If your organization is subject to, or plans to be subject to, a SOC 2 examination, you’ll need to follow the American Institute of Certified Public Accountants (AICPA) guidelines. On October 15, 2022, the AICPA released its updated SOC 2 guide, which details notable changes to the points of focus and the description criteria guidance.
While the official Trust Service Criteria (TSC) list remains unchanged, a few notable changes in points of focus and description criteria may impact your business. This article examines these changes, so continue reading to learn more!
What Is SOC 2?
The SOC 2 guidelines fall under the control of the American Institute of Certified Public Accountants (AICPA). A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reports are restricted-use reports intended to provide detailed information and assurance about controls at service organizations. The testing required by this auditing standard must be performed by an independent CPA firm.
Companies that achieve SOC 2 compliance demonstrate their constant devotion to customer data security, which is critical for businesses seeking to secure commercial contracts.
What Is Changing In the New SOC Control Guidelines?
In October 2022, the AICPA adjusted the SOC 2 control guidance. While the official TSC list remains unchanged, the AICPA changed and clarified the points of focus (POFs) that support the Trust Service Criteria (TSC).
For example, consider the following change in the relationship between a TSC and one of its POFs:
- TSC: The entity implements logical access security software, infrastructure, and architectures to protect information assets, safeguard them from security events, and meet the entity’s objectives.
- POF under TSC CC6.1: Identifies and Authenticates Users
- Previous version: Persons, infrastructures, and software are identified and authenticated before accessing information assets, whether locally or remotely.
- Revised version: The entity identifies and authenticates persons, infrastructure, and software before accessing information assets, whether locally or remotely. The entity utilizes more complex or advanced user authentication techniques, such as multifactor authentication, when such protections are deemed appropriate based on its risk mitigation strategy.
Aside from this, the AICPA expands various POFs in its revised version. While the guidance does not state that organizations must meet every POF, it asks organizations to consider the applicability of each based on facts and circumstances specific to the organization. These revisions include the following:
- Privacy: The AICPA updated these POFs for typical practices, such as disciplinary actions, defined as “A sanctions process is defined, and applied as needed, when an employee violates the entity’s privacy policies or when an employee’s negligent behavior causes a privacy incident.”
- Risk assessment: The revised POFs offer suggestions for evaluating risk by understanding the underlying components of a risk assessment. These include threat and vulnerability identification and the evaluation of the likelihood and magnitude of a threat event intersecting with a vulnerability.
- Logical access: Revisions in this area clarify that organizations should address all types of access, including access by employees, vendors, contractors, and business partners. In addition, the revisions describe periodic user access review, including how the organization reviews for inappropriate system or service accounts.
- Change management: The POF surrounding “deploying system changes” builds on its predecessor by addressing segregation of responsibilities as a method to prevent or detect unauthorized changes. The revised POF also addresses processes designed to identify, evaluate, test, approve, and implement changes to infrastructure and software within a reasonable timeframe.
- Monitoring activities: The POFs describing how the organization “considers different types of ongoing and separate evaluations” were expanded to encourage organizations to take a broader view of what constitutes monitoring. This includes penetration testing, compliance assessments, third-party assessments, and internal audit assessments.
- Availability: A new POF addresses threat identification, data recoverability, and mitigation procedures.
Why Did The AICPA Change SOC 2 Control Guidance?
According to the AICPA, these changes are meant as improvements. Specifically, the revised POFs are intended to better support the application of the TSC. The publication lists four specific reasons behind the revision:
- Constantly changing technologies, threats, vulnerabilities, and other matters that could present additional risks to an organization.
- Addressing data management, including data retention and storage, particularly as it relates to confidentiality.
- Addressing shifts in legal and regulatory requirements and the associated cultural expectations surrounding privacy.
- Distinguishing the points of focus surrounding privacy that may apply solely to organizations that control data from those that apply to organizations that process data.
What Is Changing In SOC 2 System Description Guidance?
In addition to the shifts in SOC 2 control guidance, the AICPA introduced new Description Criteria (DC) guidance covering what the organization’s system description should include. Although the official description criteria are unchanged, the new guidance expands on existing information and offers clarifications and examples.
Examples and clarifications in the updated DC guidance include the following:
- Clarifying when a security incident should be disclosed in the system description: The guidance encourages organizations to determine where the incident originated, including whether it resulted from ineffective controls across the organization’s shared systems. If so, organizations should ask whether other controls would have prevented the breach. If no controls were in place to prevent the system breach, organizations are advised to disclose the incident.
- Emphasis on which tools organizations should include in the software components section of the system description. The tools listed in this section may include monitoring tools, firewalls, intrusion prevention systems (IPS), and tools that automate controls.
Unsure What These Changes Mean For Your Business? Insight Assurance Can Help!
While the fundamentals of the TSC and the official DC remain unchanged, the clarified POFs and expanded DC guidance are essential. These changes can help your organization better meet the information needs of your customers and of the business partners who rely on your SOC 2 report. So, while the changes may require a learning curve, taking them on board is well worth the effort.
If this learning curve seems daunting or you’re new to SOC 2 compliance, we can help! Our talented team at Insight Assurance can clarify confusing points and ensure your business’s security is up to SOC 2 standards. Eager to get started? Fill out our contact form today!