SOC 2 – Changes Effective December 2018

SOC 2 has been updated to meet the needs of a wider-range of Organizations, improve the overall quality and usefulness of the report, and to assist in reporting at an entity-level, rather than for a specific process or system. These updates will also bring a large number of decisions, changes, and enhanced responsibility and accountability to Service Organizations.

Key changes to the standard include:

Services criteria updated to align with the 17 principles in the COSO framework, some include:

Demonstrate commitment to integrity and ethical values
Ensure that board exercises oversight responsibility
Establish structures, reporting lines, authorities and responsibilities
Select and develop control activities that mitigate risks
Select and develop technology controls
Deploy control activities through policies and procedures
Perform ongoing or periodic evaluations of internal controls (or a combination of the two)

Ability to evaluate control effectiveness in examinations of various subject matters, in addition to, those over security, availability, processing integrity, confidentiality, or privacy of information and systems across:

entire entity;
at a subsidiary, division, or operating unit level;
within a function or system; or
a particular type of information used by the entity.

The trust services principles and criteria are now referred to as the trust services criteria, and the principles are now referred to as the trust services categories, to not be confused with the COSO principles.

Information security requirements have been organized more logically and broken down into the following areas:

Logical and physical access controls – the criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access to meet the entity’s objectives addressed by the engagement
System operations – the criteria relevant to how an entity manages the operation of systems and detects and mitigates processing deviations, including logical and physical security deviations, to meet the entity’s objectives addressed by the engagement
Change management – the criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made, to meet the entity’s objectives addressed by the engagement
The trust services criteria also now address risk management, incident management, and certain other areas at a more detailed level than in the past.

Points of focus were added to all criteria to better clarify and help users apply the criteria.

Get Our Emails

SOC Reporting Guide

Popular Resources

Breaking Down SOC 2 CC6.3 Requirements – Controlling Access Control

SOC 2 – CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes,

Are Service Provider Contract Updates Needed with SSAE 18?

While some companies still request a SAS 70 report (why, who knows…), many contracts now require a SSAE 16 report, and with the change to SSAE 18 many are now

Best Practice Strategies for SOC 2 User Access Reviews

User access reviews are a critical control in almost any IT control framework because they help ensure that users have the appropriate level of access to sensitive data and systems.

The SSAE16 Auditing Standard

SSAE 16 is an enhancement to the current standard for Reporting on Controls at a Service Organization, the SAS70. The changes made to the standard will bring your company, and

SOC 1 Report

A SOC 1 Report (System and Organization Controls Report) is a report on Controls at a Service Organization which are relevant to user entities’ internal control over financial reporting. The

SSAE 16 vs ISAE 3402 – Part 1

Introduction SSAE 16 and ISAE 3402 are two widely used auditing standards for service organizations. Many assume SSAE 16 is just the U.S. version of the international ISAE 3402 standard,