SOC 2 reporting has seen quite a few changes in the past year in how reports must be presented going forward. The American Institute of Certified Public Accountants (AICPA) replaced the old SSAE 16 standard with SSAE 18, released the 2017 Trust Services Criteria, the new Description Criteria (DC-200), and a new SOC 2 Guide. That is a lot of change in a short amount of time. Many of these changes will clarify reports and make SOC examinations stronger; Coalfire is here to help you navigate the changes and understand how they will affect your reporting.
System Descriptions (Section 3)
Most of what was included in previous system descriptions carries over into the requirements of DC-200. For example, the components of the system used to provide the services still exist as a section in DC-200 and have not changed.
The following is a summary of the new DC-200 sections and what may transfer over from your previous SOC 2 system description (note – SOC 2 system descriptions vary by organization, so your previous description elements may differ).
- Type of Services Provided – should transfer 1:1 from your company overview and/or services provided.
- Principal Service Commitments and System Requirements – should transfer from previously provided commitments and system requirements (see more detail below).
- Components of the System Used to Provide the Services – comprised of your previous components section (infrastructure, software, people, procedures, data) as well as discussions of system boundaries.
- System Incidents – This was not previously required and is a new disclosure. See below for more detail.
- Applicable Trust Services Criteria and Related Controls – consists of the previous “relevant aspects of the control environment, risk assessment, monitoring, and information and communication” as well as “trust services principles, criteria, and related controls.”
- Complementary User Entity Controls (CUEC) – transfers from the old CUECs.
- Subservice Organizations and Complementary Subservice Organization Controls (CSOC) – should be similar to previous discussions of your CSOCs and how you monitored their compliance (vendor management).
- Specific Criteria Not Relevant to the System – same as before if you had this. This section explains to the reader why certain criteria are not applicable to your system, if any are.
- Significant Changes to the System – same as before: describe any significant changes to the system or control environment during the period of a Type 2 engagement.
There is now a greater focus on commitments and system requirements, as well as the addition of significant system incident disclosures. Think of service commitments as what you promise to the customers that use the service. Often these commitments are found in MSAs, SLAs, or other contractual arrangements. For example, if your service guarantees 99.9% uptime, that is an availability commitment. System requirements are what the system must do to meet those commitments (in our example, physical and environmental protections in the data center, redundancy, and so on), and your controls are what you have in place to satisfy those requirements.
For system incidents, the AICPA defines significant incidents as those that: (a) were the result of controls that were not suitably designed or operating effectively to achieve one or more of the service commitments and system requirements; or (b) otherwise resulted in a significant failure in the achievement of one or more of those commitments and system requirements. System incidents should be evaluated for disclosure on a case-by-case basis. The AICPA also states that details of an incident need not be disclosed where doing so would increase the security risk to your organization. A good rule of thumb: if you issued a press release or a mass email to customers notifying them of an incident, it will likely require disclosure.
Criteria and Controls (Section 4)
Like system descriptions, much of the previous Section 4 criteria maps smoothly to the new criteria; a partner can assist you in determining how the mapping applies to your business. The following is a summary of the 2017 Trust Services Criteria and how they map from the old criteria:
- CC1 Series – Control Environment: Mostly carries over from the old CC1 series. The new CC1.2 follows COSO principle 2: the board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. If you already had a board providing that oversight, the new criterion should not be a problem. If you did not have a board, you will need to document who provides oversight of the performance of internal control and how that oversight is independent of the management responsible for the controls.
- CC2 Series – Communication and Information: Carries over from the previous CC2 series.
- CC3 Series – Risk Assessment: Carries over from the previous CC3 series.
- CC4 Series – Monitoring Activities: Carries over from the previous CC4 series.
- CC5 Series – Control Activities: Mostly carries over from parts of the previous CC3 series.
- CC6 Series – Logical and Physical Access Controls: Carries from various parts of the previous CC5 series.
- CC7 Series – System Operations: Mostly carries over from the previous CC6 series.
- CC8 Series – Change Management: Carries over from the previous CC7 series.
- CC9 Series – Risk Mitigation: Carries over from parts of the previous Confidentiality and CC3 series.
- Availability: No changes from the previous series.
- Confidentiality: Most of the old confidentiality criteria are now encompassed by the security (common) criteria; only the old C1.7 and C1.8 remain as the two confidentiality criteria in the 2017 revision.
For the most part, the transition from the old criteria to the 2017 criteria should be a smooth process, with some additional information now required for reporting. The 2017 criteria (TSP section 100 from the AICPA) and, in turn, the new DC-200 description criteria are required for SOC 2 reports with an "as of" date (Type 1) or period end date (Type 2) on or after December 15, 2018.
If you have any questions on the new criteria or how to transition your previous SOC 2 into the new requirements, please feel free to contact me at email@example.com or 703-935-2242.