The Next Challenge in IT Compliance Reporting: SOC2 2017 Trust Services Criteria

In the aftermath of GDPR, the next big change in the IT compliance standards landscape is here. The period of applicability for the new System and Organization Controls for Service Organizations: Trust Services Criteria (the SOC2 2017 Trust Services Criteria) has just begun: all SOC2 reports with an examination period ending on or after 15 December 2018 must be issued under the new criteria.

What is SOC2?
As stated by AICPA, SOC2 reports provide “detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.” Over the past couple of years, there has been an increased awareness around SOC2, with more organizations looking to get a SOC2 report to demonstrate a solid system of controls around the product or service they offer.

Shifting goalposts
Regulatory and standards bodies keep revisiting existing mandates to see whether an update would make them more meaningful, relevant and useful for the consumer. The AICPA has recognized the need for a solid system of internal processes and controls, including monitoring and reporting, to enable a service organization to fulfill its service commitments. Hence the SOC2 criteria have now been modified to include broader entity-level controls around management oversight and risk management processes, as well as additional technical controls that specifically address cybersecurity risks. The Trust Services Principles (security, availability, processing integrity, confidentiality and privacy, the five areas on which reports are issued) are referred to as Trust Services Categories in the update.

The key changes
The earlier set of Trust Services Principles and Criteria is now classified as Trust Services Criteria (TSC) and has been recodified to align with the COSO 2013 framework. Distinct common criteria map to each of the COSO framework's five components and 17 principles. Further, because COSO Principle 12 requires entities to deploy control activities, there are additional common criteria for certain key control areas (logical and physical access, system operations, change management and risk mitigation). As in the past, the common criteria pertain to the security category, and there are additional criteria for each of the other categories. The table below illustrates this.

TSC Ref. #   Criteria / COSO Component                      COSO Principles covered
CC 1.0       Control Environment                            Principles 1-5
CC 2.0       Communication and Information                  Principles 13-15
CC 3.0       Risk Assessment                                Principles 6-9
CC 4.0       Monitoring Activities                          Principles 16-17
CC 5.0       Control Activities                             Principles 10-12
CC 6.0       Logical and Physical Access Controls           Principle 12
CC 7.0       System Operations                              Principle 12
CC 8.0       Change Management                              Principle 12
CC 9.0       Risk Mitigation                                Principle 12
C 1.0        Additional Criteria for Confidentiality        N/A
PI 1.0       Additional Criteria for Processing Integrity   N/A
A 1.0        Additional Criteria for Availability           N/A
P 1.0        Additional Criteria for Privacy                N/A

Staying in line with the COSO framework, each criterion has a list of points of focus (POFs) associated with it. According to the AICPA, the POFs help management implement the right controls. They may also assist both management and the service auditor in evaluating whether the controls were suitably designed and operated effectively to meet the TSC. Note that the POFs are not themselves criteria: an organization is not required to address every POF, but it is expected to consider each one and decide whether it is relevant to the service provided.

The final change worth mentioning here is that, as part of the system description, the service organization is now required to document its service commitments and to disclose any system or security incidents that resulted from a control failure or caused the service organization to fail to meet one of its stated service commitments. This is significant because it requires entities to track every incident that occurs, evaluate its impact and remediate it, so that the disclosure in the report is complete and accurate.

What’s the effect?
From a practical perspective, one important difference is that the earlier version of the standard, the Trust Services Principles and Criteria, specified illustrative controls for every criterion. In the latest update, the AICPA provides no example controls for the TSC. This may well have been a conscious move: with illustrative controls available, there was a temptation to implement just the bare minimum set listed for each criterion and then seek an assurance report. As the AICPA indicates, applying the new TSC requires judgment. The current SOC2 TSC requires service organizations to think critically about each criterion, evaluate the applicability of each of the POFs in the context of the services provided, and identify and implement controls corresponding to every relevant POF. The new SOC2 therefore involves additional time and effort.

Overall, the new SOC2 expands in breadth more than in depth. With its emphasis on cyber risks, the new criteria rightly require a comprehensive risk assessment process, an appropriate mix of controls for risk mitigation (with a focus on incident monitoring and handling) and an overarching corporate governance structure as a crucial layer of defense. The bar for SOC2 has clearly been raised: it now mandates the existence and operation of a well-rounded internal system of controls relevant to each trust services category on which the organization reports.

Author’s note: This post reflects the author’s personal views and does not necessarily reflect the views of any organization of which he is a part.

Written by Varun Prasad, CISA CCSK PMP, Manager – IT Security Compliance, Boeing, India; excerpted from the ISACA Now Blog