SOC 2 has been updated to meet the needs of a wider range of organizations, to improve the overall quality and usefulness of the report, and to support reporting at the entity level rather than only for a specific process or system. These updates also bring a large number of decisions and changes, along with enhanced responsibility and accountability, to service organizations.
Key changes to the standard include:
The trust services criteria have been updated to align with the 17 principles in the COSO framework; these principles include:
- Demonstrate commitment to integrity and ethical values
- Ensure that board exercises oversight responsibility
- Establish structures, reporting lines, authorities and responsibilities
- Select and develop control activities that mitigate risks
- Select and develop technology controls
- Deploy control activities through policies and procedures
- Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
Ability to evaluate control effectiveness in examinations of various subject matters, in addition to those over the security, availability, processing integrity, confidentiality, or privacy of information and systems, at any of the following scopes:
- the entire entity;
- a subsidiary, division, or operating unit;
- a function or system; or
- a particular type of information used by the entity.
The trust services principles and criteria are now referred to as the trust services criteria, and the former principles (security, availability, processing integrity, confidentiality, and privacy) are now referred to as the trust services categories, so that they are not confused with the COSO principles.
Information security requirements have been organized more logically and broken down into the following areas:
- Logical and physical access controls – the criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access to meet the entity’s objectives addressed by the engagement
- System operations – the criteria relevant to how an entity manages the operation of systems and detects and mitigates processing deviations, including logical and physical security deviations, to meet the entity’s objectives addressed by the engagement
- Change management – the criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made, to meet the entity’s objectives addressed by the engagement
The trust services criteria also now address risk management, incident management, and certain other areas at a more detailed level than in the past.
Points of focus have been added to all criteria to clarify them and help users apply the criteria.