Many service organizations that issue System and Organization Controls (SOC) 2 reports are likely already familiar with the new trust services criteria (TSC) framework published by the American Institute of Certified Public Accountants (AICPA) in 2017. During the allowed transition period to the new TSC, most organizations opted to continue using the previous trust services principles and criteria (TSPC).
However, the new TSC framework must be used for SOC 2 reports with a reporting period ending on or after Dec. 15, 2018. As a result, organizations that have not already transitioned to the new framework will need to get ready sooner rather than later and identify the changes and any additional steps that might be needed to produce a successful SOC report in 2019.
Trust services criteria and COSO: A crossover
At first glance, the structure of the new TSC framework seems unchanged, and five reporting options are still in place. The common criteria, which include security, are required for all SOC 2 reports. Organizations might also choose to be examined against the availability, confidentiality, processing integrity, and privacy categories of the framework. However, the criteria structure and language for those categories have been realigned based on the 2013 “Internal Control – Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Organizations already familiar with COSO will recognize the language that now makes up the majority of the common criteria.
The four optional categories – availability, confidentiality, processing integrity, and privacy – only have minimal changes to their control criteria. For the most part, organizations can continue to employ their existing control activities for these four categories. One noteworthy change was made to confidentiality. Previous confidentiality criteria that focused on data protection were redundant with the logical access portion of the common criteria and have been removed. Confidentiality now focuses on data retention and destruction practices.
The significant changes within the common criteria affect all service organizations that issue a SOC 2 report.
For your consideration: Points of focus
Organizations digging into TSP Section 100, “2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,” might also have noticed that the illustrative controls previously provided for each set of criteria have been replaced by points of focus (PoF). The PoF are another COSO concept that has also been merged into the TSC framework. The PoF are intended to provide direction to management when identifying organizational controls to address each criterion.
Think of the PoF as illustrative subcriteria. If, upon first read, the intent or scope of certain criteria is not clear, the PoF give an additional level of detail. However, in practice, deciphering the PoF can take some time, so it’s important to understand that the PoF are provided as an optional resource. Organizations are not required to specifically address the PoF with their controls, and the PoF are not officially evaluated by the service auditors. Controls will continue to be evaluated in the context of whether they achieve the criteria. Therefore, if the PoF are not needed or useful in clarifying and understanding the criteria, they can be ignored.
The common criteria reboot
The common criteria address two broad control categories: governance and IT operations. Both aspects are still covered in the new TSC. The most noticeable changes are in the language of the individual criteria, which raises control expectations in certain areas, described in more detail below.
Governance: Risk management and internal control
The governance-related criteria are now taken directly from the COSO framework. In addition to the overall rewording, more prescriptive and stricter expectations now exist for controls related to an organization’s IT governance and risk assessment methodology. For example, one new criterion requires that a board of directors or equivalent governance committee must be in place and meet specific conditions: It must have oversight of internal controls, and its membership must be sufficiently independent from those directly responsible for executing internal controls.
In addition, within the risk management-related criteria in the new TSC (CC3, CC4, CC5, and CC9), organizations must now explicitly incorporate certain activities into their risk management programs, including:
- Identifying and addressing fraud risks
- Establishing an internal control framework
- Formalizing monitoring of internal control effectiveness and remediation plans
- Managing third-party risks
IT operations: System operations
Because the COSO framework does not address IT controls at a granular level, the IT operations-related criteria kept the previous TSC as their foundation and were enhanced in a few areas. The most significant changes can be found within system operations:
- Incident response. While previously covered by a single criterion (CC6.2), incident response is now expanded to four criteria that specify required activities and documentation for each incident.
- Configuration management. Organizations must now include controls to define baseline security configurations, as well as detect and respond to unauthorized configuration changes – a completely new requirement for SOC 2.
To be continued
In addition to reviewing major changes and new control areas, organizations should perform a comprehensive review of the new TSC framework and begin mapping their existing SOC 2 controls to it to identify potential gaps. The gaps can then be prioritized based on the type of control needed and when that control must be in place. For example, a continuous control such as the existence of a board of directors or the configuration of certain system settings should be in place at the start of the SOC examination period. Other controls that only need to be performed annually (such as risk assessment) or that are driven by infrequent events (such as incident response) might be implemented later during the period.