SOC2®

Summary

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems used by the organization to process users' data, as well as the confidentiality and privacy of the information processed by these systems. The version used in this section is 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (last revisions made in March 2020).

Definitions

Definition	Requirements
SOC2-CC2_3. Communication and information	318. Notify third parties of changes
SOC2-CC5_1. Control activities	062. Define standard configurations
SOC2-CC5_2. Control activities	062. Define standard configurations
SOC2-CC6_1. Logical and physical access controls	228. Authenticate using standard protocols 231. Implement a biometric verification component 264. Request authentication
SOC2-CC6_2. Logical and physical access controls	114. Deny access with inactive credentials 122. Validate credential ownership 034. Manage user accounts 095. Define users with privileges
SOC2-CC6_3. Logical and physical access controls	186. Use the principle of least privilege 341. Use the principle of deny by default
SOC2-CC6_4. Logical and physical access controls	231. Implement a biometric verification component
SOC2-CC6_5. Logical and physical access controls	144. Remove inactive accounts periodically
SOC2-CC6_6. Logical and physical access controls	115. Filter malicious emails 253. Restrict network access 257. Access based on user credentials
SOC2-CC6_7. Logical and physical access controls	181. Transmit data using secure protocols
SOC2-CC6_8. Logical and physical access controls	115. Filter malicious emails 155. Application free of malicious code
SOC2-C1_1. Additional criteria for confidentiality	185. Encrypt sensitive information 300. Mask sensitive data 375. Remove sensitive data from client-side applications
SOC2-C1_2. Additional criteria for confidentiality	183. Delete sensitive data securely 210. Delete information from mobile devices
SOC2-P1_1. Additional criteria for privacy (related to notice and communication of objectives related to privacy)	186. Use the principle of least privilege
SOC2-P2_1. Additional criteria for privacy (related to choice and consent)	310. Request user consent
SOC2-P3_1. Additional criteria for privacy (related to collection)	360. Remove unnecessary sensitive information
SOC2-P3_2. Additional criteria for privacy (related to collection)	310. Request user consent
SOC2-P4_1. Additional criteria for privacy (related to use, retention, and disposal)	189. Specify the purpose of data collection 310. Request user consent 314. Provide processing confirmation 315. Provide processed data information
SOC2-P4_2. Additional criteria for privacy (related to use, retention, and disposal)	229. Request access credentials 300. Mask sensitive data
SOC2-P4_3. Additional criteria for privacy (related to use, retention, and disposal)	183. Delete sensitive data securely 317. Allow erasure requests 318. Notify third parties of changes 360. Remove unnecessary sensitive information
SOC2-P5_2. Additional criteria for privacy (related to access)	316. Allow rectification requests
SOC2-P6_1. Additional criteria for privacy (related to disclosure and notification)	189. Specify the purpose of data collection 310. Request user consent
SOC2-P6_2. Additional criteria for privacy (related to disclosure and notification)	311. Demonstrate user consent 079. Record exact occurrence time of events
SOC2-P6_3. Additional criteria for privacy (related to disclosure and notification)	079. Record exact occurrence time of events
SOC2-P6_5. Additional criteria for privacy (related to disclosure and notification)	318. Notify third parties of changes

Last updated

2024/02/08