In this blog post, the Securis360 GRC team explains the 2022 revisions to the SOC 2 points of focus and their impact on organizations pursuing or maintaining a SOC 2 compliance program.

Contents:

  • What Are the Trust Services Criteria?
  • How Are the Trust Services Criteria Relevant for SOC 2 Examinations?
  • What Are the Points of Focus of the Trust Services Criteria?
  • What Were the Updates to the Points of Focus?

In 2022, the American Institute of Certified Public Accountants (AICPA) revised the points of focus for the SOC 2 trust services criteria. This article explores these revisions and their implications for organizations pursuing or maintaining a SOC 2 compliance program.

What Are the Trust Services Criteria?

The trust services criteria are standards established by the AICPA’s Assurance Services Executive Committee (ASEC) to evaluate and report on controls related to security, availability, processing integrity, confidentiality, and privacy—the trust services categories.

These criteria define the outcomes organizations’ controls should achieve to meet their objectives. The trust services criteria are categorized as:

  • Common Criteria: The security criteria (the CC series), which apply to all five trust services categories.
  • Additional Criteria: Category-specific criteria that apply only when availability, processing integrity, confidentiality, or privacy is in scope.

How Are the Trust Services Criteria Relevant for SOC 2 Examinations?

SOC 2 examinations assess the design (Type 1, at a point in time) and, for a Type 2 report, the operating effectiveness over a period of an organization’s controls against the trust services criteria. The service auditor expresses an opinion on whether those controls were suitably designed and operating effectively to provide reasonable assurance that the organization’s service commitments and system requirements were achieved; the opinion is one of reasonable assurance, not a guarantee.

The trust services criteria serve as the foundational framework for conducting SOC 2 examinations.

What Are the Points of Focus of the Trust Services Criteria?

The points of focus are important characteristics that accompany each trust services criterion, assisting management and auditors in designing and evaluating controls. These points are not prescriptive requirements but offer guidance.

Per the AICPA:

  • The use of trust services criteria does not mandate assessing each point of focus.
  • Organizations can customize points of focus or identify other relevant characteristics based on their unique circumstances.

Points of focus provide valuable insights for achieving compliance objectives while considering the organization’s risks and environment.

What Were the Updates to the Points of Focus?

The AICPA’s updates aim to enhance the applicability of the trust services criteria amidst evolving technologies, threats, and legal requirements. These revisions do not change the criteria themselves but update the points of focus to better guide organizations.

Key updates include:

1. Logical Access Control:

  • Enhanced guidance for modern technologies, such as multi-factor authentication and zero trust architectures.
  • Emphasis on credential creation authorization and periodic access reviews for all user accounts.

2. Configuration Management:

  • Focus on establishing baseline configuration hardening processes.
  • Adoption of infrastructure-as-code practices to maintain and monitor configuration changes.

3. Data Management:

  • Guidance on documenting data flows, maintaining asset inventories, and classifying information assets.
  • Emphasis on managing confidential data retention policies and ensuring data is retained only as needed.

4. Third-Party Risk Management:

  • Highlights the importance of assessing vendor risks, such as security vulnerabilities and operational disruptions.
  • Encourages periodic evaluations of vendor performance against security and regulatory expectations.

5. Privacy:

  • Clarification on privacy requirements for data controllers versus data processors.
  • Emphasis on appointing Data Protection Officers, implementing privacy by design, and maintaining personnel awareness.
  • New guidance on secure software development and managing data subject rights.
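The periodic-access-review point under item 1 is the kind of control that is easiest to evidence when the review is scripted rather than done by hand. The following is an added example written for this post; it is not code from the original article, from Securis360, or from the AICPA. It cross-checks an identity-provider account export against an HR roster and a list of approved provisioning tickets, and reports the exceptions a reviewer acts on. The account fields, employee IDs, ticket identifiers and the 90-day dormancy threshold are all constructed assumptions, not any vendor's export format or a threshold the points of focus prescribe.

```python
"""Periodic user-access review as an automated check.

Added example, not part of the original post. Cross-checks an identity
provider's account export against an HR roster and a list of approved
provisioning tickets and reports the exceptions a reviewer acts on:
owners missing from HR or terminated, accounts created without an approved
ticket, privileged human accounts without MFA, service accounts with no
accountable owner, and dormant accounts. All inputs are constructed sample
data; field names and the ticket scheme are assumptions, not a real format.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                  # employee id; empty string marks a service account
    privileged: bool
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account has never logged in
    ticket: str                 # ticket that authorized creation; empty if unknown


# Constructed sample data (hypothetical employee ids, tickets and accounts).
HR_ROSTER: Dict[str, str] = {"E100": "active", "E101": "active", "E102": "terminated"}
APPROVED_TICKETS = {"CHG-1", "CHG-2", "CHG-3"}
ACCOUNTS: List[Account] = [
    Account("alice", "E100", True, True, date(2024, 5, 1), "CHG-1"),
    Account("bob", "E101", False, False, date(2024, 4, 30), "CHG-2"),
    Account("carol", "E102", True, True, date(2024, 3, 1), "CHG-3"),
    Account("svc-backup", "", True, False, date(2024, 1, 1), ""),
    Account("dave", "E103", False, True, None, "CHG-9"),
]
AS_OF = date(2024, 6, 1)  # review date (constructed)


def review_accounts(accounts, roster, approved_tickets, as_of, dormant_days=90):
    """Return {username: [exception codes]} for accounts that need action."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if acct.owner:
            # Human account: owner must exist in HR and still be active.
            status = roster.get(acct.owner)
            if status is None:
                issues.append("no-hr-record")
            elif status != "active":
                issues.append("owner-terminated")
            if acct.privileged and not acct.mfa_enrolled:
                issues.append("privileged-without-mfa")
        else:
            # Service accounts are reviewed too; each needs an accountable owner.
            issues.append("service-account-no-owner")
        if acct.ticket not in approved_tickets:
            issues.append("unauthorized-creation")
        if acct.last_login is None or acct.last_login < cutoff:
            issues.append("dormant")
        if issues:
            findings[acct.username] = issues
    return findings


def review_summary(findings):
    """Count exceptions by code; this is the figure recorded as review evidence."""
    counts: Dict[str, int] = {}
    for issues in findings.values():
        for code in issues:
            counts[code] = counts.get(code, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed sample data."""
    return review_accounts(ACCOUNTS, HR_ROSTER, APPROVED_TICKETS, AS_OF)


if __name__ == "__main__":
    result = run_review()
    for user, issues in sorted(result.items()):
        print(f"{user}: {', '.join(issues)}")
    print(review_summary(result))
```

The point of keeping the exception codes machine-readable is that each code maps to a remediation owner (HR offboarding, the provisioning process, the MFA policy) and the counts per run become the evidence trail that the review actually happened on schedule, which is what the points of focus ask management to be able to show.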

Implications of These Revisions for Your Organization

Whether preparing for your first SOC 2 examination or maintaining continuous compliance, understanding these revisions is crucial. While the trust services criteria remain unchanged, the updated points of focus provide an opportunity to revisit your risk assessment processes. Organizations should:

  1. Evaluate risks based on the updated points of focus.
  2. Identify gaps in existing controls and address newly identified risks.
  3. Use the updated guidance to align their controls with evolving industry standards.

The revisions emphasize the importance of “back to basics” compliance—aligning risk management with organizational objectives.

How Securis360 Can Help

Securis360’s SOC 2 framework has been updated to incorporate the 2022 revisions to the points of focus. Our proprietary control library reflects modern technologies and evolving best practices, offering enhanced controls in areas like:

  • Software composition analysis
  • Static application security testing
  • Phishing simulations
  • Cloud deletion protection
  • Cryptographic key and secret management

Our solutions help organizations evaluate and implement controls tailored to their own objectives, streamlining compliance efforts and reducing compliance fatigue.

For more SOC 2 and GRC resources, explore Securis360’s comprehensive library. Together, we’ll navigate the complexities of compliance with confidence.