SOC 2 Type 2
SOC 2 Type 2
SOC 2 Type 2 is a rigorous framework designed by Certified Public Accountants (AICPA). It is an auditing standard that evaluates the operational effectiveness of an organization’s internal controls.
Control Environment
-
Disciplinary Process - CC 1.1-01
Formal disciplinary process for non-compliance
-
Performance Reviews - CC 1.1-02
Annual performance reviews
-
Policy Review - CC 1.1-03
Annual policy review and approval
-
Security Awareness - CC 1.1-04
Security awareness training program
-
Job Descriptions - CC 1.1-05
Defined job responsibilities
-
New Hire Acknowledgement - CC 1.1-06
Policy acknowledgement for new hires
-
Executive Charter - CC 1.2-01
Executive Management Team Charter
-
Org Chart Review - CC 1.2-02
Annual organizational chart review
-
Security Changes - CC 1.3-01
Communication of security practice changes
-
Vendor Risk Assessment - CC 1.3-02
Annual vendor risk evaluation
-
Vendor Contracts - CC 1.3-03
Standard vendor security agreements
-
Contract Approval - CC 1.3-04
Management review of vendor contracts
-
Policy Review - CC 1.3-05
Annual policy review and approval
-
Job Descriptions - CC 1.3-06
Defined job responsibilities
-
Background Checks - CC 1.4-01
Pre-employment background checks
-
Disciplinary Process - CC 1.4-02
Formal disciplinary process for non-compliance
-
Performance Reviews - CC 1.4-03
Annual performance reviews
-
Policy Review - CC 1.4-04
Annual policy review and approval
-
Security Awareness - CC 1.4-05
Security awareness training program
-
Job Descriptions - CC 1.4-06
Defined job responsibilities
-
Quarterly Control Audit - CC 1.5-01
Quarterly internal control self-assessment
-
Disciplinary Process - CC 1.5-02
Formal disciplinary process for non-compliance
-
Org Chart Review - CC 1.5-03
Annual organizational chart review
-
Performance Reviews - CC 1.5-04
Annual performance reviews
-
Policy Review - CC 1.5-05
Annual policy review and approval
-
Job Descriptions - CC 1.5-06
Defined job responsibilities
Communication and Information
-
Network Monitoring - CC 2.1-01
Network intrusion detection and review
-
Process Monitoring - CC 2.1-02
Process failure monitoring and response
-
Vulnerability Scanning - CC 2.1-03
Monthly vulnerability scanning
-
Penetration Testing - CC 2.1-04
Annual external penetration testing
-
Risk Assessment - CC 2.1-05
Annual enterprise risk assessment
-
Policy Review - CC 2.1-06
Annual policy review and approval
-
Job Descriptions - CC 2.1-07
Defined job responsibilities
-
Quarterly Control Audit - CC 2.1-08
Quarterly internal control self-assessment
-
Customer Commitments - CC 2.2-01
Security commitments in contracts
-
Incident Reporting - CC 2.2-02
Public incident reporting channel
-
Security Changes - CC 2.2-03
Communication of security practice changes
-
Policy Review - CC 2.2-04
Annual policy review and approval
-
Security Awareness - CC 2.2-05
Security awareness training program
-
Job Descriptions - CC 2.2-06
Defined job responsibilities
-
New Hire Acknowledgement - CC 2.2-07
Policy acknowledgement for new hires
-
Security Changes - CC 2.3-01
Communication of security practice changes
-
Customer Commitments - CC 2.3-02
Security commitments in contracts
-
Incident Reporting - CC 2.3-03
Public incident reporting channel
Risk Assessment
-
Policy Review - CC 3.1-01
Annual policy review and approval
-
Job Descriptions - CC 3.1-02
Defined job responsibilities
-
Risk Assessment - CC 3.1-03
Annual enterprise risk assessment
-
Risk Assessment - CC 3.2-01
Annual enterprise risk assessment
-
Vendor Risk Assessment - CC 3.2-02
Annual vendor risk evaluation
-
Vendor Contracts - CC 3.2-03
Standard vendor security agreements
-
Fraud Risk Assessment - CC 3.3-01
Fraud risk assessment
-
Org Chart Review - CC 3.4-01
Annual organizational chart review
-
Policy Review - CC 3.4-02
Annual policy review and approval
-
Risk Assessment - CC 3.4-03
Annual enterprise risk assessment
-
Vendor Risk Assessment - CC 3.4-04
Annual vendor risk evaluation
Monitoring Activities
-
Incident RCA - CC 4.1-01
Incident Root Cause Analysis
-
Access Review - CC 4.1-02
Semi-annual access review
-
Network Monitoring - CC 4.1-03
Network intrusion detection and review
-
Process Monitoring - CC 4.1-04
Process failure monitoring and response
-
Vulnerability Scanning - CC 4.1-05
Monthly vulnerability scanning
-
Penetration Testing - CC 4.1-06
Annual external penetration testing
-
Incident Reporting - CC 4.1-07
Public incident reporting channel
-
Quarterly Control Audit - CC 4.1-08
Quarterly internal control self-assessment
-
Network Monitoring - CC 4.2-01
Network intrusion detection and review
-
Process Monitoring - CC 4.2-02
Process failure monitoring and response
-
Vulnerability Scanning - CC 4.2-03
Monthly vulnerability scanning
-
Penetration Testing - CC 4.2-04
Annual external penetration testing
-
Incident RCA - CC 4.2-05
Incident Root Cause Analysis
-
Disciplinary Process - CC 4.2-06
Formal disciplinary process for non-compliance
-
Incident Reporting - CC 4.2-07
Public incident reporting channel
-
Quarterly Control Audit - CC 4.2-08
Quarterly internal control self-assessment
-
Access Review - CC 4.2-09
Semi-annual access review
Control Activities
-
Network Monitoring - CC 5.1-01
Network intrusion detection and review
-
Process Monitoring - CC 5.1-02
Process failure monitoring and response
-
Vulnerability Scanning - CC 5.1-03
Monthly vulnerability scanning
-
Penetration Testing - CC 5.1-04
Annual external penetration testing
-
Org Chart Review - CC 5.1-05
Annual organizational chart review
-
Policy Review - CC 5.1-06
Annual policy review and approval
-
Risk Assessment - CC 5.1-07
Annual enterprise risk assessment
-
Change Testing - CC 5.2-01
Non-production change testing
-
Source Code Access - CC 5.2-02
Restricted production code promotion
-
Change Approval - CC 5.2-03
Management change approval
-
Change Policy - CC 5.2-04
Formal SDLC and Change Management policy
-
App Admin Access - CC 5.2-05
Restricted application admin access
-
Network Admin Access - CC 5.2-06
Restricted network admin access
-
Separate Admin Accounts - CC 5.2-07
Dedicated administrative accounts
-
User Authentication - CC 5.2-08
Unique user authentication
-
Customer Authentication - CC 5.2-09
External customer authentication
-
Patch Management - CC 5.2-10
Automated patch management
-
Network Monitoring - CC 5.3-01
Network intrusion detection and review
-
Process Monitoring - CC 5.3-02
Process failure monitoring and response
-
Vulnerability Scanning - CC 5.3-03
Monthly vulnerability scanning
-
Penetration Testing - CC 5.3-04
Annual external penetration testing
-
Incident RCA - CC 5.3-05
Incident Root Cause Analysis
-
Performance Reviews - CC 5.3-06
Annual performance reviews
-
Security Changes - CC 5.3-07
Communication of security practice changes
-
Policy Review - CC 5.3-08
Annual policy review and approval
-
Job Descriptions - CC 5.3-09
Defined job responsibilities
Logical and Physical Access Controls
-
Asset Inventory - CC 6.1-01
Asset inventory maintenance
-
Backup Tool Access - CC 6.1-02
Restricted backup tool access
-
Backup Encryption - CC 6.1-03
AES encryption for backups
-
Removable Media - CC 6.1-04
Removable media protection
-
Disk Encryption - CC 6.1-05
Workstation hard drive encryption
-
Database Encryption - CC 6.1-06
Database encryption at rest
-
Build Standards - CC 6.1-07
Server build standards
-
Database Access - CC 6.1-08
Restricted database access
-
Termination Access - CC 6.1-09
Timely access revocation
-
App Password Policy - CC 6.1-10
Application password parameters
-
Net Password Policy - CC 6.1-11
Network password parameters
-
Protocol Modification - CC 6.1-12
Restricted protocol modification
-
VPN Access - CC 6.1-13
Remote access via VPN
-
Data Separation - CC 6.1-14
Logical data separation
-
Azure Portal Access - CC 6.1-15
Restricted cloud portal access
-
App Admin Access - CC 6.1-16
Restricted application admin access
-
Network Admin Access - CC 6.1-17
Restricted network admin access
-
Separate Admin Accounts - CC 6.1-18
Dedicated administrative accounts
-
User Authentication - CC 6.1-19
Unique user authentication
-
Customer Authentication - CC 6.1-20
External customer authentication
-
Cust Admin Approval - CC 6.2-01
Customer admin approval
-
Access Approval - CC 6.2-02
Internal access request approval
-
Access Review - CC 6.2-03
Semi-annual access review
-
Termination Access - CC 6.2-04
Timely access revocation
-
Cust Admin Approval - CC 6.3-01
Customer admin approval
-
Termination Access - CC 6.3-02
Timely access revocation
-
Access Approval - CC 6.3-03
Internal access request approval
-
Access Review - CC 6.3-04
Semi-annual access review
-
Data Center - CC 6.4-01
Azure Data Center reliance
-
Data Purge - CC 6.5-01
Data purging upon termination
-
Hardware Destruction - CC 6.5-02
Hardware destruction approval
-
Retention Standards - CC 6.5-03
Data retention standards
-
Network Defense - CC 6.6-01
Network device deployment
-
Network Monitoring - CC 6.6-02
Network intrusion detection and review
-
Process Monitoring - CC 6.6-03
Process failure monitoring and response
-
Backup Tool Access - CC 6.6-04
Restricted backup tool access
-
Network Admin Access - CC 6.6-05
Restricted network admin access
-
Separate Admin Accounts - CC 6.6-06
Dedicated administrative accounts
-
Protocol Modification - CC 6.6-07
Restricted protocol modification
-
Transit Encryption - CC 6.7-01
Encryption in transit
-
DB Monitoring - CC 6.7-02
Database activity monitoring
-
Backup Tool Access - CC 6.7-03
Restricted backup tool access
-
Backup Encryption - CC 6.7-04
AES encryption for backups
-
Removable Media - CC 6.7-05
Removable media protection
-
Disk Encryption - CC 6.7-06
Workstation hard drive encryption
-
Database Access - CC 6.7-07
Restricted database access
-
Network Admin Access - CC 6.7-08
Restricted network admin access
-
Separate Admin Accounts - CC 6.7-09
Dedicated administrative accounts
-
VPN Access - CC 6.7-10
Remote access via VPN
-
Antivirus - CC 6.8-01
Antivirus deployment
-
Code Scan - CC 6.8-02
Annual static code analysis
-
Source Code Access - CC 6.8-03
Restricted production code promotion
-
Build Standards - CC 6.8-04
Server build standards
-
App Admin Access - CC 6.8-05
Restricted application admin access
-
Network Admin Access - CC 6.8-06
Restricted network admin access
-
Separate Admin Accounts - CC 6.8-07
Dedicated administrative accounts
-
DB Monitoring - CC 6.8-08
Database activity monitoring
Systems Operations
-
Network Monitoring - CC 7.1-01
Network intrusion detection and review
-
Process Monitoring - CC 7.1-02
Process failure monitoring and response
-
Vulnerability Scanning - CC 7.1-03
Monthly vulnerability scanning
-
Penetration Testing - CC 7.1-04
Annual external penetration testing
-
DB Monitoring - CC 7.1-05
Database activity monitoring
-
Code Scan - CC 7.1-06
Annual static code analysis
-
Vulnerability Scanning - CC 7.2-01
Monthly vulnerability scanning
-
Penetration Testing - CC 7.2-02
Annual external penetration testing
-
Incident RCA - CC 7.2-03
Incident Root Cause Analysis
-
DB Monitoring - CC 7.2-04
Database activity monitoring
-
Incident Reporting - CC 7.2-05
Public incident reporting channel
-
Code Scan - CC 7.2-06
Annual static code analysis
-
Network Monitoring - CC 7.2-07
Network intrusion detection and review
-
Cyber Insurance - CC 7.3-01
Cyber liability insurance
-
Network Monitoring - CC 7.3-02
Network intrusion detection and review
-
Process Monitoring - CC 7.3-03
Process failure monitoring and response
-
Vulnerability Scanning - CC 7.3-04
Monthly vulnerability scanning
-
Penetration Testing - CC 7.3-05
Annual external penetration testing
-
Incident RCA - CC 7.3-06
Incident Root Cause Analysis
-
DB Monitoring - CC 7.3-07
Database activity monitoring
-
Policy Review - CC 7.3-08
Annual policy review and approval
-
Incident Reporting - CC 7.3-09
Public incident reporting channel
-
Risk Assessment - CC 7.3-10
Annual enterprise risk assessment
-
Restore Test - CC 7.4-01
Annual data restore test
-
Network Monitoring - CC 7.4-02
Network intrusion detection and review
-
Process Monitoring - CC 7.4-03
Process failure monitoring and response
-
Vulnerability Scanning - CC 7.4-04
Monthly vulnerability scanning
-
Penetration Testing - CC 7.4-05
Annual external penetration testing
-
Incident RCA - CC 7.4-06
Incident Root Cause Analysis
-
DB Monitoring - CC 7.4-07
Database activity monitoring
-
Policy Review - CC 7.4-08
Annual policy review and approval
-
Incident Reporting - CC 7.4-09
Public incident reporting channel
-
Risk Assessment - CC 7.4-10
Annual enterprise risk assessment
-
Cyber Insurance - CC 7.4-11
Cyber liability insurance
-
BC/DR Plan - CC 7.5-01
BC/DR plan documentation and testing
-
Backup Schedule - CC 7.5-02
Daily backups
-
Restore Test - CC 7.5-03
Annual data restore test
-
Incident RCA - CC 7.5-04
Incident Root Cause Analysis
-
Incident Reporting - CC 7.5-05
Public incident reporting channel
Change Management
-
Version Control - CC 8.1-01
Source code version control
-
Asset Inventory - CC 8.1-02
Asset inventory maintenance
-
Change Testing - CC 8.1-03
Non-production change testing
-
Source Code Access - CC 8.1-04
Restricted production code promotion
-
Change Approval - CC 8.1-05
Management change approval
-
Change Policy - CC 8.1-06
Formal SDLC and Change Management policy
-
Build Standards - CC 8.1-07
Server build standards
-
Patch Management - CC 8.1-08
Automated patch management
-
Code Scan - CC 8.1-09
Annual static code analysis
Risk Management
-
Cyber Insurance - CC 9.1-01
Cyber liability insurance
-
BC/DR Plan - CC 9.1-02
BC/DR plan documentation and testing
-
Backup Schedule - CC 9.1-03
Daily backups
-
Restore Test - CC 9.1-04
Annual data restore test
-
Risk Assessment - CC 9.1-05
Annual enterprise risk assessment
-
Risk Assessment - CC 9.2-01
Annual enterprise risk assessment
-
Vendor Risk Assessment - CC 9.2-02
Annual vendor risk evaluation
-
Vendor Contracts - CC 9.2-03
Standard vendor security agreements
-
Policy Review - CC 9.2-04
Annual policy review and approval