The SOC2 type II examination assesses an organization's internal controls related to security, availability, processing integrity, confidentiality, and privacy. Here is a list of the criteria for each of these trust service categories, along with some technical recommendations for each one:
- Security
- Criteria: Develop and implement controls to protect against unauthorized access (both physical and logical), ensure system security, and maintain the confidentiality and integrity of information.
- Technical recommendation: Use multi-factor authentication, intrusion detection systems, firewalls, and encryption technologies to secure access to systems and protect against data breaches.
- Availability
- Criteria: Develop and implement controls to ensure that the system is available for operation and use as committed or agreed.
- Technical recommendation: Use load balancing, failover, and disaster recovery technologies to ensure high availability of systems and minimize downtime.
- Processing integrity
- Criteria: Develop and implement controls to ensure that system processing is complete, accurate, timely, and authorized.
- Technical recommendation: Use audit logs, monitoring tools, and automated testing to detect and prevent unauthorized changes to data or system processes.
- Confidentiality
- Criteria: Develop and implement controls to protect confidential information from unauthorized access, use, or disclosure.
- Technical recommendation: Use data classification, access controls, and encryption technologies to protect sensitive data and ensure that only authorized personnel can access it.
- Privacy
- Criteria: Develop and implement controls to protect personal information in accordance with the privacy notice(s) and criteria established by the entity's management.
- Technical recommendation: Use privacy management software to track and manage privacy policies, ensure compliance with regulations such as GDPR and CCPA, and provide user consent management.
In addition to the above categories, SOC2 type II also includes general criteria for management, which include:
- Risk management
- Criteria: Develop and implement a risk management process that identifies, assesses, and manages risks to the achievement of objectives.
- Technical recommendation: Use risk management software to identify and prioritize risks, assess their likelihood and impact, and develop risk mitigation strategies.
- Governance
- Criteria: Develop and implement governance structures and processes to provide oversight, accountability, and direction to achieve the entity's objectives.
- Technical recommendation: Use governance software to define and document governance structures and processes, track compliance with governance requirements, and provide executive reporting.
- Outsourcing
- Criteria: Develop and implement a process to manage the risks associated with outsourcing to service organizations.
- Technical recommendation: Use vendor risk management software to assess the risks associated with outsourcing, establish vendor management processes and controls, and track vendor compliance with contractual obligations.
- Information and communication
- Criteria: Develop and implement a process to capture, communicate, and report relevant information to support the functioning of internal control.
- Technical recommendation: Use information management software to capture, store, and manage relevant information, and provide access to that information to authorized personnel.
- Monitoring
- Criteria: Develop and implement a process to monitor the effectiveness of internal control over time and take necessary corrective action.
- Technical recommendation: Use monitoring and audit software to continuously monitor and report on the effectiveness of internal controls, identify areas for improvement, and track corrective actions.