If your organization requires Systems and Organizational Controls (SOC) 2 reports to assure your clients their data is protected, get ready for some changes.
The American Institute of CPAs (AICPA) originally developed the Trust Services Criteria for SOC 2 reports to establish clear standards governing how service providers should protect client information. In 2017, the AICPA updated the Trust Services Criteria upon which SOC 2 reports are based to respond to market needs as well as changes in security best practices. These new updates must be implemented for all SOC 2 reports for service organizations with periods ending on or after December 15, 2018, meaning applicable service organizations have a little less than a year to adjust to the new standards.
To understand what has been updated, how it affects your organization, and what you should do to get ready for the changes, we’ve provided the following high-level overview.
Updates to Trust Services Criteria
The Trust Services Criteria include guidance on security, availability, processing integrity, confidentiality, and privacy, and are the basis of SOC 2 audits. The 2017 Trust Services Criteria are based on the NIST, ISO/IEC 27000, HIPAA, and PCI frameworks, and are now fully aligned with the 17 principles of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. These principles target key points related to risk and incident management.
The new updates include an increased focus on the following areas:
- Employee Performance Management
- Addressing Business Risks
- Control Activity Risks
- Information Technology Activities
These changes are mostly aimed at clarifying what may previously have been muddled or redundant, so compliance with these updates should not require a massive overhaul of systems and processes. Still, organizations should plan for the transition to the new Trust Services Criteria.
What You Should Do Now
SOC 2 compliance is a major investment for most organizations, with some entities spending upwards of 6 figures to align their environment with the controls. If you don’t want to spend the time and money on an audit, only to find out you have more work to do to become compliant, it’s important to prepare before the audit occurs.
Whether you are new to SOC 2 compliance, or are already familiar with the Trust Services Criteria and need to comply with the period end date on or after December 15, 2018, it is highly recommended that you do the following prior to your audit:
- Examine the timing of your SOC 2 report issuance date and when the audit will take place. Depending on when your report is typically issued, you may want to complete it early, before the new controls take effect. That way, you can focus on updating your controls for the 2019 report.
- Perform a SOC 2 readiness/gap assessment against the updated Trust Services Criteria controls. While only CPAs can perform the audit and issue the report, reviews and readiness assessments can be conducted by any third-party entity familiar with the standard.
- Highlight areas of noncompliance by comparing your current control activities against the updated Trust Services Criteria controls, and prioritize remediation actions along the most efficient path to compliance.
- Design and implement controls to address the updated Criteria. The earlier you adjust to the new Criteria through planning, identifying gaps, and remediating, the easier the change will be.
We have provided a timeline below to help those organizations who will need to comply this year.
AICPA’s updates to the Trust Services Criteria tell us that the service organization industry, like most other sectors, is focusing more and more on cybersecurity. SOC 2 compliance can be a major competitive advantage. Therefore, by adopting the new standards early, your organization can transform the challenge of this update into an opportunity.