How to Manage the 2016 SOC 2 Content Update

In our ever-changing technological and corporate environment, it is only natural for standards and best practices to receive regular updates that accommodate both corrections and improvements. That is what recently happened to the American Institute of Certified Public Accountants (AICPA) criteria for the Trust Services Principles (TSP), with the release of a SOC 2 Content Update.

The Trust Services Principles (TSP) cover security, availability, processing integrity, confidentiality, and privacy, and are usually reported on using SOC 2 or SOC 3. The latest guidance from AICPA's Assurance Services Executive Committee (ASEC) updates the TSP.

If your reporting period ends on or after December 15, 2016, you had better get acquainted with the updated guidance: it is mandatory. Early adoption is also permitted, so you may as well go ahead and get the job done against the updated SOC 2 criteria.

Why was the update necessary?

If you are familiar with the TSP, you will remember that the last update, in 2014, introduced the Common Criteria (CC), which apply to all of the principles, as well as specific, incremental criteria for the Availability (A), Processing Integrity (PI), and Confidentiality (C) principles. However, the 2014 revision did not touch the original privacy principle, which kept its older, separate criteria. To put it simply, the idea of the current update is to eliminate the redundant, legacy privacy criteria.

Most changes are clarifications (e.g. Common Criteria CC3.3 was removed, while CC3.1 was clarified). However, the integration of privacy with the Common Criteria and the new confidentiality criteria can have a significant impact on a service organization's control framework, and many service organizations may be caught by surprise if they do not plan ahead.

What changed?

The most significant changes fall into three areas:

  • A new approach to risk management: The updated SOC 2 requires a more specific approach to risk management, including a precise definition of third-party and customer risks and an emphasis on having a process that ensures the identified risks are adequately addressed.
  • New confidentiality criteria: The central point of the new confidentiality criteria is the data lifecycle, and in particular how well you handle data retention and the secure disposal of sensitive information.
  • The restructured privacy criteria: The single most relevant SOC 2 2016 change is the update of the privacy criteria. Forget those overwhelming 64 pages of guidance and welcome the new TSP 100, with eight privacy criteria and a total of 20 control objectives. The eight criteria are:
  1. Notice and Communications of Commitments and System Requirements: Any changes to privacy practices and responsibilities must be adequately communicated.
  2. Choice and Consent: Data subjects must be told what choices they have about how their personal information is collected, used, retained, disclosed and disposed of. Consent must be obtained from the data subject (or an authorized party) and applies only to the specific purposes for which it was given. Any form of implied consent must be documented.
  3. Collection: The way personal information is collected is of great importance and must adhere to privacy commitments and system requirements. Where explicit consent is required, it must be formally communicated.
  4. Use, Retention, and Disposal: The use, retention and disposal of personal information must be secure and consistent with both privacy commitments and system requirements.
  5. Access: Data subjects (once identified and authenticated) can review their personal information and, on request, receive a physical or electronic copy of it. If access is denied for any reason, the reason for the denial must be communicated. Subjects may also provide updated, corrected or new information, which must be communicated to all appropriate parties; if such modifications are not allowed, the reason must again be communicated.
  6. Disclosure and Notification: The disclosure of a data subject's personal information to third parties requires formal permission.
  7. Quality: To ensure information integrity, personal information must be accurate, complete, current and relevant.
  8. Monitoring and Enforcement: There must be a process that ensures inquiries, complaints and disputes from data subjects or any other involved party are adequately received, addressed and resolved. A key point is the continuous monitoring of compliance with privacy commitments and system requirements, ensuring that the required corrections and adjustments are implemented promptly.

How will the updates impact your organization?

Although the update clarifies the criteria and removes redundancy, adding the privacy principle to a SOC 2 report is still a large effort. The new TSP 100 does make the process simpler and more streamlined. For instance, organizations that already comply with other frameworks such as HIPAA or HITRUST will be happy to know that the SOC 2 privacy principle allows a single compliance and audit effort to produce results that can be used for multiple reports.

Overall, the changes coming from the SOC 2 2016 update do not necessarily mean many adjustments for most organizations. Aside from cosmetic changes, in the long run the updates will simplify the reporting process, making it easier to adjust. Reviewing your current controls and reports against the new criteria is the key to being prepared for the updates. If your organization reports on the privacy principle, you will probably find that the updated version allows for greater clarity.

The SOC 2 2016 update reinforces the need to improve your risk management practices continually and to ensure that you identify and manage your risks by regularly performing risk assessments.

As far as updates go, this one is not as disruptive as you might initially have thought. However, since future changes to the TSP are more than likely, one sure way to stay ahead of the game is to recognize that proper controls for cybersecurity risks will be one of your top priorities for the coming years. With that in mind, and a sound risk management process in place, even the most paradigm-breaking update will seem like a breeze.