As we discussed in an earlier post, the primary requirement for a SOC 2 audit is when a company provides services to a third party. As per the AICPA, the SOC 2 consists of the following Trust Services Principles (TSPs):
- Security (also known as Common Criteria)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
The scope for each company will be different per the services provided; however, following policies and procedures are the most common documentation that should form the basis of SOC 2 audit:
- Information Security (IS) Policy
An IS policy provides a holistic view of all the security controls for all the assets – physical or data. The ISP includes procedures for controls for unauthorized users, unauthorized access to data, programs, systems, and the organization’s infrastructure. The ISP may be the most important policy as it forms the basis of all the other policies and controls to be developed. - Access Control Policy
The Access Control Policy includes requirements for authenticating users, authorizing, modifying and removing users and access using the role-based access control. This policy also guides how to provide privileged access and how to treat service accounts. - Password Policy
The policy includes requirements for minimum length, complexity, restricting the use of old passwords, and expiration. This policy also includes requirements for password storage and password requirements for privileged accounts. - Data Classification Policy
A data classification policy dictates how the data should be secured and what controls should be put in place to protect the data. The classification of data helps determine what baseline security controls should be put in place to safeguard the data. - Physical Security Policy
A physical security policy defines the requirements for protecting information and technology resources from physical and environmental threats in order to reduce the risk of loss, theft, damage, or unauthorized access to those resources. - Acceptable Use Policy
This policy dictates how company resources should be used. This policy is applicable for internal employees as well as the contractors. Backup Policy – Information, Software, System - Backup Policy – Information, Software, System
A backup policy defines an organization’s requirements for backup of company data and systems. The backup policy should dictate the extent and frequency of backups per the criticality of the data. - Logging and Monitoring Policy
This policy documents the requirements for logging user activity and the procedures for reviewing the logs. - Risk Assessment Policy
A risk assessment policy documents the procedures for performing periodic risk assessments. The policy includes how the organization identifies potential threats (logical and physical), analyzes the significance of risks associated with the identified threats, and determines the mitigation strategies for the identified risks. The process of identifying the risks and performing control assessments is also called ‘Risk & Control Assessments’. - Change Management Policy
A change management policy documents the procedures for making changes to IT infrastructure and applications. The policy includes the standard processes for requesting, testing and approving changes prior to implementing them into production. - Incident Response Policy
An incident response policy documents the procedures that security personnel should follow when a security incident has been identified. The procedure also includes detection, containment, evaluation, & reporting. - Business Continuity Plan
A business continuity plan is a plan to continue operations if a place of business is affected by different levels of disaster which can be localized short term disasters, to days long building-wide problems, to a permanent loss of a building. It should be noted that the Disaster Recovery Plan (DRP) which mostly deals with is a part of the BCP.
The above post is absolutely applicable for ISO 27001 audit as well.