SOC 2 trust services criteria points of focus
The guide addresses several issues, including that not every point of focus needs to be addressed by a service organization’s controls. Instead, the service organization and auditor should determine if the criteria are materially met by the controls of the service organization. There are also several specific updates to the points of focus.
Definition of board of directors
The definition of board of directors used in the criteria has been clarified, and the guide recognizes that smaller, less complex organizations may meet governance and oversight objectives with a simplified organizational structure.
Common criteria and privacy
The document offers additional guidance on which common criteria have additional points of focus when the Privacy category is in scope for a SOC 2 audit.
Obtaining or generating and using relevant, quality information
Additional points of focus add clarity for meeting common criteria 2.1, which reads, “The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.”
These points of focus are:
- Documenting data flow diagrams
- Managing assets through identification, documentation, and maintenance of records
- Classifying information by relevant characteristics
- Ensuring that information used in performing controls is complete and accurate
- Managing the location of devices, especially those outside the physical security control of the service organization, such as software and data stored on vendor devices or on employee bring-your-own-device (BYOD) equipment
Assess changes in threats
An additional point of focus is offered on assessing changes in threats and vulnerabilities through the risk assessment process.
Logical access
There’s a new point of focus under logical access on considering new or significantly updated architectures and assessing their impact on security prior to implementation.
Physical devices
A new point of focus was added on recovering physical devices when an authorized user no longer requires access to them.
Change management
Clarified guidance was added for the change management points of focus, including segregation of duties, testing of system changes, and managing patch changes.
Identify and assess vulnerabilities
A point of focus was added on identifying and assessing vulnerabilities associated with the use of vendors, business partners, and other third parties.
Data recoverability
A point of focus was added for the service organization to consider data recoverability and threats like ransomware.
Data retention
An added point of focus addresses the retention of confidential information: such data shouldn’t be retained for longer than is necessary to fulfill the identified purpose.
Privacy notices
Further guidance is offered regarding using clear language in privacy notices.
This includes:
- Making notices easily accessible and available
- Reviewing the notice on a periodic basis
- Communicating any changes to the notice
- Retaining prior notices
Data controllers versus data processors
Clear identifiers were added to each point of focus in the privacy criteria to indicate its applicability to data controllers versus data processors.