One of the most common requests I get from organizations preparing for a SOC 2 audit is for the SOC 2 control list that specifies the required controls. However, unlike other security frameworks, SOC 2 does not come with a set list of controls. Rather, the number and type of SOC 2 controls an organization needs will depend on its service or product and on which trust services criteria are in scope for its SOC 2. While it is sometimes nice to have a checklist of controls, a SOC 2 allows for flexibility so that controls can be adapted to your organization and address the unique risks and circumstances your organization faces.
The challenge, though, is identifying and implementing the SOC 2 controls you need for your examination. Fortunately, the AICPA does provide some guidance through points of focus to help you determine the controls that should be implemented. The purpose of this article is to explain how you can begin identifying and implementing SOC 2 controls for your SOC 2 examination.
SOC 2 Trust Services Criteria
Let’s start by reviewing the structure of the SOC 2 requirements that help guide the identification of your SOC 2 controls. A SOC 2 examination evaluates the design and operating effectiveness of controls using the trust services criteria related to security, availability, processing integrity, confidentiality, or privacy. The trust services criteria define the outcomes your controls should meet to achieve your objectives. There are 61 criteria across the five categories, but only those relevant to your SOC 2 scope need to be addressed.
At a minimum, a SOC 2 report will include the security criteria. Controls will need to be implemented that support or address the criteria that are in scope.
SOC 2 Points of Focus
Each of the trust services criteria includes points of focus, which offer guidance on the types of controls, or control elements, that should be considered when designing the controls. Note, however, that the points of focus are not mandatory and may not all apply to your organization. Further, auditors are not required to assess each point of focus. Nonetheless, considering them is valuable for identifying SOC 2 controls that align with the relevant criteria.
The full list of trust services criteria and points of focus can be found in the following document: TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022).
Identifying or Selecting SOC 2 Controls
After you identify the in-scope criteria and related points of focus, you can determine the necessary controls by mapping them to these elements. Let’s look at an example of how this can be done, using criterion CC6.2, which is relevant to managing system access:
“CC6.2 – Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.”
This criterion is accompanied by three points of focus, one of which is stated as follows:
“Creates Access Credentials to Protected Information Assets — The entity creates credentials for accessing protected information assets based on an authorization from the system’s asset owner or authorized custodian. Authorization is required for the creation of all types of credentials of individuals (for example, employees, contractors, vendors, and business partner personnel), systems, and software.”
Based on the criterion and point of focus provided, procedures related to authorizing and provisioning new access are required. In this case, implementing a policy and procedure that requires all new access requests to be documented and approved by management prior to provisioning access is an example of a control that could be mapped to these elements. While not part of this example, procedures for removing access should also be implemented, since the second sentence of CC6.2 covers credential removal.
Repeat this process for all in-scope trust services criteria to complete your SOC 2 controls list. As you identify more SOC 2 controls, you can create a control matrix outlining each control, the criteria it maps to, the relevant risks it mitigates, responsible parties, frequency, and required supporting evidence. If gaps or missing controls are identified, design and implement these before your SOC 2 exam.
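As an added illustration of the control matrix and gap check described above (example code written for this page, not Linford & Company's own tooling or the AICPA's), the script below represents a small control matrix, reports in-scope criteria that no control maps to, and runs an operating-effectiveness style test of the CC6.2 provisioning control against constructed access-request records. The control IDs, control wording, owners, dates and records are all constructed for illustration; criterion identifiers other than CC6.2 follow the TSP 100 "CC" numbering but are chosen here only to show a gap.

```python
"""Added example: SOC 2 control matrix, gap check, and a sample test of the
CC6.2 access-provisioning control. All controls and records are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    control_id: str
    description: str
    criteria: List[str]   # trust services criteria the control maps to
    risks: List[str]      # risks the control mitigates
    owner: str            # responsible party
    frequency: str        # how often the control operates
    evidence: List[str]   # support the auditor will request


# Constructed control matrix. CTRL-01 is the "approve before provisioning"
# control the article derives from CC6.2 and its "Creates Access Credentials"
# point of focus; the other two are hypothetical.
CONTROL_MATRIX = [
    Control("CTRL-01",
            "New access requests are documented and approved by management before provisioning",
            ["CC6.2"], ["Unauthorized access"], "IT Manager", "Per request",
            ["Access request ticket", "Approval record"]),
    Control("CTRL-02",
            "Access is removed within one business day of termination",
            ["CC6.2", "CC6.3"], ["Orphaned accounts"], "IT Manager", "Per event",
            ["Termination checklist", "Deprovisioning ticket"]),
    Control("CTRL-03",
            "Changes are reviewed and approved before production deployment",
            ["CC8.1"], ["Unauthorized change"], "Engineering Lead", "Per change",
            ["Pull request approval", "Deployment log"]),
]

# Hypothetical scope: a subset of the security (common) criteria.
IN_SCOPE = ["CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC8.1"]


def coverage(matrix: List[Control], in_scope: List[str]) -> Dict[str, List[str]]:
    """Map every in-scope criterion to the IDs of the controls that address it."""
    result: Dict[str, List[str]] = {c: [] for c in in_scope}
    for ctrl in matrix:
        for crit in ctrl.criteria:
            if crit in result:
                result[crit].append(ctrl.control_id)
    return result


def gaps(matrix: List[Control], in_scope: List[str]) -> List[str]:
    """In-scope criteria with no mapped control: design these before the exam."""
    return sorted(c for c, ids in coverage(matrix, in_scope).items() if not ids)


def unmapped_controls(matrix: List[Control], in_scope: List[str]) -> List[str]:
    """Controls that map only to out-of-scope criteria (a scoping error or typo)."""
    return sorted(c.control_id for c in matrix if not set(c.criteria) & set(in_scope))


# Constructed provisioning records, the kind of evidence CTRL-01 would produce.
PROVISIONING_SAMPLE: List[Dict[str, Optional[str]]] = [
    {"user": "a.lee", "approver": "j.smith", "approved": "2024-03-01", "provisioned": "2024-03-02"},
    {"user": "b.kim", "approver": None,      "approved": None,         "provisioned": "2024-03-05"},
    {"user": "c.ray", "approver": "j.smith", "approved": "2024-03-10", "provisioned": "2024-03-09"},
]


def approval_exceptions(records: List[Dict[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Test CTRL-01 operated as designed: every grant has a documented approval
    dated on or before the provisioning date. Returns (user, reason) exceptions."""
    exceptions: List[Tuple[str, str]] = []
    for r in records:
        if not r["approver"] or not r["approved"]:
            exceptions.append((r["user"], "no documented approval"))
        elif date.fromisoformat(r["provisioned"]) < date.fromisoformat(r["approved"]):
            exceptions.append((r["user"], "provisioned before approval"))
    return exceptions


if __name__ == "__main__":
    print("Criteria without a control:", gaps(CONTROL_MATRIX, IN_SCOPE))
    print("Controls outside scope:", unmapped_controls(CONTROL_MATRIX, IN_SCOPE))
    for user, reason in approval_exceptions(PROVISIONING_SAMPLE):
        print(f"CTRL-01 exception: {user}: {reason}")
```

Run as-is, the gap check reports CC6.1 and CC7.2 as in-scope criteria with no control, and the CTRL-01 test flags two of the three sample records. A Type 1 examination would stop at the matrix (design and implementation); the evidence test is the kind of check a Type 2 examination performs over the review period.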
Common FAQs About SOC 2 Controls
This FAQ section provides answers to common questions related to SOC 2 controls and requirements. Whether you’re preparing for a SOC 2 audit or looking to enhance your organization’s understanding of SOC 2, this section provides answers to help you navigate SOC 2 requirements.
How Many Controls Are Required For a SOC 2?
There is no standard set of SOC 2 controls, and no standard number of controls that your organization should have. The number will vary based on the trust services criteria in scope and the complexity of your organization and its processes and procedures. In general, for a SOC 2 report covering the security criteria, you can expect about 60-80 controls. Additional criteria will require additional controls.
What Is the Difference Between SOC 1 & SOC 2 Controls?
Refer to this article for a detailed explanation of the difference between a SOC 1 and SOC 2 report. In summary, there can be overlap between SOC 1 and SOC 2 controls, particularly related to information technology controls. However, SOC 1 controls are controls at a service organization that are relevant to the user entity’s (the organization using the product or service) internal control over financial reporting. These tend to include more business process controls.
What Are the Five Criteria for SOC 2?
A SOC 2 examination evaluates the design and operating effectiveness of controls using the trust services criteria related to security, availability, processing integrity, confidentiality, or privacy. The criteria are broken out into these five categories.
What Is the SOC 2 Common Criteria List?
While an organization can select any of the trust services criteria for their SOC 2 audit, at a minimum, the security criteria will be included. The criteria that make up the security criteria are referred to as the common criteria and are denoted by “CC,” which includes the following sections:
- Control Environment (CC1)
- Information and Communication (CC2)
- Risk Assessment (CC3)
- Monitoring Activities (CC4)
- Control Activities (CC5)
- Logical and Physical Access Controls (CC6)
- System Operations (CC7)
- Change Management (CC8)
- Risk Mitigation (CC9)
What Are SOC 2 Type 2 Controls?
There is no difference between SOC 2 Type 2 controls and SOC 2 controls. SOC 2 controls can be processes, policies, or procedures designed to achieve or comply with the trust services criteria. The “Type 2” indicates which type of SOC 2 report or examination is performed. Type 2 reports include testing the operating effectiveness of controls over a period, whereas a Type 1 report only looks at design and implementation as of a point in time. Both types of reports use the same trust services criteria.
Next Steps for Building Your SOC 2 Controls Framework
There is no standard or required SOC 2 control list. SOC 2 audits require organizations to design and implement controls based on their specific services and the trust services criteria in scope. The trust services criteria (security, availability, processing integrity, confidentiality, and privacy) outline outcomes for controls, and points of focus provide guidance for control elements. While this approach requires more upfront work and analysis of controls, it allows controls to be tailored to organizational needs and requirements.
Linford & Company is an independent CPA firm specializing in SOC 2 assessments and other various audit services. Our team of external auditors has helped many new clients start their SOC 2 journey, including identifying the boundaries of their system, determining the criteria needed in their examination, and identifying relevant controls. All clients are provided these services as part of the readiness assessment. If you have questions about identifying controls or are interested in an audit, please feel free to click the “Contact Auditor” button on this blog post.
Kevin has over ten years of experience in internal controls, audit, and advisory work. Kevin started his career in public accounting at Deloitte focusing on internal controls, SOC audits, and IT assurance work. After Deloitte, Kevin filled a leadership role in the SOX Compliance group at a financial services company. Kevin is a CPA and holds a Bachelor of Science degree in Accounting from Brigham Young University and a Master of Business Administration degree from Ohio University.