Good Morningπ
It’s Tuesday and it’s time for our TPRM Tuesday email. Today we will be discussing the many different types of SOC examinations.
π€― Did you know there are additional SOC examinations beyond the traditional SOC1, SOC2, and SOC3 examinations?
π¨ Here is a quick summary of the SOC suite of examinations:
π° SOC1 – Report on Controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR). Intended to provide external parties with assurance over the controls in place that impact external parties’ financial reporting controls.
π SOC2 – Report on Controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. Intended to provide external parties with assurance over the controls in place to protect external parties’ data.
π’ SOC3 – Same as the SOC2, however, the SOC3 report will not include the details of controls and tests performed. Intended to enable a service organization to freely distribute an abbreviated version of the SOC2 report without divulging specific details on the system and controls. Some external parties may not need the specific details to obtain assurance.
πβ SOC2+ – Same as the SOC2, with additional subject matter (e.g. HIPAA, HITRUST, NIST 171, ISO, etc.) also included as part of the audit.
π SOC for Cybersecurity – Report on the effectiveness of an entity’s cybersecurity risk management program. Intended to provide external parties with assurance over the effectiveness of an entity’s policies, processes, and controls designed to protect information and systems from security events and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.
π₯π¨ Entity may choose the control criteria to use as long as the criteria are suitable (ISO27002, NIST 800-53. NIST 800-171, NIST CSF) – they do not need to use trust services criteria.
βSOC for Supply Chain – Intended to provide external parties with assurance over the effectiveness of a manufacturer, producer, or distribution companyβs controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. This could also apply to a software company that provides customers with on-prem solutions.
π€― What will the future bring?!
We are glad to bring you these postings. Please let us know if you have questions and how we can help you continue to have an effective and efficient third party risk management program.
