SOC 2 Criteria: Change Is Coming - And You Can Have a Voice

Jeff Cook, SOC Director, Coalfire

SOC 2 reports are an important tool service providers use to give their customers assurance about their service's security, availability, processing integrity, confidentiality and privacy by describing the service and the controls in place to support it. SOC 2 examinations are conducted by independent CPA firms such as Coalfire Controls, LLC and other credible firms. Periodically, the American Institute of CPAs (AICPA) reviews the standardized criteria used in a SOC 2 examination and updates them to keep the examination relevant and to ensure it continues to provide rigorous assurance for customer organizations.

The AICPA is currently in the process of such a review, and as part of that review the public is encouraged to read an exposure draft of the new guidelines and provide feedback. As a part of the working group providing input to the revised guidelines, I would like to draw our readers' attention to some of the more salient changes and encourage service providers and organizations to read the exposure draft, understand the changes, and provide feedback to the AICPA if they have concerns or input.

Many of the elements of the criteria were taken from the recently published SOC for Cybersecurity guide from the AICPA. The exposure draft contains both the criteria for a system description and implementation guidance for each criterion.

Some of the new criteria to take note of include:

  • Describing principal service commitments and system requirements – the commitments made to report users and the requirements the system must meet to fulfill those commitments
  • Reporting of incidents – describing system incidents (impairments of the system) for the 12 months prior to the report date, including the: a) nature; b) timing; and c) extent of the incidents
  • Subservice organizations – greater detail on who the subservice organizations are and what they do to help the service organization meet its objectives

The reporting of incidents over a 12-month window is a significant change, which may or may not be of concern to service providers (especially for a type 1 report, which otherwise describes the system as of a single point in time). The exposure draft is open for public comment until September 7, 2017, and you can have a voice by commenting on the draft using the process described on page 5 of the Guide for Respondents. The AICPA is looking for responses on the following:

  • Is any description criterion or implementation guidance irrelevant or otherwise unnecessary?
  • Is any description criterion or implementation guidance missing?
  • Would any description criterion or implementation guidance result in disclosure of information that would increase the risk of a security event?
  • Do you have any concerns about the measurability of any of the description criteria or implementation guidance?

SOC 2 reports are important both for service providers, to assure their customers, and for customers, to be confident in the services they purchase. Reviewing the SOC 2 description criteria is also a necessary part of keeping the process relevant in a continually changing cybersecurity and technology landscape. As providers and consumers, I encourage you to play an active role in the process. As a contributor to the development of this exposure draft, I also welcome any questions you may have; please feel free to email me.
