Establish, implement, and maintain an in scope system description.


CONTROL ID
14873
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Include in scope procedures in the audit assertion's in scope system description., CC ID: 16551
  • Include roles and responsibilities in the audit assertion's in scope system description., CC ID: 16558
  • Include the audit criteria in the audit assertion's in scope system description., CC ID: 16548
  • Include third party data in the audit assertion's in scope system description., CC ID: 16554
  • Include third party personnel in the audit assertion's in scope system description., CC ID: 16552
  • Include compliance requirements in the audit assertion's in scope system description., CC ID: 16506
  • Include third party assets in the audit assertion's in scope system description., CC ID: 16550
  • Include third party services in the audit assertion's in scope system description., CC ID: 16503
  • Include monitoring controls in the audit assertion's in scope system description., CC ID: 16501
  • Include availability commitments in the audit assertion's in scope system description., CC ID: 14914
  • Include deviations and the corrective actions taken in the audit assertion's in scope system description., CC ID: 16549
  • Include changes in the audit assertion's in scope system description., CC ID: 14894
  • Include external communications in the audit assertion's in scope system description., CC ID: 14913
  • Include a section regarding incidents related to the system in the audit assertion's in scope system description., CC ID: 14878
  • Include a section regarding in scope controls related to the system in the audit assertion's in scope system description., CC ID: 14897
  • Refrain from omitting or distorting information in the audit assertion's in scope system description., CC ID: 14893
  • Include the timing of each change in the audit assertion's in scope system description., CC ID: 14892
  • Include the system boundaries in the audit assertion's in scope system description., CC ID: 14887
  • Determine the presentation method of the audit assertion's in scope system description., CC ID: 14885
  • Include the time frame covered by the description in the audit assertion's in scope system description., CC ID: 14884
  • Include commitments to third parties in the audit assertion., CC ID: 14899
  • Determine the completeness of the audit assertion's in scope system description., CC ID: 14883
  • Determine the appropriateness of the audit assertion's in scope system description., CC ID: 16449
  • Include system requirements in the audit assertion's in scope system description., CC ID: 14881
  • Include third party controls in the audit assertion's in scope system description., CC ID: 14880


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits; (Art. 30.3. ¶ 1(e)(iv), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • For Core Protection it is particularly important to not only clearly delimit the information domain, but also to keep it as small as possible. Any further target object added to an information domain increases complexity of safeguarding. Thus, in case of doubt it can be more reasonable to operate th… (§ 7.2 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Identifying all in-scope networks and system components (A3.2.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE. (12.5.2 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE. (A3.2.1 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE. (12.5.2 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE. (12.5.2 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The individual(s) managing the audit programme should determine the extent of the audit programme. This can vary depending on the information provided by the auditee regarding its context (see 5.3). (§ 5.4.3 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • determine the conformity of the system, as far as documented, with audit criteria; (§ 6.4.6 ¶ 1 Bullet 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Applicability. A description of the AI system, including for example, its algorithms, data and models, should be transparent enough to ensure its applicability to the intended use. (§ 6.7.5 ¶ 3 Bullet 1, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description (¶ 2.26 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Modifying the description, if appropriate (chapter 4, "Forming the Opinion and Preparing the Service Auditor's Report," describes a few situations in which the service auditor would recommend that management modify the description) (¶ 2.29 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method … (¶ 2.100, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management may use either a formal or an informal process to prepare the description of the service organization's system. For example, a small service organization that prepares only one report per year is likely to have an informal process in which a few employees with persona… (¶ 2.117, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When a service organization uses multiple subservice organizations, it may prepare its description using the carve-out method for one or more subservice organizations and the inclusive method for others. (¶ 2.13, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In other situations, the service organization may perform several control activities directed at meeting an applicable trust services criterion in order to achieve its service commitments and service requirements. Consequently, if the service auditor evaluates certain control activities as being ine… (¶ 3.94, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for preparing the description of the system that was designed and implemented in accordance with the description criteria presented in supplement A, "2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report." Gen… (¶ 3.13, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the vendor is a subservice organization, the service organization's description of its system would include the information set forth in description criterion DC7 presented in supplement A, "2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report," depen… (¶ 2.11, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When a service organization uses multiple subservice organizations, it may prepare its description using the carve-out method for one or more subservice organizations and the inclusive method for others. (¶ 2.15, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In a SOC 2 examination, service organization management is the responsible party. However, in certain situations there may be other responsible parties. As the responsible party, service organization management prepares the description of the service organization's system that is included in the SOC… (¶ 1.18, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the management's specialist is a subservice organization, the service organization's description of its system would include the information set forth in description criterion DC7 presented in DC section 200, 2018 Description Criteria for a Description of a Service Organization's System in a SOC … (¶ 2.13, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for having a reasonable basis for asserting that (a) the description of the service organization's system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable a… (¶ 2.04, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Preparing a description of the service organization's system, including the completeness, accuracy, and method of presentation of the description (¶ 2.32 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Modifying the description, if appropriate (Chapter 4, "Forming the Opinion and Preparing the Service Auditor's Report," describes a few situations in which the service auditor would generally recommend that management modify the description.) (¶ 2.35 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In addition to providing the service auditor with a written assertion and representation letter at the end of the examination, subservice organization management is also responsible for preparing a description of the subservice organization's system, including the completeness, accuracy, and method … (¶ 2.104, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In any event, the service auditor needs to remember that the initial system description prepared by service organization management is ordinarily revised several times during the examination, as the service auditor's procedures provide further insight into the nature and extent of appropriate disclo… (¶ 2.116, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for preparing the description of the system that was designed and implemented in accordance with the description criteria presented in DC section 200, 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report (Wi… (¶ 3.12, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Generally, management prepares the description from documentation supporting the system of internal control and system operations and from consideration of the policies, processes, and procedures (controls) within the system used to provide the services. (¶ 3.13, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service organization may have designed and implemented multiple (redundant) controls to address a particular risk that threatens the achievement of its service commitments and system requirements. If the service auditor evaluated the suitability of design of one control and determined that it wa… (¶ 3.109, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When the service auditor identifies a material description misstatement, the service auditor ordinarily discusses the misstatement with service organization management. In many situations, service organization management would elect to revise the description to correct the misstatement. (¶ 3.83, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .35 of AT-C section 205 states that the service auditor's assessment of the risks of material misstatement may change during the course of the examination as additional evidence is obtained. If the service auditor obtains evidence from performing further procedures, or if new information i… (¶ 3.212, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)