What’s New with SOC 2?—An Overview of the Revised Security Points of Focus

November 30, 2023 | SOC 2

In October of 2022, the American Institute of Certified Public Accountants (AICPA) released an updated SOC 2 guide that includes critical changes to the popular framework. According to the AICPA, a portion of these changes are focused on providing better support for the application of the five trust services criteria (TSC) that may be applied during a SOC 2 audit—security (required), availability, confidentiality, processing integrity, and privacy.

The AICPA established the five TSCs in 2017 to create a process for issuing SOC 2 reports to organizations that complete a successful SOC 2 audit. Each criteria comes with its own set of unique objectives and a certain number of points of focus, which are examples of how organizations can design and implement their control environments. For instance, the availability TSC includes three points of focus while the privacy TSC includes eight additional points of focus. 

The TSC points of focus are not requirements but act more like guidelines to help you better understand what you can do to meet each criteria. They’re also a good resource for understanding how an auditor will think about each TSC when evaluating and testing your organization’s controls.

While the 2022 SOC 2 revisions, overall, provide clarity on recent and emerging industry topics, one of the most significant changes is adjustments to the security TSC points of focus Let’s take a look at the specific security TSC objectives and the AICPA changes to its points of focus so you can confidently go into your SOC 2 audits under the new revisions.  

Security TSC Points of Focus

Unlike the TSC categories of availability, confidentiality, processing integrity, and privacy, the security TSC is required for all SOC 2 reports. The objective of the security TSC is to ensure that information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.

There are a total of nine security points of focus organizations should adhere to in order to meet the security criteria, including:

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

Organizations should implement at least two to three controls to support each point of focus for the security TSC. That way, if one control fails, the additional control activities still support the criteria and will not result in a qualified opinion

SOC 2 Updates to the Security TSC Points of Focus

Overall, the changes to the SOC 2 points of focus are minimal. If your organization has already identified and mitigated your primary risks, many of the affected controls will already be in place. The adjusted points of focus should only result in new or revised controls if you and your auditor determine that your existing controls do not adequately address the criteria. Additionally, organizations who’ve completed past versions of a SOC 2 audit are not required to update to the new version.

The AICPA states that “The changes to the points of focus in the 2022 revisions do not, in any way, alter the criteria in the 2017 TSC. Such criteria continue to be suitable criteria for use when evaluating controls in any trust services engagement.”

Below is a breakdown of the security TSC points of focus revisions. Let’s dive in.

CC1: Control Environments

The revisions provide additional clarity on information relevant to internal control systems, such as:

  • Asset inventory and location
  • How to classify information
  • Clarity on data flow
  • Certification and accreditation of information used in a system

CC2: Communication and Information

The revisions provide additional guidance on managing and identifying threats to data recovery, creating more effective mitigation strategies, and better aligning with other privacy best practices.

CC3: Risk Assessments

The revisions of the risk assessment points of focus outline a more detailed approach to evaluating risks by defining the components of a risk assessment as identifying threats and vulnerabilities and evaluating the likelihood and impact of a threat intersecting with a vulnerability.

CC6: Logical and Physical Access Controls

Updated points of focus for logical and physical access encourage program participants to evaluate all logical access controls across an organization, including:

  • Infrastructure
  • Types of access (e.g. employee, contractor, vendor, or partner)
  • Device recovery (e.g. laptops and work phones)
  • IT tools
  • System and service accounts

CC7: System Operations

The revisions for system operations and monitoring encourage organizations to consider activities performed by the first and second lines of defense in addition to internal audit functions and other IT assessments historically identified in SOC 2 reports.

CC8: Change Management

Previously, identification, testing, and implementation of software patches and resilience requirements were not included in the change management category, and these have been added as points of focus to provide more clarity.

CC9: Risk Mitigation

The updated points of focus for risk mitigation provide guidance on residual risks that remain after internal controls are in place and management has evaluated whether to accept, reduce, or share risks.

What’s Changed with BARR’s SOC 2 Audit Process?

The good news is, not much! The changes outlined above are updated guidance for organizations and auditors alike. For many, the revisions will have a small impact on audit engagements. Your BARR auditor may ask you to tailor existing controls to cover these changes or provide revised evidence. In other cases, we might determine that new controls are needed to address the revised points of focus.

Either way, BARR is here to help guide you through the process. Organizations operating on the previous version of SOC 2 are not required to update to the new version. However, these revised points of focus have been added to the existing requirements and will be implemented for organizations who would like to adhere or update to the newest version of SOC 2. 

Contact us today for more information on BARR’s attest services and how we can help your organization achieve a successful SOC 2 report.

Let's Talk