What’s New with SOC 2 Compliance?—An Overview of the Revised Security Points of Focus

November 30, 2023 | SOC 2

In September 2022, the American Institute of Certified Public Accountants (AICPA) released revised points of focus to the 2017 trust services criteria. According to the AICPA, a portion of these changes are focused on providing better support for the application of the five trust services criteria (TSC) categories that may be applied during a SOC 2 compliance audit—security, availability, confidentiality, processing integrity, and privacy. Security is a required TSC for SOC 2, and availability, confidentiality, processing integrity, and privacy may be recommended depending on your organization’s needs.

Each TSC category includes specific criteria along with points of focus, which are important characteristics of each criterion that may assist both management and the practitioner when they are evaluating whether controls were suitably designed and operating effectively to achieve the service organization’s objectives based on the scoped TSCs.

The TSC points of focus are not requirements but act more like guidelines to help you better understand what you can do to meet each criterion and satisfy SOC 2 compliance standards. They’re also a good resource for understanding how a SOC 2 auditor will think about each TSC when evaluating and testing your organization’s security controls during your SOC 2 compliance audit.

The 2022 SOC 2 points of focus revisions, overall, provide clarity on recent and emerging industry topics.

SOC 2 Updates to the Security TSC Points of Focus

Overall, the changes to the SOC 2 compliance points of focus are minimal. The AICPA states that “The changes to the points of focus in the 2022 revisions do not, in any way, alter the criteria in the 2017 TSC. Such criteria continue to be suitable criteria for use when evaluating controls in any trust services engagement.”

Below is a breakdown of the security TSC points of focus SOC 2 changes. Let’s dive in.

CC1: Control Environments

The revisions provide additional clarity on governance, including:

  • Establishing reporting lines and structures (CC1.3)
  • Disciplinary actions and sanctions (CC1.5)

CC2: Communication and Information

The revisions to the points of focus for CC2.1, 2.2, and 2.3 provide additional guidance on information relevant to internal control systems, such as:

  • Asset inventory and location
  • How to classify information
  • Clarity on data flow
  • Complete and accurate information
  • Information and incident communication

CC3: Risk Assessments

The revisions to the risk assessment points of focus outline a more detailed approach to evaluating risks by defining the components of a risk assessment as identifying threats and vulnerabilities and evaluating the likelihood and impact of a threat intersecting with a vulnerability (CC3.2 and CC3.4).

CC4: Monitoring Activities

The revisions to the monitoring points of focus provide additional guidance regarding ongoing and separate evaluations (CC4.1).

CC5: Control Activities

There were no revisions to points of focus.

CC6: Logical and Physical Access Controls

Updated points of focus for logical and physical access (CC6.1 – 6.8) encourage program participants to evaluate all logical access controls across an organization, including:

  • Infrastructure
  • Types of access (e.g. employee, contractor, vendor, or partner)
  • Device recovery (e.g. laptops and work phones)
  • IT tools
  • System and service accounts

CC7: System Operations

The revisions for system operations encourage organizations to consider the impact, use, and disclosure of confidential information (CC7.3).

CC8: Change Management

Points of focus revisions to CC8.1 include identification, testing, and implementation of software patches and system resiliency considerations.

CC9: Risk Mitigation

The updated points of focus for CC9.2 provide additional guidance on the assessment and management of risk, such as considering the evaluation of vulnerabilities arising from vendors and business relationships.

Summary of SOC 2 Compliance Changes

The changes to the SOC 2 points of focus are relatively minor and don’t impact the original trust services criteria (TSC) of security, availability, confidentiality, processing integrity, and privacy.

The revisions to the SOC 2 points of focus primarily provide more detailed guidance across several key areas, including governance, communication, risk assessment, and monitoring. They emphasize clearer reporting structures, better classification and flow of information, and a more structured approach to evaluating risks and security vulnerabilities. Additionally, they encourage evaluation of logical and physical access controls, system operations, and risk management to protect customer data and improve data privacy.

Although there have been updates, these changes do not affect the essential guidelines that organizations should follow when reviewing their controls under SOC 2.

What’s Changed with BARR’s SOC 2 Compliance Audit Process?

The good news is, not much! The changes outlined above are updated guidance for service organizations and SOC 2 auditors alike. For many, the revisions will have a small impact on SOC 2 compliance and audit engagements. As a reminder, let’s review what the SOC 2 attestation process looks like:

The SOC 2 attestation, or SOC 2 examination, is the core process for obtaining your SOC report. After your readiness assessment, you’ll collaborate with your SOC 2 auditor to develop a plan and evaluate your controls through walkthroughs, leading to your final deliverable. The SOC 2 examination typically takes between 3 and 12 months to complete.

To kick off the process, a call is scheduled to align you and your SOC 2 auditor on the scope, timelines, deliverables, and personnel required for the examination. You’ll be responsible for confirming the control wording and drafting your system description. Your auditor will issue information requests based on the agreed scope and controls, typically occurring within 60 to 120 days before the examination period ends.

Next, your SOC 2 auditor will schedule a walkthrough with your team to evaluate the controls against the trust services criteria of security, availability, confidentiality, processing integrity, and privacy and identify any initial issues. BARR leverages efficiencies by reviewing the information requests and control activity you provide through compliance automation software before the walkthroughs to save you time. The duration of these walkthroughs depends on the complexity and size of your environment, but they usually require about four hours.

After the walkthroughs and BARR’s review of your information requests and control activities, you’ve completed your SOC 2 examination. So, what comes next? BARR will provide a draft of your SOC 2 report within 30 days after the examination period concludes. After you review the draft, we conduct a final editorial and quality review before you sign off on the management representation letter.

Finally, BARR presents you with your SOC 2 report, a valuable asset in building customer trust. In fact, BARR’s SOC reporting clients report that our services lead to a 70% reduction in customer compliance questionnaires. We don’t just celebrate your SOC 2 compliance; we also enhance your experience by improving security and outlining next steps for ongoing success.

BARR is here to help guide you through the SOC 2 compliance process. Contact us today for more information on BARR’s SOC 2 attestation services and how we can help your service organization achieve a successful SOC 2 report.