AICPA TSC / SOC 2 Compliance
One of the most common questions we receive is about "What products do I need for SOC 2 certification?" That is a bit of a loaded question, since there are a few missing pieces of information that need to be clarified before we can answer what ComplianceForge product will work best for your your specific needs.
SOC auditors must adhere to specific professional standards established by the AICPA. For companies that undergo “SOC 2 certification” it involves an assessment against AICPA’s Trust Services Criteria (TSC). The good news is the TSC controls maps to most common frameworks (e.g., ISO 27002, NIST 800-53, etc.).
Since Certified Public Accountant (CPA) firms are the only entities permitted to perform a SOC 2 certification, your first step must be to discuss what is in scope for the assessment with the CPA firm you’ve selected. The reason for this is certain control areas might not be applicable to your organization. Most companies do not do ALL of the TSC controls when undergoing a SOC 2 certification. In addition to covering the 17 Committee of Sponsoring Organizations (COSO) principles, the TSC covers dozens of controls associated with designing, implementing and operating controls that cover these functional areas:
- Processing Integrity
The “supplemental criteria” of the TSC also covers these functional areas:
- Logical and physical access controls
- System operations
- Change management
- Risk mitigation
What ComplianceForge Products Support SOC2 Compliance?
When you break down the requirements to comply with this framework, you will see how the products address a specific compliance need:
|ComplianceForge Product||Supports SOC2 / TSC Requirement|
Written Information Security Program (WISP) or
|Vendor Compliance Program (VCP)||
|Cybersecurity Risk Management Program (RMP)||
|Cybersecurity Risk Assessment Template (CRA)|
|Vulnerability & Patch Management Program (VPMP)||
|Cybersecurity Incident Response Program (CIRP)||
|Security & Privacy By Design (SPBD)||
|Cybersecurity Standardized Operating Procedures (CSOP)||
|Continuity of Operations Plan (COOP)||
|Secure Baseline Configurations (SBC)||
|Control Validation Testing (CVT)||
We helped make two different bundles to offer a "near turkey" approach to SOC 2 compliance documentation. When you get into "operational practices" for things like risk management, vulnerability management, continuity of operations, etc., that is where we have quite a few products that come into play. Given that, we made two bundles to simplify the needs to comply with AICPA TSC (SOC 2) compliance needs.
|WISP version||DSP version|
Products Included in Trust Services Criteria (TSC) / SOC 2 Bundles
Written Information Security Program (WISP) or Digital Security Program (DSP)
- The WISP or DSP provide cybersecurity policies & standards in an editable Microsoft Word format.
- The WISP or DSP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
- Under each of the policies are standards that support those policy statements.
Vendor Compliance Program (VCP)
- The VCP addresses the “how?” questions for how your company manages risk with third parties (e.g., service provides, vendors, contractors, etc.).
- This is an editable Microsoft Word document that is essentially a “mini-WISP” document that is intended to be shared with third parties, as compared to sharing detailed policies and standards.
- The VCP contains concise cybersecurity-related expectations that your company expects your third parties to abide by.
- The text from the VCP can be used in a contract addendum or shared as a stand-alone document.
- The VCP helps provide evidence of due care in how your company informs third parties about their cybersecurity obligations.
Risk Management Program (RMP)
- The RMP addresses the “how?” questions for how your company manages risk.
- This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP and DSP policies and standards for managing cybersecurity risk.
- In summary, this addresses fundamental needs when it comes to risk management requirements:
- How risk is defined.
- Who can accept risk.
- How risk is calculated by defining potential impact and likelihood.
- Necessary steps to reduce risk.
- Risk considerations for vulnerability management.
- The RMP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.
Cybersecurity Risk Assessment (CRA) Template
- The CRA supports the RMP product in answering the “how?” questions for how your company manages risk.
- This contains both an editable Microsoft Word document and Microsoft Excel spreadsheet that allows for professional-quality risk assessments.
- The CRA directly supports the RMP, as well as the WISP's policies and standards, for managing cybersecurity risk. It does this by enabling your company to produce risk assessment reports.
Vulnerability & Patch Management Program (VPMP)
- The VPMP addresses the “how?” questions for how your company manages technical vulnerabilities and patch management operations.
- This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP and DSP policies and standards for managing vulnerabilities.
- In summary, this addresses fundamental needs when it comes to vulnerability management requirements:
- Who is responsible for managing vulnerabilities.
- What is in scope for patching and vulnerability management.
- Defines the vulnerability management methodology.
- Defines timelines for conducting patch management operations.
- Considerations for assessing risk with vulnerability management.
- Vulnerability scanning and penetration testing guidance.
- Information Assurance (IA) guidance to support secure engineering activities.
Cybersecurity Incident Response Program (CIRP)
- The CIRP addresses the “how?” questions for how your company manages cybersecurity incidents.
- This is primarily an editable Microsoft Word document, but it comes with Microsoft Excel and Microsoft Visio templates.
- In summary, this addresses fundamental needs when it comes to incident response requirements:
- Defines the hierarchical approach to handling incidents.
- Categorizes eleven different types of incidents and four different classifications of incident severity.
- Defines the phases of incident response operations, including deliverables expected for each phase.
- Defines the Integrated Security Incident Response Team (ISIRT) to enable a unified approach to incident response operations.
- Defines the scientific method approach to incident response operations.
- Provides guidance on how to write up incident reports (e.g., lessons learned).
- Provides guidance on forensics evidence acquisition.
- Identifies and defines Indicators of Compromise (IoC).
- Identifies and defines sources of evidence.
- The CIRP contains “tabletop exercise” scenarios, based on the categories of incidents.
- This helps provide evidence of due care in how your company handles cybersecurity incidents.
- The CIRP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.
Security & Privacy by Design (SPBD)
- The SPBD addresses the “how?” questions for how your company ensures both security and privacy principles are operationalized.
- This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP and DSP policies and standards for ensuring secure engineering and privacy principles are operationalized on a daily basis.
- The concept of “secure engineering” is mandatory in numerous statutory, regulatory and contractual requirements. The SPBD provides a “paint by numbers” approach to ensure your company has evidence of both due care and due diligence for operationalizing security and privacy principles.
- The SPBD is based on numerous frameworks, but the core is NIST 800-160, which is the de facto standard on secure engineering.
Cybersecurity Standardized Operating Procedures Template (CSOP)
- The ISO 27002 version of the CSOP is a template for procedures. This is an expectation that companies have to demonstrate HOW cybersecurity controls are actually implemented.
- This is an editable Microsoft Word document.
- Given the difficult nature of writing templated procedure statements, we aimed for approximately a "80% solution" since it is impossible write a 100% complete cookie cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who/what/when/where/why/how to make it complete.
- The CSOP is mapped to leading frameworks to help with mapping compliance requirements.
Continuity of Operations Program (COOP)
- The COOP addresses the “how?” questions for how your company plans to respond to disasters to maintain business continuity.
- This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP's policies and standards for disaster recovery and business continuity operations.
- The concept of “continuity operations” spans incident response to disaster recovery to business continuity operations. This is a very common requirement in numerous statutory, regulatory and contractual requirements. The COOP provides your organization with the documentation to prove it addresses both disaster recovery and business continuity.
- The CIRP is based on numerous frameworks to provide a holistic approach to DR and BC operations.
Secure Baseline Configurations (SBC)
- The SBC addresses the “how?” questions for how your company securely configures its technology assets, such as system hardening according to CIS Benchmarks, DISA STIGs or vendor recommendations.
- This is an editable Microsoft Word document that provides program-level guidance to direct systems administrators, third-parties and other asset custodians on the expectation to harden operating systems, applications and services.
- The hardening of systems is a basic requirement, but most organization struggle with a way to document the requirements they are using to secure their assets. This is where the SBC comes into play.
- The SBC leverages multiple sources for "industry best practices" and you are able to select what works best for your organization.
Control Validation Testing (CVT)
- The CVT addresses the “how?” questions for how your company performs pre-production testing to ensure that both cybersecurity and privacy principles are built-in by default.
- This is an editable Microsoft Word document that provides program-level guidance to conduct pre-production testing that ties in with existing SDLC/PDLC processes.
- The SBC leverages multiple sources for "industry best practices" and is based on practices used by the US Government for Information Assurance (IA) and Security Testing & Evaluation (ST&E).