Comprehensive Guide to SOC 2 Controls List

For now, let’s forget about SOC 2 and try to understand what control is. Control is a way of making sure something is done correctly or that something is prevented from happening. In simple terms, it means a measure that is taken to achieve a desired outcome. For instance, a password policy that requires users to create strong passwords and change them regularly is a control to prevent unauthorized access to systems and data.

What Are SOC 2 Controls?

Now, SOC 2 (Systems and Organizations Controls 2) represents a set of requirements, procedures, and policies that organizations must implement to comply with the SOC 2 framework. The SOC 2 framework was designed by the American Institute of Certified Public Accountants (AICPA) to help service organizations demonstrate to their customers that they have implemented effective controls to protect their data.

The SOC 2 framework consists of five Trust Services Criteria (formerly Trust Service Principles) organized into 64 individual requirements. These 64 individual requirements are not the ‘controls’ rather, controls are the security measures you put in place in your service organization ‌to satisfy these individual requirements. 

To assess whether these controls are designed and operating perfectly, an auditor independently prepares a SOC 2 audit report. This report will include the auditor’s opinion on whether the organization meets the SOC 2 criteria for the trust services principles it chose to report on.

So, instead of having customers invest time and resources to inspect the security measures and systems in place to protect their data in your SaaS company, you can simply provide customers with a copy of your SOC 2 report, which details the controls in place to protect their data.

A Detailed SOC 2 Controls List

The SOC 2 controls list is a complete set of control goals that companies can use to meet the SOC 2 standard. The list is organized by the five trust service principles and includes specific requirements explained as follows 

SOC 2 Controls for Security

SOC 2 security controls are those measures an organization takes to protect its systems and data from unauthorized access, use, disclosure, disruption, modification, or destruction. Security is the basic requirement/criteria for SOC 2 compliance. When your customers or prospects ask for your SOC 2 report, they are more concerned about security. They want to know what effective control measures you have implemented in your service organization to protect their data.

• Are your systems secure? 
• Do you implement security best practices in your systems?
• Why should they trust you with their data? 
• Can you protect their data? 
• Are you vulnerable to breaches? 

Questions like these are what linger in the minds of your customers. The things you put in place to answer these questions are your controls, and a SOC 2 security audit report is prepared to also answer these questions. 

There are a wide variety of security controls that organizations can implement, depending on their specific needs and requirements. Some common examples include:

• Logical access controls: These SOC 2 access controls restrict access to systems and data to authorized individuals. Examples include passwords, multi-factor authentication, and role-based access control.
• Physical access controls: These controls restrict physical access to systems and data. Examples include key cards, security guards, and video surveillance.
• System and operations controls: These controls are meant to assess the security and reliability of systems and data. Some examples include firewalls, intrusion detection systems, and system logs.
• Change management controls: Change management controls help ensure that modifications made to systems and data are by authorized users and have been tested beforehand. Examples include change requests, change approvals, and change testing.
• Risk mitigation controls: Controls like disaster recovery plans, business continuity plans, and security awareness training must be in place to help mitigate risk.

Security controls can be implemented at a variety of levels, including the network level, the system level, and the application level. They can also be preventive, detective, or corrective.

SOC 2 Controls for Availability 

Availability controls are SOC 2 controls that are designed to ensure that your organization’s systems and data are available when needed. They are essential for organizations that rely on their systems and data to conduct business and provide services to their customers.

Some examples of availability controls include:

• System capacity planning: This type of planning aims to provide systems with the right amount of resources needed to meet performance requirements. It involves monitoring system resources and identifying bottlenecks.

• Disaster recovery planning: This type of proactive thinking develops and tests out strategies for recovering systems and data in the event of a disaster.

• Business continuity planning: With the main goal of maintaining business operations if the company ever experiences a disruption, business continuity planning includes identifying critical business processes and developing alternate procedures to avoid downtime.

• Monitoring of systems and networks: This involves monitoring systems and networks for potential problems, such as outages, performance issues, and security threats.

Here are some specific examples of availability controls that service organizations can implement:

• Use load balancers to distribute traffic across multiple servers.
• Implement redundant systems and components.
• Use cloud-based services to provide high availability.
• Have a plan in place to quickly scale up or down systems as needed.
• Regularly test systems and disaster recovery plans.

SOC 2 Controls for Processing Integrity

SOC 2 controls for processing integrity are designed to ensure that systems and data are processed accurately and completely. They are important for organizations that store, process, or transmit sensitive data, such as financial data, healthcare data, or personal identifiable information (PII).

Some examples of SOC 2 controls for processing integrity include:

• Input validation, which involves checking input data for completeness, accuracy, and validity to prevent errors from being introduced into the system.
• Output reconciliation that compares output data to source data to ensure it is complete and accurate.
• Data processing monitoring necessitates an overview of data processing activities and security tools for identifying potential problems, such as errors, omissions, or unauthorized access.
• Data archiving and retrieval controls ensure that data is stored and accessed properly to prevent loss, corruption, or unauthorized access.

Organizations can choose to implement all of the SOC 2 controls for processing integrity or just a subset of them, depending on their specific needs and requirements. The scope of the SOC 2 audit will also determine which controls are assessed.

SOC 2 Controls for Confidentiality

SOC 2 controls for confidentiality are designed to protect customer data from unauthorized access, use, disclosure, disruption, modification, or destruction. They are essential for organizations that store, process, or transmit sensitive data, such as financial data, healthcare data, or personal identifiable information (PII).

• Data encryption controls (e.g., encrypting data at rest and in transit)
• Data access controls (e.g., role-based access control, access control lists, encryption)
• Data disposal controls (e.g., developing data disposal policies and procedures, securely erasing data)
• Data loss prevention controls (e.g., data encryption, access control, data loss prevention software)

SOC 2 Controls for Privacy

Privacy applies to any information that is considered sensitive. SOC 2 requires organizations to communicate their privacy policies to anyone whose customer data they store. If an organization collects any sensitive information, it must:

• Get consent from the person whose information is being collected.
• Only collect the amount of information that is necessary for the specific purpose for which it is being collected.
• Lawfully collect the information.
• Only use the information for the purposes for which it was collected.
• Dispose of the information when it is no longer needed

Organizations can choose to implement all of the SOC 2 controls or just a subset of them, depending on their specific needs and requirements. The scope of the SOC 2 audit will also determine which controls are assessed.

In addition to the above controls, there are several other controls that organizations may want to consider implementing to improve their security, availability, processing integrity, confidentiality, and privacy. For example, organizations may want to implement controls for the following:

• Incident response
• Vulnerability management
• Third-party risk management
• Security awareness training
• Physical security

Not every SOC 2 report must include all five trust services principles. You have to figure out which of these principles applies to your organization and create your controls and SOC 2 report accordingly. 

For example, if you run an organization that provides cloud storage services, you may choose to report on the security, availability, and confidentiality principles. However, an organization that provides payroll processing services may choose to report on the security, availability, processing integrity, and confidentiality principles.

What Is an Example of a SOC 2 Control?

An example of a SOC 2 control is role-based access control (RBAC). RBAC is a security control that assigns users specific roles within an organization and grants them access to resources based on their roles. This helps to ensure that users can only access the resources they need to do their jobs, and it reduces the risk of unauthorized access to sensitive data.

Another example of a SOC 2 control is multi-factor authentication (MFA). MFA is a security measure that requires users to provide two or more factors of authentication to log in to a system or application. This can include a password and a one-time code generated by a mobile app or a biometric factor such as a fingerprint or facial scan. MFA makes it more difficult for attackers to gain unauthorized access to systems and data, even if they have compromised one user’s credentials.

How to Become SOC 2 Compliant

The process of implementing SOC 2 controls can get very complex and overwhelming because of the numerous requirements and the demand for constant monitoring. As a service organization, you need to ensure that your security, availability, processing integrity, privacy, and confidentiality controls are in alignment with the demands of the Trust Service Criteria. 

I.S. Partners delivers specialized SOC 2 audit services, expertly navigating your organization through the compliance procedure, thereby enhancing your competitive advantage in the market. Get in touch today to become SOC 2 compliant.

Get a Quote

FAQs About SOC 2 Controls

SOC 1®, SOC 2® and SOC 3® are registered trademarks of the AICPA (American Institute of Certified Public Accountants). The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.

About The Author

Joe Ciancimino

Joe is a Director in the I.S. Partners SOC practice. He is a Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Controls (CRISC) practitioner and a member of the ISACA Philadelphia Chapter. Joe has been performing IT audit and attestation services for the last 6 years and continues to assist clients in performing a variety of engagements. These include System & Organization Controls (SOC) Reports (SOC 1/SOC 2), Information Technology and Information Systems Audits, IT General Controls / IT Application Controls Testing, ISO/IEC 27001:2013 Internal Audit/Compliance, Internal Audits on a outsourced/co-sourced basis