Written by: Victoria Caissie
Key Updates to Trust Services Criteria for SOC 2 Reports
Key Takeaways:
- The AICPA’s revised points of focus introduce new control requirements for SOC 2 reports.
- Organizations must create accurate network and data flow diagrams, along with a comprehensive inventory of hardware, for effective system documentation.
- Revised points of focus address asset retrieval and immediate access restriction for terminated remote employees and partners.
- Segregation of duties in change processes is critical to ensure that no one can approve or test their own work.
- The updated criteria emphasize a thorough patch management process, including prompt identification, testing, approval, and verification.
In October 2022, the American Institute of Certified Public Accountants (AICPA) released updated points of focus for the Trust Services Criteria (TSC). This update includes new points of focus for SOC 2 reports, highlighting the best practices organizations should aim for.
Over the past year, we have worked closely with clients to make the adjustments needed to meet these new requirements. For most clients, these updates have been minor, with many already having the necessary controls in place. In this article, we explain the extra controls you might need to implement to comply with the revised points of focus for the following common criteria (CC):
CC2.0 – Communication & Information
The revised points of focus now require organizations to document network and/or data flow diagrams that accurately depict their systems. A network diagram should outline the components supporting the system. Meanwhile, a data flow diagram should show the types of data in use and how it flows between components. These visuals help both internal and external users understand system components and their interactions.
Another new requirement for SOC 2 reports is for service organizations to keep an updated list of physical and virtual hardware components. Many organizations meet this requirement by keeping a comprehensive inventory of hardware and software. The details may vary, but it is important to show auditors that these inventories are accurate and updated regularly.
CC6.0 – Logical & Physical Access Controls
The points of focus also address the shift to remote workforces. Organizations should now consider what processes and controls are in place to recover company assets. This includes recovering computer equipment, badges, and other resources from remote employees, contractors, vendors, and business partners upon termination.
Additionally, organizations should implement controls to restrict both physical and digital access immediately upon termination, even before the individual returns company equipment.
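The inventory requirement under CC2.0 and the offboarding requirement under CC6.0 are both reconciliation problems: HR's termination list, the asset inventory, and the access lists must agree. The script below is an added illustration of such a reconciliation, not code from the article or from the AICPA; every record, name, and system identifier in it is constructed sample data, and the field names are assumptions about what an inventory export might contain. It reports terminated people whose accounts are still enabled (which must be fixed regardless of whether equipment has come back), terminated people with unreturned assets, and inventory entries that have not been re-verified within a chosen window, which is the kind of evidence an auditor asks for when judging whether an inventory is "accurate and updated regularly".

```python
"""Reconcile terminations against asset inventory and access lists.

Added example for SOC 2 CC2.0 / CC6.0 evidence; all data is constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Termination:
    user: str
    effective: str   # ISO date on which access should have ended


@dataclass
class Asset:
    asset_id: str
    kind: str            # laptop, badge, token, ...
    assigned_to: str     # user id, or "" when in stock
    returned: bool
    last_verified: str   # ISO date this inventory entry was last confirmed


@dataclass
class Account:
    user: str
    system: str          # e.g. SSO, VPN, badge system (constructed names)
    enabled: bool


# Constructed sample data (hypothetical users, assets and systems).
TERMINATIONS = [Termination("alice", "2024-03-01"), Termination("bob", "2024-06-15")]
ASSETS = [
    Asset("LT-1001", "laptop", "alice", False, "2024-01-10"),
    Asset("BD-0042", "badge", "alice", True, "2024-03-05"),
    Asset("LT-1002", "laptop", "bob", False, "2024-03-20"),
    Asset("LT-1003", "laptop", "carol", False, "2023-09-01"),
]
ACCOUNTS = [
    Account("alice", "okta", True),          # still enabled after termination
    Account("alice", "vpn", False),
    Account("alice", "badge-system", False),
    Account("bob", "okta", True),            # bob is not yet terminated
    Account("carol", "okta", True),
]


def offboarding_findings(terminations, assets, accounts, as_of):
    """Flag terminated people who still hold access or company assets."""
    findings = []
    for t in terminations:
        if date.fromisoformat(t.effective) > as_of:
            continue  # termination not yet effective
        # Access must be disabled on the effective date, independent of asset return.
        for a in accounts:
            if a.user == t.user and a.enabled:
                findings.append(("ACCESS_STILL_ENABLED", t.user, a.system))
        # Unreturned equipment is tracked separately so retrieval can be evidenced.
        for asset in assets:
            if asset.assigned_to == t.user and not asset.returned:
                findings.append(("ASSET_NOT_RETURNED", t.user, asset.asset_id))
    return findings


def stale_inventory(assets, as_of, max_age_days):
    """Inventory entries not re-verified within max_age_days of as_of."""
    return [
        a.asset_id for a in assets
        if (as_of - date.fromisoformat(a.last_verified)).days > max_age_days
    ]


def report(as_of_iso, max_age_days=90):
    """Run both checks against the constructed data as of a given date."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "offboarding": offboarding_findings(TERMINATIONS, ASSETS, ACCOUNTS, as_of),
        "stale_inventory": stale_inventory(ASSETS, as_of, max_age_days),
    }


if __name__ == "__main__":
    for section, rows in report("2024-04-01").items():
        print(section)
        for row in rows:
            print("  ", row)
```

In practice the three inputs would be exported from the HR system, the asset-management tool, and each identity provider on a schedule, and the resulting findings list (ideally empty) would be retained as evidence for the audit period.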
CC8.0 – Change Management
The final major updates to the points of focus target the change management criteria. The first revision highlights the importance of service organizations enforcing segregation of duties in change management and/or development processes. This ensures no one can approve or test their own work.
The second update adds a stronger focus on patch management for the infrastructure supporting the system. While many auditors already assess patch management, it’s crucial to have a robust process in place. This process should include:
- Timely identification of missing patches
- Thorough testing
- Approval for deployment
- Verification to confirm successful application of each patch
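Both CC8.0 updates can be checked mechanically from records most organizations already keep. The script below is an added example, not code from the article or from any ticketing or patch-management product; the change records, patch identifiers, release dates, and host names are constructed, and the field names are assumptions about what such exports contain. The first check flags any change whose author also tested or approved it, or that lacks a tester or approver altogether. The second compares the set of required patches against what each host reports as installed and classifies each gap as pending or overdue against a patching SLA, which covers both timely identification and post-deployment verification.

```python
"""Segregation-of-duties and patch-verification checks for CC8.0 evidence.

Added example; all records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Change:
    change_id: str
    author: str     # who made the change
    tester: str     # who tested it ("" if no test record exists)
    approver: str   # who approved deployment ("" if no approval record exists)


# Constructed change records (hypothetical ids and names).
CHANGES = [
    Change("CHG-101", "dana", "erin", "frank"),   # clean: three different people
    Change("CHG-102", "dana", "dana", "frank"),   # author tested own work
    Change("CHG-103", "erin", "dana", ""),        # never approved
    Change("CHG-104", "frank", "erin", "frank"),  # author approved own work
]


def sod_violations(changes):
    """Return (change_id, reason) for every segregation-of-duties failure."""
    violations = []
    for c in changes:
        for role, person in (("tester", c.tester), ("approver", c.approver)):
            if not person:
                violations.append((c.change_id, f"missing_{role}"))
            elif person == c.author:
                violations.append((c.change_id, f"author_is_{role}"))
    return violations


# Constructed patch baseline: required patch id -> vendor release date.
REQUIRED_PATCHES = {
    "KB-2024-001": "2024-05-01",
    "KB-2024-002": "2024-05-20",
    "KB-2024-003": "2024-06-10",
}

# Constructed per-host reports of what is actually installed.
HOST_REPORTS = {
    "web-01": {"KB-2024-001", "KB-2024-002", "KB-2024-003"},
    "web-02": {"KB-2024-001", "KB-2024-003"},
    "db-01": {"KB-2024-001"},
}


def patch_gaps(required, host_reports, as_of_iso, sla_days):
    """Map each host with missing patches to [(patch_id, 'pending'|'overdue')].

    A missing patch is 'overdue' once more than sla_days have passed since
    its release date; hosts with nothing missing are omitted.
    """
    as_of = date.fromisoformat(as_of_iso)
    gaps = {}
    for host, installed in host_reports.items():
        missing = []
        for patch_id in sorted(required):
            if patch_id in installed:
                continue
            age = (as_of - date.fromisoformat(required[patch_id])).days
            missing.append((patch_id, "overdue" if age > sla_days else "pending"))
        if missing:
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    print("SoD violations:", sod_violations(CHANGES))
    print("Patch gaps:", patch_gaps(REQUIRED_PATCHES, HOST_REPORTS, "2024-06-20", 30))
```

Running both checks on every deployment and on a fixed patch cadence, and keeping the output, gives the auditor a continuous record rather than a point-in-time sample.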
Strengthening Your SOC 2 Compliance
In light of these updates to the points of focus, organizations striving for SOC 2 compliance should take a close look at their controls to confirm they meet these evolving requirements. While many organizations may already have some of the necessary infrastructure and controls in place, understanding and addressing these revised criteria can strengthen security practices and improve audit readiness.
To learn more about these changes and how your organization should prepare, contact our SOC team today.