Include a section regarding incidents related to the system in the audit assertion’s in scope system description.
CONTROL ID: 14878
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain an in scope system description., CC ID: 14873
This Control has the following implementation support Control(s):
Include the function performed by the in scope system in the audit assertion's in scope system description., CC ID: 14911
Include the disposition of the incident in the audit assertion's in scope system description., CC ID: 14896
Include the extent of the incident in the audit assertion's in scope system description., CC ID: 14895
Include the timing of each incident in the audit assertion's in scope system description., CC ID: 14891
Include the nature of each incident in the audit assertion's in scope system description., CC ID: 14889
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
were the result of controls that were not suitably designed or operating effectively or (¶ 2.05 Bullet 6 Sub-Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
otherwise resulted in a significant failure in the achievement of one or more of those service commitments and system requirements (¶ 2.05 Bullet 6 Sub-Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
Description criterion DC4 requires that service organization management include in the description certain information related to system incidents that (a) were the result of controls that were not suitably designed or operating effectively or (b) otherwise resulted in a significant failure in the a… (¶ 3.38, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)