On December 15, 2014, the new SOC 2 Common Criteria took effect. What does that mean for your SOC 2 audit?
The change to the Common Criteria reduced overlap between Trust Services Principles (TSPs). Prior to the update, many SOC 2 reports had the same controls documented over and over to support the common overlapping requirements between each of the TSPs. Now these common criteria are addressed only once in the report which reduces the redundancy of the SOC 2 report content.
Must Cover Common Criteria (former Security Principle)
The former Security Principle now consists of “Criteria Common to All Principles.” These new Common Criteria apply to four of the five TSPs (Privacy is not included). The Common Criteria, which are similar to the old Security Principle Criteria, must be covered in every report. In the past, a company could select just one of the five TSPs for inclusion in its report. Now every SOC 2 must cover the Common Criteria and may add any of the additional TSPs (Confidentiality, Availability, Processing Integrity, and Privacy) as well. The new Common Criteria include the following categories:
- Organization and management: The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.
- Communications: The criteria relevant to how the organization communicates its policies, processes, procedures, commitments, and requirements to authorized users and other parties of the system and the obligations of those parties and users to the effective operation of the system.
- Risk management and design and implementation of controls: The criteria relevant to how the entity (1) identifies potential risks that would affect the entity’s ability to achieve its objectives, (2) analyzes those risks, (3) develops responses to those risks including the design and implementation of controls and other risk mitigating actions, and (4) conducts ongoing monitoring of risks and the risk management process.
- Monitoring of controls: The criteria relevant to how the entity monitors the system, including the suitability and design and operating effectiveness of the controls, and takes action to address deficiencies identified.
- Logical and physical access controls: The criteria relevant to how the organization restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.
- System operations: The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.
- Change management: The criteria relevant to how the organization identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made to meet the criteria for the principle(s) addressed in the engagement.
Less Prescriptive/Higher Level Criteria
Overall, the Common Criteria are less prescriptive and have higher-level requirements. For example, the former security policy requirement SEC 1.2 had 14 components (a-n). Now the closest security policy requirement is in CC3.2 and simply states, “The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.” It is up to your organization and your auditor to ensure that you have an adequate number of controls in place and operating effectively to support compliance with the updated SOC 2 criteria.
The updated criteria result in more streamlined, less redundant SOC 2 reports.
What should I do if I’m already getting a SOC 2?
Ensure that your 2015 SOC 2 follows the Common Criteria. Ask your service auditor to provide a mapping between the old criteria and the new criteria, and confirm that you have controls in place to address each of the new criteria. Collaborate with your auditors to determine whether there are any gaps in your control environment relative to the new criteria. Remember that these changes in the criteria may result in your auditor selecting different controls for testing.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.