More changes are ahead for SOC 2 reports. Initial reporting changes outlined in SSAE No. 18 went into effect on May 1, 2017. Now, two additional significant changes are required after December 15, 2018.
Revisions to Trust Services Criteria
In April 2017, the AICPA issued revisions to the trust services criteria for security, availability, processing integrity, confidentiality, and privacy. Key changes include the following:
- Restructuring and alignment with the COSO 2013 framework. The 2017 trust services criteria are now aligned with the 17 principles in the COSO framework to facilitate their use in an entity-wide engagement. The criteria may be used to evaluate controls across an entire entity; at a subsidiary, division, or operating unit level; within a function or system; or for a particular type of information used by the entity.
- Renaming the trust services principles and criteria. Previously known as the Trust Services Principles and Criteria, the name has been shortened to Trust Services Criteria. The COSO framework uses the term principles to refer to the elements of internal control that must be present and functioning for the entity’s internal control to be considered effective, so the name was updated to avoid confusion in terminology. In addition, the five principles (security, availability, processing integrity, confidentiality, and privacy) are now referred to as the trust services categories.
- The addition of supplemental criteria to better address cybersecurity risks. The 2017 trust services criteria address risk management, incident management, and certain other areas that are increasingly important to information security at a more detailed level than the previous version of the criteria. The new criteria are organized into the following categories—logical and physical access controls, system operations, and change management.
- The addition of points of focus for each criterion. These represent important characteristics of the criteria and were added to provide additional guidance on potential design and implementation of controls. There are nearly 300 points of focus in total; some may not be suitable or relevant to the entity or to the engagement being performed. While the number of points of focus can be overwhelming, it is important to remember they are to be used for guidance and considerations for controls that address the specifics of the criteria, but they are not required.
The new 2017 Trust Services Criteria are required for as-of dates after December 15, 2018 for type 1 examinations, and for periods ending after December 15, 2018 for type 2 examinations.
Revisions to Description Criteria
In February 2018, the AICPA issued revised description criteria for a description of a service organization’s system in a SOC 2 report. There are two major changes to the description criteria you should be aware of.
- Service organizations must be more transparent about service commitments and system requirements. The new description criteria require service organizations to describe their principal service commitments and system requirements in the description. Service commitments are declarations made by service organization management to user entities and others (such as user entities’ customers) about the system used to provide the service. System requirements are specifications for how the system should function to meet service commitments to customers, vendors, and business partners, and to comply with relevant laws, regulations, and guidelines.
This is important, because one of the main purposes of a SOC 2 report is to allow users to make informed decisions about using the services provided by the organization. A clear description of service commitments and system requirements enables users to understand the objectives that drive the operation of the system and gives users a standard against which they can measure the effectiveness of the organization’s controls.
- Service organizations must disclose certain incidents. If an incident occurred during the audit period, or if it affected the service organization’s ability to meet its service commitments or system requirements, the organization is required to disclose the incident.
With that said, the description criteria specifically note that descriptions of incidents should not be so detailed that they provide information that could assist future attackers. Rather, the disclosures are intended to enable report users to understand the nature of the risks faced by the service organization and the impact of those risks when they are realized.
When preparing a description of the service organization’s system as of or after December 16, 2018 (type 1 examination), or a description of the system for periods ending as of or after that date (type 2 examination), the 2018 description criteria should be used.
What Are the Main Implications?
For users, the main implications of these changes are an increase in report clarity and a greater level of transparency between service organizations and their users. For assessors, these changes are likely to result in a more thorough audit. For service organizations, the revisions issued over the past 15 months represent new compliance challenges, which will likely require additional controls, as well as additional effort preparing the system description.
How Can LBMC Information Security Help?
If you want additional guidance on how these updates will affect your organization, or what you can do to prepare for your next SOC 2 audit, we’d love to help. Just click here to contact us to learn more about how we can help you achieve compliance with the updated SOC 2 framework.