
SOC 2 Criteria and Positive Cybersecurity Impacts

February 21, 2019 | Security and Business

In January 2018, the AICPA released detailed guidance on its newest SOC 2 Common Criteria (based on the COSO 2013 Framework for an entity-wide reporting level). The new framework officially went into effect on December 15, 2018. Many organizations, including some of my clients, were early adopters of the new framework and have already benefited greatly from its guidance.

Let’s review the new changes and how they can benefit your cybersecurity model and service organization.

New Incident Reporting Requirements

In the past, service organizations were not required to disclose major information security incidents that occurred during the period covered by the audit, unless the incident occurred as a result of a control failure.

As part of the new requirements, management is now required to include specific information about incidents that (1) occurred as a result of a failure in the design or operating effectiveness of one or multiple controls or (2) upon occurrence resulted in the company not being able to meet service commitments and system requirements.

The AICPA says that security incidents should include the following information:

  • Nature or description of the incident
  • Timing related to the incident (when the incident occurred)
  • The consequence and impact the incident will have on the service organization and its users, and any disruption to service commitments and system requirements

The largest benefit is that service organizations will be required to be explicitly transparent in their reports about incidents and how they were handled. If incidents were handled properly, this added transparency can maintain trust in the organization and showcase company strength to potential new customers.

Increased Risk Assessment and Management Requirements

With an increased focus on risk management, the new criteria highlight the need for risk assessments to align with business objectives.

Regular, ongoing, and meaningful risk assessments aligned to business objectives will allow your company to take control of inherent and potential risks at every level of the organization.

From our perspective, we’ve noticed that companies that perform internal risk assessments frequently are less likely to encounter major incidents or issues during the period. We believe this is because management has taken an active (rather than passive) role in risk assessment, management, and acceptance, and knows the company better as a result.

Vendor Management Requirements

Given the connectivity of services and service organizations’ reliance on vendors for cloud services (e.g., Amazon Web Services, Azure), companies must identify and assess the effect the delivery of services may have on users. At the very least, the service organization should monitor its vendors’ services and controls to ensure the service organization can meet its customer commitments.

Maintaining an agile vendor management system that is regularly reviewed by management allows key processes and internal changes to occur while minimizing the negative impact on customers.

The AICPA is currently developing its SOC for Vendor Supply Chain framework with an expected release in Q2 2019. We can expect to see stricter requirements for service organizations upon its release. This will lead to additional expectations from customers considering today’s reliance on cloud-based services.

In Closing

Although it’s still early on in the required use of the new framework in reporting, we’re hopeful that internal risk assessment enhancements and incident management requirements will allow companies to better manage and report their risk resilience to their customers.
