Everything You Need to Know About the Revised Points of Focus for the SOC 2 Trust Services Criteria
In 2022, the American Institute of Certified Public Accountants (AICPA) published revisions to the points of focus for the SOC 2 trust services criteria. In this article, our GRC team tells you everything you need to know about these revisions and their impact on your organization if you are pursuing or currently maintain a SOC 2 compliance program.
What Are the Trust Services Criteria?
The trust services criteria are criteria established by the AICPA’s Assurance Services Executive Committee (ASEC) for use in evaluating and reporting on controls over the security, availability, processing integrity, confidentiality, or privacy (the trust services categories) of information and systems used to provide products or services.
The trust services criteria set forth the outcomes that an organization’s controls should ordinarily meet to achieve the organization’s unique objectives.
The trust services criteria are organized as follows:
Criteria common to all five of the trust services categories (common criteria) and
Additional specific criteria for the availability, processing integrity, confidentiality, and privacy categories.
How Are the Trust Services Criteria Relevant for SOC 2 Examinations?
In a SOC 2 examination, the trust services criteria are used to evaluate the suitability of design and/or operating effectiveness of controls. The SOC 2 auditor ultimately expresses an opinion on whether management's controls were suitably designed and/or operating effectively to provide reasonable assurance that the organization's service commitments and system requirements were achieved, based on the trust services criteria.
Therefore, the trust services criteria are the lens through which the SOC 2 examination is performed.
What Are the Points of Focus of the Trust Services Criteria?
Each trust services criterion is accompanied by points of focus. The points of focus describe important characteristics of the criterion and assist both management and auditors in designing and evaluating controls.
It is important to note that the points of focus are not prescriptive requirements or mandatory controls.
Per the AICPA:
Use of the trust services criteria does not require an assessment of whether each point of focus is addressed.
Some points of focus may not be suitable or relevant to the organization or to the engagement to be performed. In such situations, management may customize a particular point of focus or identify and consider other characteristics based on the specific circumstances of the organization.
Each organization is responsible for establishing its own objectives, assessing the unique risks that may impact the achievement of those objectives, and implementing processes and controls to mitigate those risks to acceptable levels.
The points of focus are helpful guidance for designing, implementing, and evaluating controls to achieve the organization’s objectives based on the trust services criteria. Management and auditors must consider the facts and circumstances of the organization and its environment in actual situations in relation to the organization’s objectives.
What Were the Updates to the Points of Focus?
The updates to the SOC 2 framework were driven by the AICPA to better support the application of the trust services criteria in an environment of ever-changing technologies, threats, vulnerabilities, and other matters that may create additional risks to organizations. Additionally, these updates are intended to better support addressing changing legal and regulatory requirements and related cultural expectations regarding privacy.
It is important to note that these revisions do not alter the trust services criteria in any way. The revisions were made only to the points of focus, which are only guidance or important characteristics of the criteria.
Drata’s GRC team has analyzed these revisions and has summarized some key focus areas below.
Logical Access Control
The revisions to the points of focus include enhanced guidance on implementing logical access controls that address the risks of modern technology infrastructures and services; examples include implementing multi-factor authentication and zero trust architectures.
Additionally, the revised points of focus highlight the importance of authorizing the creation of all types of credentials, reviewing access credentials on a periodic basis for validity—such as accounts of employees, contractors, vendors, and business partner personnel—and identifying any inappropriate system or service accounts.
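The periodic credential review described above can be run as a routine check rather than a manual spreadsheet exercise. The following Python script is an added example, not code from Drata or the AICPA: it cross-checks a constructed identity-provider export against a constructed HR/vendor roster and flags human accounts that are off the roster, lack MFA or have gone stale, and service accounts that have no accountable owner or no authorization record. The account names, roster, review date and thresholds are all assumptions made up for the example.

```python
"""Periodic access credential review (added example; not Drata's or AICPA's code).

Cross-checks an identity-provider account export against the HR/vendor
roster that authorizes each identity. All input below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    kind: str                           # "human" or "service"
    last_login: Optional[date]
    mfa_enabled: bool
    owner: Optional[str] = None         # service accounts: accountable person
    authorization: Optional[str] = None # ticket/record approving creation


# Constructed roster: identities currently authorized by HR / vendor management
ROSTER = {
    "alice": "employee",
    "bob": "contractor",
    "carol": "vendor",
}

# Constructed identity-provider export
ACCOUNTS = [
    Account("alice", "human", date(2024, 5, 2), True),
    Account("bob", "human", date(2023, 11, 1), True),        # stale login
    Account("dave", "human", date(2024, 4, 20), False),      # off roster, no MFA
    Account("carol", "human", None, True),                   # never logged in
    Account("svc-backup", "service", date(2024, 5, 3), False,
            owner="alice", authorization="CHG-1042"),        # constructed ticket id
    Account("svc-legacy", "service", date(2024, 5, 3), False),  # no owner/approval
]

# Constructed review date
AS_OF = date(2024, 5, 6)


def review_accounts(accounts, roster, as_of, stale_days=90):
    """Return (account name, finding) pairs that need human follow-up."""
    findings = []
    cutoff = as_of - timedelta(days=stale_days)
    for acct in accounts:
        if acct.kind == "human":
            if acct.name not in roster:
                findings.append((acct.name, "not on current HR/vendor roster"))
            if not acct.mfa_enabled:
                findings.append((acct.name, "MFA not enforced"))
            if acct.last_login is None:
                findings.append((acct.name, "never used; verify still required"))
            elif acct.last_login < cutoff:
                findings.append((acct.name, f"no login in {stale_days} days"))
        elif acct.kind == "service":
            if acct.owner is None:
                findings.append((acct.name, "service account has no accountable owner"))
            if acct.authorization is None:
                findings.append((acct.name, "service account creation not authorized"))
        else:
            findings.append((acct.name, f"unknown account kind {acct.kind!r}"))
    return findings


def accounts_needing_action(findings):
    """Distinct account names that appear in at least one finding."""
    return sorted({name for name, _ in findings})


def run_review():
    """Run the review over the constructed data with the constructed review date."""
    return review_accounts(ACCOUNTS, ROSTER, AS_OF)


if __name__ == "__main__":
    for name, reason in run_review():
        print(f"{name:12} {reason}")
```

Each finding is evidence for the reviewer to act on, not an automatic disablement; the review record (who reviewed what, when, and the disposition of each finding) is what the auditor will ask for.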
Configuration Management
The revisions to the points of focus include enhanced guidance on baseline configuration hardening and on managing changes to configurations, including establishing standard hardening processes and baselines for information assets and monitoring changes to those configurations.
Using modern configuration management practices, such as infrastructure as code, is an effective way of defining, maintaining, and monitoring changes to baseline configurations.
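Monitoring changes against a hardening baseline is the part of this guidance that is easiest to automate. The following Python script is an added example, not Drata's or the AICPA's code: it parses a constructed sshd_config-style file collected from a host and reports every directive that is missing or differs from a constructed hardening baseline. The baseline values and the sample file are assumptions for the example; in practice the baseline would be the one your own hardening standard defines.

```python
"""Baseline configuration drift check (added example; not Drata's or AICPA's code).

Compares an observed sshd_config-style file against a hardening baseline.
The baseline values and the config text below are constructed samples.
"""

# Constructed hardening baseline: directive -> required value
BASELINE = {
    "Port": "22",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed observed file, as it might be collected from a host
OBSERVED_TEXT = """\
# constructed sshd_config sample
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 6
"""


def parse_config(text):
    """Parse 'Key value' or 'Key=value' lines into a dict keyed by lowercased directive.

    Blank lines and '#' comments are ignored. As in sshd_config, the first
    occurrence of a directive wins, so a later duplicate cannot silently
    override an earlier hardened value.
    """
    observed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if " " in line or "\t" in line:
            key, value = line.split(None, 1)
        elif "=" in line:
            key, value = line.split("=", 1)
        else:
            continue  # directive with no value; nothing to compare
        observed.setdefault(key.lower(), value.strip())
    return observed


def detect_drift(baseline, observed):
    """Return (directive, required, actual) for every baseline directive not met.

    A missing directive is reported with actual=None: the baseline requires it
    to be set explicitly rather than relying on the daemon's default.
    """
    findings = []
    for key, required in baseline.items():
        actual = observed.get(key.lower())
        if actual is None:
            findings.append((key, required, None))
        elif actual.lower() != required.lower():
            findings.append((key, required, actual))
    return findings


def run_check():
    """Run the drift check over the constructed baseline and sample file."""
    return detect_drift(BASELINE, parse_config(OBSERVED_TEXT))


if __name__ == "__main__":
    for directive, required, actual in run_check():
        shown = "not set" if actual is None else actual
        print(f"DRIFT {directive}: required {required}, found {shown}")
```

Run on a schedule and stored with the host identifier and timestamp, the output doubles as the evidence that configuration changes are being monitored, which is what the revised point of focus asks for.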
Data Management
The updated points of focus emphasize the importance of managing data throughout its life cycle, including documenting data flows, maintaining asset inventories, classifying information assets, validating the completeness and accuracy of information, and managing the location and custody of assets.
Additionally, the points of focus add considerations for data classified as confidential, such as data retention policies and procedures, so that confidential data is retained no longer than necessary to fulfill its identified purpose.
Third-Party Risk Management
The updated points of focus emphasize the importance of third-party risk management practices and considering the threats and vulnerabilities that may arise from vendor relationships. Examples of threats arising from relationships with vendors and business partners include those arising from a third-party financial failure, security vulnerabilities, operational disruption, and failure to meet business or regulatory requirements.
Organizations should proactively manage third-party relationships and assess vendor performance against security and performance expectations as frequently as warranted, based on the risk associated with the vendor or business partner.
Privacy
The revisions now indicate which privacy-related points of focus may apply only to an organization acting as a data controller, and which may apply only to a data processor. Organizations must understand their role in their privacy ecosystem, determine the nature of the data they process and the associated risks, and implement controls to mitigate those risks.
Additionally, the revised points of focus now include considerations about establishing structures, reporting lines, and authorities to support compliance with legal and contractual privacy obligations.
An example of this is appointing a Data Protection Officer, which is a requirement of many privacy regulations such as GDPR. There is also emphasis on the importance of personnel awareness on privacy matters, including incident reporting processes for privacy-related incidents.
The revised points of focus also include guidance on secure software development and privacy by design. This highlights the importance of considering privacy requirements in the design of systems and processes, and of limiting the collection and processing of personal information to what is necessary for the identified purpose.
The revisions also include guidance on reviewing privacy notices periodically, communicating changes to privacy notices to data subjects, and retaining prior versions of the privacy notice in accordance with internal requirements.
Regarding data subject rights, the revisions include a point of focus to establish processes to respond to data subject requests. These processes may include authentication of the requests, permitting access where appropriate, responding within a reasonable time, and providing notification if a request is denied.
Implications of These Revisions for Your Organization
Whether you are about to go through your first SOC 2 examination or already have a SOC 2 report and are focused on continuous compliance, you should be aware of changes introduced by the AICPA, as the trust services criteria serve as the foundation of this framework.
As stated before, these revisions to the points of focus do not alter the trust services criteria in any way. There are no new requirements that would significantly change the way you approach SOC 2. The points of focus do not represent prescriptive requirements or mandatory controls. Therefore, the main implication of these revisions is simply for organizations to “go back to the basics” of SOC 2 and revisit their risk assessment process.
The premise of SOC 2 is that organizations must assess the unique risks that threaten the achievement of the company's objectives, and implement the necessary processes and controls to mitigate those risks to acceptable levels.
With these revisions from the AICPA, organizations should consider reevaluating their risk assessment and using these updated points of focus to inform their identification, analysis, and evaluation of risks.
The goal of this process would be to determine if there is a need to implement any additional controls to mitigate newly identified risks that your organization faces in an environment of ever-changing technologies, threats, and vulnerabilities, as well as changes in legal and regulatory requirements.
Navigating the Revisions Within Drata
Drata has updated its SOC 2 framework content to align with the 2022 revisions of the points of focus for each trust services criterion, so Drata customers continue to have access to the latest content from the AICPA within the product.
Additionally, we’ve used this as an opportunity to iterate on Drata’s proprietary control library. We have enhanced the control library to include additional controls that reflect evolving modern technologies and evolving industry standards and best practices.
For example, we have added controls around software composition analysis, static application security testing, phishing simulations, cloud deletion protection, and management of cryptographic keys and secrets throughout their lifecycle, to name a few. These control templates are provided to Drata customers for them to evaluate within the context of their unique objectives and risk assessment, to help accelerate and standardize their ongoing compliance efforts and reduce compliance fatigue.
For more resources associated with SOC 2 and other GRC topics, refer to Drata’s GRC Central.