SOC 2 common criteria: Addressing key changes in updated guidance
WHITE PAPER
The AICPA recently released key changes to the service organization control (SOC) 2 guidelines, addressing evolving risks and ways to increase reporting efficiency. Service organizations must understand what the updated guidance demands of them, as well as the framework adjustments needed to address any deficiencies. While the AICPA’s common criteria streamline many processes, they can also create challenges and control gaps if they are not approached properly.
Under the initial SOC 2 criteria, organizations recognized significant overlap in the criteria requirements across the majority of the principles. As service organizations and service auditors adopted the SOC 2 guidance and implemented reporting processes, they found it more efficient to report on a single set of common criteria shared across those principles, supplemented by the additional criteria unique to each principle.
As a result, the AICPA issued TSP Section 100: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy in February 2014. The publication includes guidance for adopting the common criteria, with a mandatory implementation date set for periods ending on or after Dec. 15, 2014.
With the TSP Section 100 guidance, service organizations must re-evaluate their SOC 2 reporting processes, implement any new processes the common criteria require, and mitigate the risks that the transition introduces. A key step in aligning with the common criteria is a readiness assessment that maps existing internal controls to the relevant criteria under the updated AICPA guidance and identifies any criteria left uncovered.