
| PI1.1 | Processing Definitions and Specifications | The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. | Processing Integrity | managed |
| PI1.2 | System Inputs | The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. | Processing Integrity | managed |
| P1.1 | Notice and Communication | The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy. | Privacy | managed |
| P2.1 | Choice and Consent | The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the implications, if any, for failing to provide or limiting authorization. | Privacy | managed |