Step 2

Based upon the above findings, Risk Crew shall then recommend the specific TSC to be validated in the audit and confirm this with you. At a minimum, SOC 2 reports must include the Security or Common Criteria — any other TSCs selected depend upon your business requirements.

The Trust Services Criteria are selected from the following:

• Security: The system is protected against unauthorised access (both physical and logical). The system is protected from unauthorised access — both physical and logical. Examples of commonly examined SOC 2 security controls are logical access to infrastructure and vital systems such as source code repositories. Additionally, this could include password parameters, network devices configurations, firewalls and physical security controls that protect key infrastructure.
• Availability: The system is accessible for operation and use as intended and agreed. The accessibility criteria require that the organisation have documented business continuity and disaster recovery plan and procedures. Additionally, it requires periodic backups and recovery tests.
• Confidentiality: Information, which is designated as ‘Confidential’ is protected according to policy or agreement. Confidentiality criteria are often mistaken with privacy criteria. Most organisations have a requirement to protect Confidential information that is shared with them by other companies they do business with such as the protection of intellectual property.
• Processing Integrity: System processing is complete, accurate, and authorised. Processing integrity is not involved within SOC 2 as often as the availability and confidentiality TSCs. Processing integrity is usually addressed in systems that process transaction such as payments.
• Privacy: The privacy criteria should be considered when ‘personal information’ is processed, stored or transmitted by the system. It is imperative to note that the privacy criteria applies to personal information. This differs from the confidentiality criteria, which applies to other types of sensitive information.

Step 3

• • • Identify Controls: Identify and document the policy reference that mandates the control, the applicable SOC 2 TSC, the actual control used to ensure the criteria is met, the control’s objective and key performance indicators and associated testing procedures used to verify the effectiveness of the control over time.
    • Mapping: By clearly depicting the relationship between policies and testing you will be able to provide clear evidence that SOC 2 TSCs are being met to your Auditor. Connecting the dots in this way simplifies and streamlines the Auditor’s work providing the essential data needed for the report.

Step 4

• • • Assessment and Remediation: Where controls are insufficient or not present to demonstrate compliance to a selected TSC, Risk Crew shall recommend cost-effective remedial actions to ‘fill the gap’ and demonstrate compliance. We will also recommend controls that are most effective in the people, process or technology.
    • Recommendations: Risk Crew shall provide a recommended policy statement, the applicable TSC, a control, a control objective, KPI and testing procedures to be included in the map described above.

Step 5

Upon completion of the first four steps, Risk Crew shall conduct a workshop with your business’ stakeholders to ensure their understanding of the findings and SOC 2 compliance requirements. The workshop seeks to guide attendees through the steps required to obtain a favourable Type 1, SOC 2 Report.