The 2023 Revisions to SOC 2 Compliance
In 2023, the American Institute of CPAs (AICPA) launched a revision of its SOC 2 standard. This revision focused specifically on security issues and emphasized “points of focus” to boost SOC 2 audits’ ability to address modern security threats.
What Are the 2023 SOC 2 Revisions?
The 2023 revisions to SOC 2 introduced by the AICPA focus on enhancing the interpretive guidance for auditors through updates to the “Points of Focus.” These updates do not alter the Trust Services Criteria established in 2017 but provide additional clarity and relevance to address new technologies, threats, and vulnerabilities. Here’s a summary of the critical updates to the points of focus:
Control Environments and Internal Control Setup
- CC1.3 and CC1.5: These points address newly identified privacy concerns related to organizations’ reporting structures and the disciplinary actions they may take. The revisions guide the setup of internal controls and the management of information classification and architecture, data flows, asset inventories, and more, in order to prevent unauthorized access.
Data Management, Privacy, and Communication with Customers
- CC2.1: This revision focuses on data management and classification.
- CC2.2: This section deals with communication issues related to privacy knowledge and awareness, including the explicit reporting of privacy-based issues.
- CC2.3: Updates requirements for communicating data privacy incidents as defined within the SOC 2 Trust Services Criteria.
Risk Assessments and Vulnerabilities
- CC3.2: Revises how organizations identify vulnerabilities and classify risks to other organizations.
- CC3.4: Updates the criteria for how organizations identify internal and external vulnerabilities as they change over time.
Logical and Physical Access
- CC6.1: Addresses accessing and using confidential information for identified purposes when Confidential TSC is applicable.
- CC6.4: Focuses on the recovery of physical devices.
System Operations and Monitoring
- CC7.3: Addresses the impact on, use of, or disclosure of confidential information in the event of a security incident.
- CC7.4: Defines and executes breach response procedures when physical media is lost or stolen.
Change Management
- CC8.1: Clarifies requirements for patch and change management processes, specifically how to implement changes during test phases without impacting security resilience.
Risk Mitigation
- CC9.2: Defines how to consider risk mitigation when factoring in third-party vendor relationships.
These updates aim to provide organizations and auditors with more precise, relevant guidance for conducting SOC 2 audits in the face of evolving technologies and threats, ensuring a comprehensive data protection and compliance approach.
That said, the revisions aren’t dramatic and shouldn’t require organizations to radically rethink their security or compliance standards. Informed and experienced security partners know these changes and should incorporate them into present and future attestations.
What Are the SOC 2 Security Common Criteria (CC)?
The SOC 2 Security criteria, or the Common Criteria (CC), form the foundation of the SOC 2 audit and apply to all SOC 2 reports. The Common Criteria are organized into several categories, each addressing different aspects of information and systems security.
- CC1: Organization and Management: Ensures that the organization has comprehensive management policies for security, personnel management, and data protection that span the internal organizational structure and relationships with external stakeholders and third-party vendors.
- CC2: Communications and Information: This criterion deals with how the entity communicates the roles, responsibilities, and information associated with system internal control effectiveness. It involves communicating the objectives and responsibilities for internal control to everyone involved before, during, and after incidents.
- CC3: Risk Management: Identification, assessment, and mitigation of the risks to data security.
- CC4: Monitoring Activities: Monitoring consists of continuous or separate evaluations that check whether the five Trust Services Criteria remain met. The system is monitored on an ongoing basis for compliance, and corrective measures are taken whenever deviations require them.
- CC5: Control Activities: This refers to the control activities established to achieve the organization’s objectives and mitigate risks to the internal control system. It involves selecting and developing control activities that reduce the risks to achieving those objectives to acceptable levels, including policies that establish what is expected and procedures that put those policies into action.
- CC6: Logical and Physical Access Controls: This criterion covers the controls over information throughout its lifecycle, that is, protection against unauthorized access, use, or modification. The key point is that an entity’s property and assets must be secured through both physical and logical access controls.
- CC7: System Operations: This area addresses the detection, mitigation, and escalation of incidents that could impact the system’s objectives. It includes managing the system’s operations to ensure the completeness, validity, accuracy, timeliness, and authorization of processes and transactions.
- CC8: Change Management: The process that manages changes to system components, including their development, testing, sign-off, and deployment, and reduces the probability that a change causes harm. Its goal is to ensure that changes do not have negative consequences for security and integrity.
- CC9: Risk Mitigation: Covers the activities related to identifying, selecting, and developing risk mitigation activities arising from potential business disruptions and using vendors and other third parties that support the objectives.
Finalize Your SOC 2 Compliance with Lazarus Alliance
With these new revisions, it’s even more critical to ensure you work with a security company that understands SOC 2 and its bigger and smaller changes in detail.
If you’re looking to kickstart your assessment, contact Lazarus Alliance.