Include a section regarding incidents related to the system in the audit assertion’s in scope system description.


CONTROL ID: 14878
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description., CC ID: 14873

This Control has the following implementation support Control(s):
  • Include the function performed by the in scope system in the audit assertion's in scope system description., CC ID: 14911
  • Include the disposition of the incident in the audit assertion's in scope system description., CC ID: 14896
  • Include the extent of the incident in the audit assertion's in scope system description., CC ID: 14895
  • Include the timing of each incident in the audit assertion's in scope system description., CC ID: 14891
  • Include the nature of each incident in the audit assertion's in scope system description., CC ID: 14889


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • were the result of controls that were not suitably designed or operating effectively or (¶ 2.05 Bullet 6 Sub-Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • otherwise resulted in a significant failure in the achievement of one or more of those service commitments and system requirements (¶ 2.05 Bullet 6 Sub-Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Description criterion DC4 requires that service organization management include in the description certain information related to system incidents that (a) were the result of controls that were not suitably designed or operating effectively or (b) otherwise resulted in a significant failure in the a… (¶ 3.38, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)