Include changes in the audit assertion's in scope system description.
CONTROL ID
14894
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description., CC ID: 14873

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Examine change documentation and interview personnel to verify that for each change to systems or networks the PCI DSS scope impact is determined, and includes all elements specified in this requirement. (A3.2.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • When performing the SOC 2® examination, the service auditor should also obtain an understanding of changes in the service organization's system implemented during the period covered by the examination. If the service auditor believes that the changes would be considered significant by the broad ran… (¶ 3.62, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Description criterion DC9 requires that the description disclose the relevant details of significant changes to the service organization's system during the period that are relevant to the service organization's service commitments and system requirements. Relevant changes are those that are likely … (¶ 3.74, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the service auditor believes that the changes would be considered significant by the broad range of report users, those changes would generally be included in the description. The narrative discussing the change would be expected to contain an appropriate level of detail, including the date the c… (¶ 3.75, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor's understanding of the nature of changes to the service organization's system, if any, and the assessed risk and the design and implementation of related controls that may reduce the effectiveness of the design or operation of the periodic control in the current period under exam… (¶ 3.180 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)