SOC 2 reports are an important tool service providers use to give their customers assurances about their service’s security, compliance, privacy, availability, confidentiality and processing integrity by providing details about the service and the related controls that are in place. SOC 2 examinations are conducted by independent CPA firms such as Coalfire Controls, LLC and other credible firms. Periodically, the American Institute of CPAs (AICPA) reviews the standardized criteria used in a SOC 2 examination and makes updates to keep the process relevant and assure it is providing stringent measures for customer organizations’ peace of mind.
The AICPA is currently in the process of such a review—and as a part of that review, the public is encouraged to review an exposure draft of the new guidelines and provide feedback. As a part of the working group providing input to the revised guidelines, I would like to draw our readers’ attention to some of the more salient changes and encourage service providers and organizations to read the exposure draft, understand the changes, and provide feedback to the AICPA if they have concerns or input.
Many of the elements of the criteria were taken from the recently published SOC for Cybersecurity guide from the AICPA. The exposure draft contains both the criteria for a system description as well as implementation guidance for each of the criteria.
Some of new criteria to take note of include:
- Describing principal service commitments and system requirements – what are the commitments made to report users and what are the requirements of the system to meet those commitments
- Reporting of incidents – describing system incidents (impairment of the system) for the prior 12 months (from the report date) including the: a) nature; b) timing; and c) extent of incidents
- Subservice organizations – greater detail in the reporting of who the subservice organizations are and what they are doing to help service organizations meet objectives
The reporting of incidents for a 12-month window is a significant change, which may or may not be of concern to service providers (especially for a type 1 report). The exposure draft is open for public comment until September 7, 2017, and you can have a voice by commenting on the draft using the process as described on page 5 of the Guide for Respondents. The AICPA is looking for responses on the following:
- Is any description criterion or implementation guidance irrelevant or otherwise unnecessary?
- Is any description criterion or implementation guidance missing?
- Would any description criterion or implementation guidance result in disclosure of information that would increase the risk of a security event?
- Do you have any concerns about the measurability of any of the description criterion or implementation guidance?
SOC 2 reports are important for both service providers to assure customers, and for customers to be confident in the services they purchase. Reviewing the SOC 2 description criteria is also a necessary part of keeping the process relevant in a continually changing cybersecurity and technology landscape. As providers and consumers, I encourage you to play an active role in the process. As a contributor to the development of this exposure draft, I also welcome any questions you may have—please feel free to email me at Jeff Cook.