Late last year, the SOC 2 Working Group, a part of the AICPA's Assurance Services Executive Committee (ASEC), made some revisions to the SOC 2 Trust Service Criteria and Description Criteria in the form of "implementation guidance." It is worth noting that these changes did not alter the Criteria's requirements themselves. However, if you oversee a SOC 2 for your organization or are considering obtaining one, it is important to understand the changes and their implications.
Despite no substantial changes to the Criteria, the new guidance may provide valuable insights and assistance when implementing SOC 2 controls, ensuring a smoother process and a more efficient and effective audit.
What Are the Changes?
The Trust Service Criteria (TSP Section 100) and the Description Criteria (DC Section 200) documents were both revised by the Group. Each revised document opens with a high-level overview of its changes, excerpted below:
- Trust Service Criteria (TSP section 100):
"The version of the 2017 TSC has been modified to reflect new points of focus and edits to extant points of focus (collectively referred to as revisions) relevant to certain of the trust services criteria."
- Description Criteria (DC Section 200):
"The revised implementation guidance in this version is intended to provide users of the criteria with the following:
- Additional clarity regarding certain disclosure requirements
- Guidance on disclosure of how controls meet the requirements of a process or control framework
- Guidance on disclosure of information about the risk assessment process and specific risks."
For those familiar with the SOC 2 framework, the "points of focus" (POF) serve as a means to provide service organization management with implementation guidance on crucial elements of the Criteria. These POFs are not requirements, and management is not obligated to address all of them, as they represent a menu of examples and considerations on how service organizations may design/implement controls to achieve the related criteria.
Recently, our SOC 2 specialists undertook a comparison of the old and new TSC, highlighting the newly added POF in Appendix A. There are numerous new additions, including POF for the Confidentiality and Privacy categories. It is advisable to thoroughly review these additions, as they may prompt your organization to consider implementing internal controls that align with the relevant Criteria. Such a review may lead to improved compliance and better assurance of the integrity of your organization's systems.
The reinforced messaging in the recent SOC 2 guidance regarding the connection between the service organization's "service commitments and system requirements" and the entity's objectives (TSP Section 100, paragraphs .18-.21) may be highly valuable. The phrase "to meet the entity's objectives" appears in many trust service criteria. The new guidance emphasizes that those objectives are directly linked to the documented service commitments and system requirements. This clarification highlights the critical importance of having clear and concise system commitments and system requirements in place. Failure to do so may result in inadequate compliance with the trust services criteria that include this language. As a result, it is strongly suggested that you review this section to ensure that your stated system commitments and requirements are up to par. This review may lead to changes that enhance your organization's compliance and better serve your clients' needs.
In addition, some notable updates were made to the Description Criteria ("DC"), and these updates provide enhanced clarity on certain topics that have been persistently misunderstood.
As you may know, Data represents one of the five components of your "System" (with the other four being Software, Infrastructure, People, and Procedures), and service organization management is required to describe the relevant data in their System Description. In the revised Description Criteria, a pertinent point is made regarding how to interpret data for the purposes of SOC 2 compliance. The focus should be on customer data and data that supports the System. This reminder is particularly helpful when identifying the type of data that is relevant, as it can help prevent scope creep by ensuring that only controls that protect data falling within this interpretation are audited. Please refer to DC3, pages 16-17 for more information.
Another helpful point of clarification provided by the Group is that applications and software tools that support the fulfillment of service commitments are likely to fall within the System's boundaries and therefore be considered in-scope for SOC 2 compliance (refer to DC3, page 18 for more information).
The document continues to say:
“Examples of applications or software tools that can help with the operation of controls include tools that help with the identification or detection of threats and vulnerabilities (for example, firewalls, intrusion prevention systems [IPSs], intrusion detection systems [IDSs], security information and event management systems [SIEMs]), monitoring the implementation of key software settings, or monitoring the effectiveness of automated controls.”
This point may prompt service organization management to add these applications or software tools to your System Description (i.e., Section 3 of the SOC 2 report). It is recommended that you talk with your SOC auditor to determine whether logical access or change management controls are expected to be applied to these applications or software tools.
Performing a risk assessment can be a confusing and seemingly fruitless exercise without proper guidance. In its most basic form, having a clear understanding of the initial objectives or goals is the first step (and the one most often skipped); one then assesses the various risks of not achieving those objectives or goals. As you may know, there are four TSCs related to risk assessment. The Group reminds the reader that when addressing those criteria, the focus should be "risks that threaten the achievement of their service commitments and system requirements" (DC5 of DC Section 200). Therefore, the objective of your risk assessment should be achieving your service commitments and system requirements. If your risk assessment process does not have this laser focus, you may be assessing risks irrelevant to your SOC 2 scope and doing more work than you need to.
Furthermore, the revised guidance offers additional assistance to service organization management in assessing whether a particular criterion of the applicable trust service criteria is irrelevant to the system and the reasoning behind this determination.
Here is a helpful example in DC8 of DC Section 200:
“For example, a service organization uses an infrastructure-as-a-service cloud provider for all IT systems related to the services provided. The subservice organization is responsible for deleting information from its hosting environment before ending logical and physical access of storage devices. Because the service organization still manages a portion of this process, they still have a contractual commitment to protect the information of its customers. Therefore, CC6.5, The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives, is still relevant, even if the subservice organization is carved out.”
If you have a number of TSCs that are considered not applicable, it is recommended that you take a fresh look at your rationale to ensure that it is still regarded as valid.
As noted above, we have highlighted some thought-provoking changes in the newly released SOC 2 Trust Service Criteria and Description Criteria. If you are interested in digging deeper into these topics to fully understand the impact on your organization's SOC 2 report(s), please contact the IT Risk and Assurance team at CBIZ.
Appendix A – Newly Added Points of Focus (POF)
CC1.3: Additional POF When Using the TSC for Privacy
"Establishes Structures, Reporting Lines, and Authorities to Support Compliance With Legal and Contractual Privacy Requirements" POF was added.
CC1.5: Additional POF When Using the TSC for Privacy
"Takes Disciplinary Actions" POF was added.
CC2.1: Additional POF When Using the TSC
"Documents Data Flow" POF was added.
"Manages Assets" POF was added.
"Classifies Information" POF was added.
"Uses Information That Is Complete and Accurate" POF was added.
"Manages the Location of Assets" POF was added.
For a full list of newly added POF, please contact our IT Risk and Assurance team.
Copyright © 2023, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).