Two key resources for SOC 2 reporting were updated during 2022:
- Revised Implementation Guidance was added to DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. DC 200 includes the categories of information that must be addressed in an organization’s system description (i.e., section 3 of a SOC 2 report). It also includes implementation guidance that should be considered in addition to the description criteria. Service organizations use DC 200 to write and update their system descriptions and auditors use DC 200 to evaluate whether system descriptions are fairly presented in a SOC 2 audit.
- Revised Points of Focus were added to TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy. TSP 100 includes the categories of controls that may be included in a SOC 2 report and the criteria necessary to address those controls. It also includes “points of focus” under each of the criteria that should be considered in a SOC 2 audit. TSP 100 is used by auditors to evaluate the design and operating effectiveness of controls in a SOC 2 audit.
The purpose of this blog post is to provide an overview of the changes identified above. The changes are intended to help service organizations better meet the information needs of their customers and business partners who use their SOC 2 reports. It is important to note that the Description Criteria themselves did not change – only the implementation guidance was updated. The implementation guidance provides important factors to consider when making judgments about the nature and extent of disclosures called for by each criterion.
Similarly, the Trust Services Criteria (TSC) remain unchanged; only the points of focus that support certain TSC have been updated. Points of focus represent important characteristics of the criteria. As such, they may assist both management and the auditor in evaluating whether controls were suitably designed and operated effectively to achieve the entity’s objectives based on the TSC.
Revised Implementation Guidance for Description Criteria
The 2018 description criteria have been modified to reflect revisions to the implementation guidance relevant to certain of the description criteria. The revised implementation guidance is intended to provide users of the criteria with the following:
- Additional clarity regarding certain disclosure requirements
- Guidance on disclosure of how controls meet the requirements of a process or control framework
- Guidance on disclosure of information about the risk assessment process and specific risks
One of the more notable changes to DC 200 was the introduction of two new terms that matter for SOC 2 reports that include the privacy category: “data controller” and “data processor”.
Data controller – An organization that (alone or jointly with others) determines the purposes for and the means by which personal data is processed.
Data processor – An organization that processes personal data at the direction of a data controller. In many cases, a service organization may process personal data for its business-to-business (B2B) customers (user entities), which in turn may function as data controllers. In other cases, a service organization may function as a data controller, depending on the facts and circumstances.
An example of a significant update to the implementation guidance that is related to these new terms can be found under DC1: The types of services provided:
When handling personal information, a service organization may function in the role of a data processor, data controller, or both. Depending on which of these roles the service organization performs, its responsibilities with regard to protecting personal information may differ. Therefore, when the SOC 2 examination addresses privacy, clear disclosure of the role or roles performed by the service organization may be necessary to describe the types of services provided. Such disclosures enable users to understand how the service organization addressed its responsibilities to mitigate risks to the achievement of its service commitments and system requirements related to privacy.
Revised Points of Focus for TSC
The AICPA has developed a set of criteria (trust services criteria) to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability or processing integrity of information and systems used to provide products or services, or the confidentiality or privacy of information processed by those systems. As noted above, the broad trust services categories themselves (security, availability, processing integrity, confidentiality and privacy) have not changed, nor have the criteria supporting the categories. The only change is to the “points of focus” under certain criteria: the 2017 TSC have been modified to add new points of focus and to edit previous points of focus relevant to certain of the criteria.
The revised points of focus are intended to better support application of the criteria in:
- an environment of ever-changing technologies, threats and vulnerabilities, and other matters that may create additional risks to organizations.
- addressing changing legal and regulatory requirements and related cultural expectations regarding privacy.
- addressing data management (for example, data storage, backup, and retention), particularly when related to confidentiality.
- differentiating which points of focus related to privacy may apply only to an organization that is a data controller or only to an organization that is a data processor, as defined above.
An example of a significant change to the points of focus is the following, which applies broadly to all privacy points of focus:
The privacy points of focus assume that the service organization is a data processor or data controller, or both, as defined in appendix A. In many cases, a service organization may function as a data processor for its business-to-business (B2B) customers (user entities), which may in turn function as data controllers. In other cases, a service organization may function as a data controller. Practitioners have a responsibility to understand whether the service organization functions as a data processor, data controller, or both, and to evaluate all the points of focus to determine which are applicable based on the service organization’s responsibilities. The following references indicate a typical allocation of responsibility.
[P] = This point of focus is likely to be relevant to a data processor.
[C] = This point of focus is likely to be relevant to a data controller.
Often, when privacy is in scope for a SOC 2 audit and the service organization is a data processor, several privacy criteria are not applicable. An example is P2.0, Privacy Criteria Related to Choice and Consent. The revised points of focus clarify that these criteria likely apply only to data controllers by tagging the relevant points of focus with the [C] reference discussed above.
Another interesting revision occurred in a footnote under the points of focus for CC1.2 The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. The footnote states: The definition of board of directors in appendix A, “Glossary,” recognizes that smaller, less complex businesses may meet the governance and oversight objectives of the entity with simplified organizational structures. With sufficient management oversight, a board of directors may be effective without retaining independent board members.
This new guidance could prove useful for smaller service organizations that do not have an independent board of directors.
Service organizations should consider whether and how their controls address the clarifications and new points of focus. In evaluating the new guidance, organizations should pay particular attention to the following changes:
- Types of relevant information — New points of focus clarify that the types of information relevant to systems of internal control include information about data flow, asset inventory and location, information classification, and the completeness and accuracy of information used in the system.
- Risk assessment — The revised points of focus include the underlying components of risk assessment: threat and vulnerability identification and the evaluation of the likelihood and magnitude of a threat event intersecting with a vulnerability. The revised points of focus also include the consideration of residual risk after considering internal controls and management’s decisions to accept, reduce or share risks.
- Logical access — Modified points of focus encourage consideration of logical access controls across the system architecture, including all relevant infrastructure, IT tools, and types of access, such as employee, contractor, vendor, business partner, system and service accounts. In addition, recovery of devices, such as laptops, is now considered in the points of focus.
- Change management — Two new points of focus have been added to address change management. The first relates to the identification, testing and implementation of software patches. The second addresses the consideration of resilience requirements during the change management process if a SOC 2 report addresses system availability.
- Availability — Given the increase in ransomware attacks, a new point of focus was added on management’s identification of threats to data recoverability and mitigation procedures.
- Privacy — A number of points of focus were revised to better align with widely used privacy practices.
The AICPA also emphasized that the applicability of any particular point of focus depends on the facts and circumstances and that the points of focus provided are unlikely to be exhaustive for most service organizations. Consequently, use of the TSC does not require that every point of focus be met. However, a service organization should consider the applicability of the new points of focus and whether other points of focus also need to be met to achieve their service commitments and system requirements.
In conclusion, service organizations may need to make changes to their controls and disclosures in SOC 2 reports as a result of the updates discussed in this post. SOC 2 reports that include the privacy category may require more extensive changes than those that exclude privacy. When privacy is in scope, the system description should generally be updated (under DC1) to include disclosure of whether the service organization is a data processor or data controller.
Thanks for reading!