Your SOC 2 journey is much like your fitness journey. It brings best practices and nuances into your security posture that build your information security muscle. And just as you plan your fitness regimen in terms of intensity and frequency (based on your fitness level and goals), in SOC 2 parlance you deploy your key SOC 2 controls based on your organization’s risk assessment, stage of growth, and customer requirements.
So, if SOC 2 is on your mind, this article is a must-read: it explains SOC 2 requirements in terms of the Trust Service Criteria (TSC), what a SOC 2 controls list for Privacy looks like, and the common controls you can implement to meet them.
You can also download the SOC 2 controls list PDF as a handy guide, attached below.
What are SOC 2 Controls?
Controls, in simple words, are the processes, policies and systems you put in place to prevent and detect security mishaps and oversights to bolster your information security practices.
What is a List of SOC 2 Controls?
The SOC 2 controls list is based on the five TSC that businesses are evaluated on during their SOC 2 audit. It comprises the processes, procedures, and systems that your organization has in place to protect customer data as per SOC 2 requirements (detailed in the next section).
The framework draws its controls list from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework and outlines four additional control elements as follows:
- Logical and Physical Access Controls
- System and Operations Controls
- Change Management Controls
- Risk Mitigation Controls
The SOC 2 audit evaluates the design and operational effectiveness of your cloud security controls against the TSC that you have chosen. The framework, therefore, isn’t prescriptive, and to that extent, the exact list of controls will also differ for organizations; it’s up to businesses to establish what their key controls are.
In short, your controls will depend on the SOC 2 requirements you must meet to get compliant.
What are SOC 2 Requirements?
SOC 2 requirements stem from the TSC defined by the American Institute of CPAs (AICPA). Your exact requirements, however, will depend on the TSC you choose. Be that as it may, you must consider each TSC as a focus area for your infosec compliance program. Each TSC defines a set of compliance objectives and requirements your business must adhere to with your defined controls.
Here’s a quick overview of the five TSC.
Security must be in scope for every SOC 2 audit and is, therefore, referred to as the common criteria. It requires you to enable access control, entity-level controls, firewalls, and other operational/governance controls to protect your data and applications. This TSC takes substantial effort and will require participation from your IT Development, IT Infrastructure, HR, senior management, and operations teams.
The Availability criteria in SOC 2 focuses on minimizing downtime and requires you to demonstrate that your systems meet operational uptime and performance standards. It includes network performance monitoring, disaster recovery processes, and procedures for handling security incidents, among others. Business continuity, data recovery and backup plans are critical pieces here.
Confidentiality requires you to demonstrate the ability to identify and safeguard confidential information throughout its lifecycle by establishing access control and proper privileges (to ensure that data can be viewed/used only by the authorized set of people or organizations). Confidential data includes financial information, intellectual property, and any other form of business-sensitive details specific to your contractual commitments with your customer.
Processing Integrity assesses whether your cloud data is processed accurately, reliably and on time, and whether your systems achieve their purpose. It includes quality assurance procedures and SOC tools to monitor data processing. This is relevant for businesses that execute critical customer operations such as financial processing, payroll services, and tax processing, to name a few.
Privacy requires you to protect Personally Identifiable Information (PII) from breaches and unauthorized access through rigorous access controls, two-factor authentication, and encryption. Privacy is relevant to you if your business stores customers’ PII such as healthcare data, birthdays, and social security numbers.
Download your SOC 2 Controls List PDF
What is a SOC 2 List of Controls?
SOC 2 controls are a list of policies, processes and systems that businesses should implement to meet the SOC 2 compliance requirements. It covers a wide gamut of security best practices across IT infrastructure and core applications. The controls also include policy writing, vendor management and many other non-technical areas.
To get an overview of the controls list that applies to you, you must first select the TSC that are relevant to you. There are 61 individual criteria associated with the five TSC. You need to deploy internal controls only for the individual criteria under your selected TSC. This can be done through policies that establish what is expected and procedures that put your policies into action.
The design and implementation of your internal SOC 2 controls will also depend on factors such as the internal risk assessment of your critical systems & applications, the stage of growth of your business and how you anticipate growing, specific requirements from your customers, and the scope of your SOC 2 compliance, to name a few.
To learn more about the SOC 2 compliance journey, read The Founders’ Guide to SOC 2.
To achieve SOC 2 compliance, your controls need to meet the varied criteria listed under the Common Criteria as well as the TSC that you choose as relevant. Here’s a look at how the different criteria stack up and what it entails to design your controls around them.
SOC 2 Controls for Security
Security is the most critical criterion listed in the framework. It comprises nine common criteria (CC) series, of which five are essential and based on the COSO principles.
Beyond these, there are four other Common Criteria series. Here’s how they stack up:
SOC 2 Logical and Physical Access Controls
These controls require you to show that you are taking physical and virtual measures to ensure data privacy, integrity and confidentiality. They include restricted access to sensitive data, devices and networks (role- and responsibility-based), safeguards for monitoring and issuing credentials, and more. They also include restricting physical access to facilities, workstations and protected information assets to authorized personnel only.
A strong Identity and Access Management (IAM) program can help you ensure there is no inappropriate access to your data.
SOC 2 Systems and Operational Controls
These controls pertain to your infrastructure’s efficiency and test how quickly you can normalize deviations/disruptions to operations to mitigate the security risks. These include threat detection, incident response, root cause analysis and compliance.
Using an established Managed Detection and Response (MDR) service to detect, investigate and actively respond through threat mitigation and containment can help you here.
SOC 2 Change Management Controls
These controls relate to an effective change management system, comprising policies and procedures for updating infrastructure, data, software or processes. An exhaustive database that captures all the changes made in your firm, who authorized them, who designed them, who configured them, who tested them, who approved them and who implemented them is a good starting point.
For instance, an easy-to-use and scalable patch management tool can protect your systems from security risks while keeping up with the advancements in software development.
SOC 2 Risk Mitigation Controls
Risk mitigation and assessment are crucial in SOC 2 audits because they identify risks associated with growth, location, or infosec best practices. You will need to document the scope of risks from identified threats and vulnerabilities and demonstrate how you monitor, identify, analyze and prevent losses that could come from them.
Some areas you can consider for risk assessment are vendors and business partners, misuse of access to information, leadership changes, regulatory, economic and physical environment changes, and technology changes. You will need to assign a likelihood and impact to each identified risk and then deploy controls to mitigate them.
To learn more about how the AICPA details each common criteria, read their report here.
SOC 2 Security Controls List for Availability
This TSC makes a good fit for cloud-hosted companies such as yours because the native features of the cloud make it easy for you to address the criteria.
It consists of three criteria:
- Infrastructure & Capacity Monitoring
- Backups & Replication
- Business Continuity and Disaster Recovery Plan & Test
So, you will deploy controls related to backups, replication, processing capacity, business continuity, and disaster recovery planning and tests to meet these requirements.
Here are some questions that may help you:
- How do you track metrics such as CPU utilization, memory utilization, and disk I/O?
- Do you have backup and replication configurations in place?
- Do you have risk management policies and procedures regarding business continuity and disaster recovery (BC/DR)? What type of BC/DR tests do you perform?
AICPA SOC 2 Controls List for Confidentiality
If your business stores sensitive information protected by non-disclosure agreements (NDAs) or if your customers have specific requirements about confidentiality, then you must add this TSC to your SOC 2 scope.
The Confidentiality category consists of two criteria.
These criteria also test your data deletion and removal practices. You should choose Confidentiality if you make commitments to your customers that their data will be deleted on completion of the service or termination of the contract.
SOC 2 Master List of Controls for Processing Integrity
The Processing Integrity category includes five criteria.
Your controls here include policies and procedures to ensure that your system is operating effectively and review processes to ensure the accuracy of the information input into the system or software, to name a few. End-user device security and network security also feature here. If you are using cloud providers like Amazon, you can request an AOC and SOC reports to demonstrate their physical safety and server security controls.
SOC 2 Controls List Excel for Privacy
This TSC requires you to provide notice of privacy practices to relevant parties and promptly update and communicate changes in the use of personal information.
The Privacy criteria details eight categories of requirements.
The Smart Way to Become SOC 2 Compliant
While understanding the SOC 2 requirements and controls list is critical, it perhaps makes up only a third of your compliance journey. The entire process from here on, from defining the scope of your audit to risk assessment, deploying checks to ensure controls, mapping, and evidence collection, is intensive and time-consuming. It can take a chunk of your CTO’s time, and your CTO is already swamped with new releases and meetings.
But when you work with Sprinto, all of this is streamlined and automated in a way that’s error-free, fast, and scalable. Here’s how:
- Logical Approach to Compliance: Sprinto’s approach to compliance is logical and goes from People, Policies, Infrastructure, Code Repos, Incident Management, and Access Control to Documentation. This way, you don’t miss out on any security measures.
- Editable Security Policies: Sprinto provides an editable template of 20+ security policies that make for an easy read and adoption.
- Easy Evidence Collection: Evidence collection and cataloging is automated with Sprinto, saving you hundreds of hours of audit prep time.
- Scalable Solution: Sprinto is built to grow with your organization. From expanding the scope of your audit to adding more frameworks as you grow, Sprinto makes compliance effortless and easy.
- Auditor-friendly: The auditors get all the information they need on Sprinto’s custom Auditor’s Dashboard, making evidence sharing easy for both of you. And unlike most other tools in the market, Sprinto offers 100% case coverage and completely manages the auditor for you.
- Allows for Edge Cases: Unlike other automation players, Sprinto makes allowance for edge cases (for instance, an employee on long leave who couldn’t update their operating system) and lets you mark them as exceptions and temporarily move them out of your audit scope.
- Entity-level Mapping of Controls: Controls mapping is automated with Sprinto, saving you from hours of dreadful work. You can mark production and non-production assets and define the security criteria for each. For instance, you can exclude some of your non-production assets from the purview of the audit.
- Always be Compliant: Sprinto’s continuous monitoring helps you stay compliant at all times and flags lapses, oversights, and vulnerabilities that need fixing. With Sprinto, you can add custom controls, classify your entities and select the evidence you want to share.
Kickstart your SOC 2 compliance journey with Sprinto. Book a free demo here and learn how Sprinto can make your SOC 2 experience effortless and error-free.