To help service organizations assure their clients that their data is handled safely, the American Institute of Certified Public Accountants (AICPA) has developed several System and Organization Controls (SOC) audits. There are three variations, but SOC 2 is the most common for evaluating whether a company’s security practices are up to par. Another critical component of SOC 2 reporting is SOC 2 common criteria mapping, which shows how the SOC 2 criteria line up with the other compliance frameworks an organization may have to satisfy.
What is SOC 2 Common Criteria Mapping?
Regulatory compliance is one of the most essential areas of cybersecurity, and companies need to ensure they adhere to all applicable requirements—potentially across multiple standards. AICPA provides guidance that maps SOC 2 trust services criteria onto several other frameworks, including:
- SOC 2 to ISO 27001 mapping
- SOC 2 to NIST CSF mapping
- SOC 2 to COBIT 5 mapping
- SOC 2 to NIST 800-53 mapping
- SOC 2 to EU GDPR mapping
Understanding the relationships between SOC 2 and these frameworks simplifies working with the SOC 2 common criteria and supplemental criteria, as you’ll know what is being mapped and how to meet all requirements. It’s also important to note that SOC 2 audits follow the Trust Services Criteria (TSC). Therefore, “SOC 2 common criteria” refers to the TSC specifications used when conducting a SOC 2 audit.
SOC 2 Common Criteria Mapping to ISO 27001
The first framework AICPA maps the SOC 2 criteria onto is ISO/IEC 27001 – Information Security Management. This international standard is widely used outside the US, and any company with a global network of clients should consider ISO 27001 compliance. Its core comprises ten clauses and an Annex that breaks down into 114 controls across 14 groups:
- A.5: Information security (two controls)
- A.6: Security organization (seven controls)
- A.7: Human resources security (six controls)
- A.8: Asset management (10 controls)
- A.9: Access control (14 controls)
- A.10: Cryptography (two controls)
- A.11: Environmental security (15 controls)
- A.12: Operational security (14 controls)
- A.13: Communication security (seven controls)
- A.14: Acquisition and maintenance (13 controls)
- A.15: Third-party security (five controls)
- A.16: Incident management (seven controls)
- A.17: Business continuity (four controls)
- A.18: Regulatory compliance (eight controls)
AICPA’s ISO 27001 mapping spreadsheet charts overlap between these controls and the Trust Services Criteria.
SOC 2 Common Criteria Mapping to NIST CSF
Another widely applicable framework that the TSC maps onto neatly is the Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology (NIST). NIST’s CSF is a comprehensive guide that stipulates protections and best practices for all enterprises and provides the foundation for many other frameworks used by the US government.
At the core of the NIST CSF are five Functions, which break down into 23 Categories:
- Identify (ID)
  - Asset Management (ID.AM)
  - Business Environment (ID.BE)
  - Governance (ID.GV)
  - Risk Assessment (ID.RA)
  - Risk Management (ID.RM)
  - Supply Chain RM (ID.SC)
- Protect (PR)
  - Identity/Access Control (PR.AC)
  - Awareness Training (PR.AT)
  - Data Security (PR.DS)
  - Information Protection Processes and Procedures (PR.IP)
  - Maintenance (PR.MA)
  - Protective Technology (PR.PT)
- Detect (DE)
  - Anomalies and Events (DE.AE)
  - Continuous Monitoring (DE.CM)
  - Detection Processes (DE.DP)
- Respond (RS)
  - Response Planning (RS.RP)
  - Response Communications (RS.CO)
  - Response Analysis (RS.AN)
  - Mitigation Efforts (RS.MI)
  - Response Improvements (RS.IM)
- Recover (RC)
  - Recovery Planning (RC.RP)
  - Recovery Improvements (RC.IM)
  - Recovery Communications (RC.CO)
Each Category breaks down further into subcategories, many of which are based on other frameworks’ controls. AICPA’s NIST CSF mapping spreadsheet maps the TSC across these.
SOC 2 Common Criteria Mapping to COBIT 5
Another prominent cybersecurity framework AICPA maps the SOC 2 common criteria onto is ISACA’s Control Objectives for Information and Related Technologies (COBIT). In particular, the AICPA COBIT mapping spreadsheet maps the TSC onto COBIT 5’s 37 Processes. The Processes are distributed across five Domains, which fall under two categories. The breakdown is as follows:
- Governance (EDM)
  - Evaluate, Direct, and Monitor (EDM): five Processes
- Management (PBRM)
  - Align, Plan, and Organize (APO): 13 Processes
  - Build, Acquire, and Implement (BAI): ten Processes
  - Deliver, Service, and Support (DSS): six Processes
  - Monitor, Evaluate, and Assess (MEA): three Processes
Critically, COBIT 5 (2012) is now out of date, having been superseded by COBIT 2019. Still, AICPA includes it within its dedicated mapping resources. Per ISACA’s comparison of the two COBIT versions, the latter is based upon a six-principle core rather than COBIT 5’s five principles. But both versions share the Domain scheme, with three additional Processes present in COBIT 2019. Mapping SOC 2 onto COBIT 2019 is thus straightforward.
SOC 2 Common Criteria Mapping to NIST 800-53
The CSF isn’t the only NIST framework onto which AICPA maps SOC 2 trust services criteria. It also provides the NIST SP 800-53 mapping spreadsheet to cover the common ground between SOC 2 and Special Publication (SP) 800-53: Security and Privacy Controls for Information Systems and Organizations. SP 800-53 comprises over 300 Controls across 20 Families:
- Access Control (AC-1 – AC-25)
- Awareness Training (AT-1 – AT-6)
- Audit Accountability (AU-1 – AU-16)
- Assessment Monitoring (CA-1 – CA-9)
- Configuration Management (CM-1 – CM-14)
- Contingency Planning (CP-1 – CP-13)
- Identification Authentication (IA-1 – IA-12)
- Incident Response (IR-1 – IR-10)
- Maintenance (MA-1 – MA-7)
- Media Protection (MP-1 – MP-8)
- Physical/Environmental Protection (PE-1 – PE-23)
- Planning (PL-1 – PL-11)
- Program Management (PM-1 – PM-32)
- Personnel Security (PS-1 – PS-9)
- PII Processing Transparency (PT-1 – PT-8)
- Risk Assessment (RA-1 – RA-10)
- System Acquisition (SA-1 – SA-23)
- Communication Protection (SC-1 – SC-51)
- Information Integrity (SI-1 – SI-23)
- Supply Chain Risk Management (SR-1 – SR-12)
These SP 800-53 Controls are also dynamic. Each breaks down into several sub-controls, totaling over 1000 in all, and NIST updates them regularly to account for evolving cybersecurity threats.
SOC 2 Common Criteria Mapping to EU GDPR
Finally, AICPA also maps SOC 2 onto the European Union (EU) General Data Protection Regulation (GDPR) in its EU GDPR mapping spreadsheet. The EU GDPR exists to protect the personal data rights of EU citizens and applies to any company that comes into contact with protected individuals’ data. It’s massive in scale, with 99 Articles across 11 Chapters.
The most critical elements of the EU GDPR break down across its second and third chapters:
- Chapter 2: Principles
  - Article 5: Fair data processing must minimize the extent of identifiability.
  - Article 6: Lawful data processing requires subjects’ consent and necessity.
  - Article 7: Consent should be formal and informed, and it’s subject to withdrawal.
  - Article 8: Children can provide data consent at 16 years old (in most cases).
  - Article 9: Processing of special personal data (e.g., race, ethnicity) must be consented to distinctly.
  - Article 10: Processing of data related to criminal convictions must be consented to distinctly.
  - Article 11: Unidentifiable data may not be restricted by preceding principles.
- Chapter 3: Data Subjects’ Rights
  - Section 1: Rights to transparency and communication modalities, per Article 12.
  - Section 2: Rights to information on data processing (Article 13) or the lack thereof (Article 14), and access to all data pertaining to the subject (Article 15).
  - Section 3: Rights to rectification (Article 16), erasure (Article 17), restrictions (Article 18), change notification (Article 19), and data portability (Article 20).
  - Section 4: Rights to object to processing (Article 21) and automation (Article 22).
  - Section 5: Restrictions on the above rights, subject to applicable laws (Article 23).
Most of these elements map directly onto the TSC, per AICPA’s spreadsheet. All GDPR Articles are accounted for, and the spreadsheet flags where gaps exist between the two frameworks, since GDPR’s scope extends beyond what the TSC covers.
What Are the SOC 2 Common Criteria?
The criteria that AICPA has mapped across all of the above frameworks come from the Trust Services Criteria (TSC) framework used to conduct SOC 1, 2, and 3 audits. The common criteria (CC Series) apply across all five TSC categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
There are nine CC Series subcategories:
- CC1: Control Environment
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
The CC subcategories are based on principles from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. Four TSC categories also have supplemental criteria, each series designated by the initial of its category (A for Availability, PI for Processing Integrity, C for Confidentiality, and P for Privacy), while remaining subject to the CC Series. The Security category has no supplemental criteria beyond those specified in the CC Series.
Professional SOC 2 Compliance Services
If your company is currently preparing for a SOC 2 audit and report, RSI Security’s SOC 2 compliance services offer robust implementation and assessment advisory. Our comprehensive regulatory compliance services suite adds mapping of the SOC 2 common criteria to all the frameworks detailed above, along with any others your company may need to follow.
To get started with mapping and meeting all your requirements, contact RSI Security today!