Back

Include system requirements in the audit assertion's in scope system description.


CONTROL ID
14881
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description., CC ID: 14873

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Specifying the principal system requirements related to commitments made to business partners (¶ 2.04 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • System requirements are the specifications about how the system should function to (a) meet the service organization's service commitments to user entities and others (such as user entities' customers); (b) meet the service organization's commitments to vendors and business partners; (c) comply with… (¶ 1.47, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Likewise, management should disclose only the principal system requirements that are relevant to the trust services category or categories addressed by the description and that are likely to be relevant to the broad range of SOC 2® report users. When identifying which system requirements to disclos… (¶ 2.63, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Specifying the principal service commitments made to user entities and the system requirements needed to operate the system (¶ 2.168 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Relevance to compliance with laws and regulations. If the service organization is subject to requirements specified by laws or regulations related to security and the other trust services categories included within the scope of the SOC 2® examination, identified deficiencies and deviations related … (¶ 3.163 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • As discussed in the preceding paragraph, as part of its assertion, management describes the boundaries of the system and the principal service commitments and system requirements. The boundaries of a system addressed by the examination need to be clearly understood, defined, and communicated to repo… (¶ 4.112, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for establishing its service commitments and system requirements. Service commitments are the declarations made by service organization management to user entities (its customers) about the system used to provide the service. Commitments can be communic… (¶ 1.45, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to under… (¶ 1.49, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • A service organization's system of internal control is evaluated by using the trust services criteria to determine whether the service organization's controls provide reasonable assurance that its business objectives and sub-objectives are achieved. When a service organization provides services to u… (¶ 1.44, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When the description addresses privacy, service organization management discloses the service commitments and system requirements identified in the service organization's privacy notice or in its privacy policy that are relevant to the system being described. When making such disclosures, it may als… (¶ 2.61, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Disclosures about the boundaries of the system and the principal service commitments and system requirements ordinarily would be included in management's assertion or in an exhibit thereto. If management does not include those disclosures in its assertion (or in an exhibit thereto), the service audi… (¶ 4.114, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • An assertion by service organization management about whether the controls were effective throughout the period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. As part of that a… (¶ 4.111 ¶ 1(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for identifying the specific subject matter to be examined, including the components of the system used to provide the service and the boundaries of that system. Service organization management is also responsible for establishing its service commitment… (¶ 1.22, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In order to understand the service provided, the system, and the design and operation of the controls, SOC 2 report users usually require an understanding of the nature of the service organization's service commitments and system requirements. The service commitments and system requirements that are… (¶ 1.31, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Specifying the principal system requirements related to commitments made to business partners (¶ 2.05 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for establishing its service commitments and identifying its system requirements. Service commitments are the declarations made by service organization management to user entities (its customers) about the system used to provide the service. Commitments… (¶ 1.57, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • A service organization adopts a mission and vision, sets strategies, and establishes objectives to help it achieve its mission and vision based on its strategies. Management designs and implements various systems to achieve specific objectives and designs and implements controls within the systems t… (¶ 1.30, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Specifying the principal service commitments made to user entities and the system requirements needed to operate the system (¶ 2.05 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for having a reasonable basis for asserting that (a) the description of the service organization's system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable a… (¶ 2.04, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for achieving its service commitments and system requirements. It is also responsible for stating in the description the service organization's principal service commitments and system requirements with sufficient clarity to enable report users to under… (¶ 1.61, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • There is no type 1 equivalent for a SOC 3 report. In a SOC 3 examination, service organization management prepares, and includes in the SOC 3 report, a written assertion about whether the controls within the system were effective throughout the specified period to provide reasonable assurance that t… (¶ 1.74, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Obtain an understanding of the services provided by the service organization, the system used to provide them, and the service organization's service commitments and system requirements that define the engagement. (¶ 2.97 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As stated in chapter 1, service organization management is responsible for identifying and achieving the service commitments it makes to user entities as well as for the requirements of the system that will enable the service organization to achieve them. Management is also responsible for designing… (¶ 2.66, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Specifying the principal service commitments made to user entities and the system requirements needed to operate the system (¶ 2.191 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • For a SOC 3 examination, service organization management's responsibilities are substantially the same as those for a SOC 2 examination except that management does not prepare a system description. Although management does not prepare a system description, it does disclose the boundaries of the syst… (¶ 2.190, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • identifies the service organization's service commitments and system requirements; (¶ 3.93 Bullet 1 Sub-Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • An assertion by service organization management about whether the controls were effective throughout the period to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. As part of that a… (¶ 4.120 ¶ 1 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in the preceding paragraph, as part of its assertion, management describes the boundaries of the system and the principal service commitments and system requirements. The boundaries of the system addressed by the examination need to be clearly understood, defined, and communicated to re… (¶ 4.121, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Disclosures about the boundaries of the system and the principal service commitments and system requirements ordinarily would be included in management's assertion or in an exhibit thereto. If management does not include those disclosures in its assertion (or in an exhibit thereto), the service audi… (¶ 4.123, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in chapter 2, service organization management is responsible for designing, implementing, and operating the system to achieve its service commitments to user entities and the system requirements that are necessary to enable the system to achieve those commitments and comply with laws an… (¶ 3.26, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)