Service organizations seek out SOC reports to prove to current and future clients that any data entrusted to the service organization is safe. SOC 2 reports, in particular, provide insights into a company’s security, availability, processing integrity, confidentiality, and privacy—the five Trust Services Criteria (TSC) prioritized by the American Institute of Certified Public Accountants (AICPA). The TSC specifies criteria (rather than a SOC 2 controls list) that guide SOC 2 audit and report generation efforts.
SOC 2 Controls List and Definitions
The TSC is unlike other regulatory compliance frameworks in that it does not prescribe a SOC 2 security controls list that companies need to implement. Instead, it adapts controls from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework into criteria. It also outlines four control areas beyond these, which can be considered SOC controls:
- Logical and physical access controls
- System and operations controls
- Change management controls
- Risk mitigation controls
SOC 2 Logical and Physical Access Controls
The first set of controls measured by the TSC pertains to logical and physical access. These controls include safeguards to monitor and restrict access to sensitive data and any devices or networks on which it is stored, transmitted, or processed. Service organizations need to demonstrate that they’re taking physical and virtual measures to protect data privacy, integrity, and confidentiality.
An example of physical access control is barricading or otherwise restricting access to individual workstations connected to private networks. On the logical side, a robust identity and access management (IAM) program can help ensure that users aren’t accessing files inappropriately.
SOC 2 System and Operations Controls
The next batch of controls comprises system and operations oversight. These criteria pertain to infrastructure’s general efficacy and efficiency, along with how quickly deviations in normal operations can be identified, analyzed, and mitigated—both for physical and logical deviations in security.
One all-encompassing program that addresses these controls effectively is managed detection and response (MDR). An MDR program runs continuous scans for irregularities, comprising:
- Threat detection, trained on indicators of attacks or other incidents
- Incident response protocols for stopping and recovering from attacks
- Root cause analysis to produce insights that inform future prevention
- Regulatory compliance, tailoring responses to any legal requirements
One significant benefit of a comprehensive MDR program is a centralized mitigation dashboard.
SOC 2 Change Management Controls
Third are change management controls, which cover evolving security needs as companies mature and integrate different technologies. Service organizations need to evaluate necessary changes and implement them promptly while preventing undue or inappropriate changes, which could compromise data security or availability.
One impactful solution for this control area is a patch monitoring program. Further, companies can perform internal assessments or contract a managed security services provider to run regular scans for gaps in their cybersecurity architecture. When a gap is identified, it needs to be patched immediately.
SOC 2 Risk Mitigation Controls
The last set of controls to which the TSC applies and a SOC 2 report measures involve risk mitigation. These criteria include all elements of monitoring for, identifying, analyzing, and preventing the losses that could come from risks before they materialize into full-blown attacks or breaches.
The most comprehensive solution for this control area is a threat and vulnerability management program. Similar to MDR, threat and vulnerability management prioritizes visibility into internal vulnerabilities that external threats could exploit. Another critical consideration is third-party risk management (TPRM), which accounts for risks across a network of strategic partners.
Trust Services Criteria (TSC) and SOC 2
While there is no list of SOC 2 controls aside from the specifications detailed above, most of the TSC comprises a list of criteria used to measure a company’s security controls. The criteria loosely correspond to the 17 principles from the COSO framework plus the additional control areas listed above. The TSC breaks down the criteria across five categories:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
The TSC also contains supplemental criteria associated with a specific category and common criteria, spanning all five.
Trust Services Category 1: Security
Security in the TSC framework refers to preventing unauthorized access, use, and disclosure of information across all systems. It also pertains to damage and changes to systems connected to data, including damage or changes that could impact any of the other categories.
Security is distinct from the other four categories in that it does not have any supplemental criteria; only the “common criteria” (CC series) apply. There are nine CC series in total, which apply uniformly across all TSC categories:
- Control environment (CC1)
- Communication and information (CC2)
- Risk assessment (CC3)
- Control monitoring (CC4)
- Control design and implementation (CC5)
Beyond these, CC6 through CC9 correspond to the four kinds of SOC 2 controls detailed above. For all other categories, these criteria apply in conjunction with category-specific criteria.
Trust Services Category 2: Availability
Availability in the TSC framework requires service organizations to ensure seamless access to information and systems needed or used by their clients. The TSC doesn’t prescribe a minimum requirement for uptime. Instead, it requires companies to gauge their functionality and usability needs and design controls to meet or exceed them.
All CC series apply to the Availability category, along with A series criteria that map out standards for measuring usage across all system components and basing thresholds on captured data.
Trust Services Category 3: Processing Integrity
Processing integrity in the TSC framework is relatively straightforward. It requires that service organizations take measures to ensure all system processing operates exactly as expected.
In particular, measures for processing integrity involve:
- Validity and accuracy with respect to legal requirements or industry-wide norms
- Proper authorization from authenticated sources
- Timeliness relative to requests or reasonable expectations
All CC series criteria apply to the Processing Integrity category, along with PI series criteria.
Trust Services Category 4: Confidentiality
Confidentiality in the TSC framework pertains to all information that must be protected to meet a service organization’s and its clients’ needs. A critical exception is personally identifiable information (PII), which generally falls under the Privacy category.
For confidentiality, criteria measure the extent to which a company safeguards its protected information from unauthorized or improper use and disclosure. These protections cover the collection, retention, and disposal of all critical data.
All CC series criteria apply to the Confidentiality category, along with the C series criteria.
Trust Services Category 5: Privacy
Finally, privacy within the TSC framework is similar to confidentiality but applies exclusively to personal information and PII. Like confidentiality, it requires control over all uses and disclosures of personal information. All CC criteria apply, and the additional P series criteria include the following:
- Communication of and notices about objectives
- Communication of choices and guarantee of consent
- Safe collection of personal information, as needed
- Limitations on data use, retention, and disposal
- Guaranteed access to data for data subjects
- Disclosure upon request and breach notification
- Guaranteed quality and up-to-date accuracy
- Continuous privacy monitoring and enforcement
Some data that could be regarded as personal may fall under both confidentiality and privacy controls.
SOC 2 Compliance and Reporting
SOC 2 control areas and criteria pertain to reports that service organizations can generate on the design of their security systems (SOC Type 1) or their operational efficacy (SOC Type 2). There is no SOC 2 Type 2 controls list, per se; instead, the TSC outlines criteria for measuring a company’s controls that apply at a given time for Type 1 or over a duration for Type 2.
To address the question of “what are SOC 2 controls,” the four areas beyond the adapted COSO framework (and to which the label “SOC 2 controls list” most aptly applies) are logical and physical access, system and operations, change management, and risk mitigation controls.