SlideShare a Scribd company logo

SOC 2 Type 2 Checklist - Part 1 - V2_final.pdf

I
infosecTrain

The document is a checklist for a SOC 2 Type 2 audit. It contains controls, control activities, and test procedures related to assessing an organization's control environment, risk assessment, communication and information processes. Some key points: - The organization must demonstrate commitment to integrity and ethical values through policies like a code of conduct and enforcing disciplinary actions. - Risks are identified through annual assessments and risks are analyzed by evaluating likelihood and impact. Fraud potential is also considered. - Internal communication ensures employees are informed of policies and responsibilities. External communication covers commitments to customers, vendors, and during system changes. - Quality information is obtained through reviews, scans, and ensuring accurate descriptions of services are available to users

Education
1 of 19
Downloaded 56 times
1
2
Most read
3
4
5
6
7
8
9
10
11
Most read
12
13
14
15
16
17
18
Most read
19
www.infosectrain.com CHECK LIST SOC 2 (Service Organization Control) Type 2 Checklist Part - 1
www.infosectrain.com CC 1.0 Control Environment CC1.1: Demonstrates Commitment to Integrity & Ethical Values Control Activity Specified by Organization Control COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values. Test Applied by Auditor Test Results Contractor agreements must include a Code of Business Conduct and a reference to the corporate Code of Conduct, and they must be posted on the corporate intranet for all employees to access. CC1.1.1 Examine the code of conduct for business and ensure that it is accessible via the corporate intranet. At the time of hire, the corporation requires new hires to acknowledge a code of conduct. Disciplinary actions are taken against employees who break the code of conduct in accordance with the policy. CC1.1.2 Examine the code of conduct for business and ensure that there are recorded enforcement processes that included disciplinary action. The business mandates that prospective hires undergo background checks. CC1.1.3 Examine and verify the documented information on employ background is accurate. At the time of hiring, the business demands that employees & contractors sign a confidentiality agreement. CC1.1.4 Examine and ensure that employees and contractors sign a confidentiality agreement at the time of engagement. Performance reviews for direct reports must be completed by firm management at least once a year. CC1.1.5 Examine and ensure that company performs evaluation for all employees annually. CC 1.0 Control Environment
www.infosectrain.com CC1.2: Exercises Oversight Responsibility Control Activity Specified by Organization Control COSO Principle 2: The board of directors demonstrates independence from management & exercises oversight of the development and performance of internal control. Test Applied by Auditor Test Results All corporate policies are reviewed and approved yearly by the board of directors of the firm or a pertinent subcommittee, such as senior management. CC1.2.1 Examine the corporate rules and ensure that they have undergone evaluation and senior management approval. The board members of the organisation are qualified to oversee management's capacity to create, put into place, and run information security controls. CC1.2.2 Examine and ensure that the information security controls have been created, implemented, reviewed and approved by proper authorities. The board of directors of the corporation holds formal meetings at least once a year and keeps minutes of those meetings. Directors who are not affiliated with the company are on the board. CC1.2.3 Ensure independent directors were present, proper meeting minutes were taken, and observe board sessions were held at least twice a year. The Organisational Chart for all personnel is reviewed and approved annually by the entity's Senior Management. CC1.2.4 Examine and ensure that each employee's organisational chart has undergone evaluation and senior management's approval. The management of the organisation exhibits a dedication to morality and ethical behaviour. CC1.2.5 Examine the ethical management document and ensure that the company management demonstrates a commitment to integrity and ethical values. CC 1.0 Control Environment
www.infosectrain.com CC1.3: Establishes Structure, Authority, and Responsibility Control Activity Specified by Organization Control COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Test Applied by Auditor Test Results To oversee the development and application of information security controls, the firm management established clear roles and responsibilities. CC1.3.1 Examine and ensure that the management of the organisation has created clear roles and responsibilities to oversee the development and application of information security controls. The board of directors of the corporation has a written charter outlining its internal control monitoring obligations. CC1.3.2 Examine and ensure that the roles and responsibilities of the board of directors are outlined in the bylaws. The business keeps an organisational layout that details the hierarchical framework and reporting structure. CC1.3.3 Examine and ensure that the most recent organisation chart for the company accurately reflects the hierarchical framework and reporting structure. To improve the operational performance of employees within the organisation; the business maintains job descriptions for client-facing IT and engineering positions. CC1.3.4 Examine and ensure that the job description improves the operational performance of employees. Roles and Responsibilities policy formally allocate roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls. CC1.3.5 Examine the Roles and Responsibilities policy for the design, implementation, operation, maintenance, and monitoring of information security measures. CC 1.0 Control Environment
www.infosectrain.com CC1.4: Demonstrates Commitment to Competence Control Activity Specified by Organization Control COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Test Applied by Auditor Test Results The businesses must make sure that new personnel have undergone a thorough evaluation of their abilities to perform the duties of their positions. CC1.4.1 Examine and ensure the new hires' competence assessment. The business runs background checks on new hires. CC1.4.2 Examine the onboarding process and make sure that new hires' backgrounds are checked. Performance reviews for direct reports must be completed by firm management at least once a year. CC1.4.3 Examine the performance evaluation and performance review policy to confirm that annual performance evaluations are carried out. Roles and Responsibilities policy formally allocate roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls. CC1.4.4 Examine the Roles and Responsibilities policy for the design, implementation, operation, maintenance, and monitoring of information security measures. Employees must undergo security awareness training within 30 days of hire and at least once a year after that. CC1.4.5 Examine the Information Security Policy and ensure that employees undergo security training at the time of hire and on an annual basis after that. CC 1.0 Control Environment
www.infosectrain.com CC1.5: Enforces Accountability Control Activity Specified by Organization Control COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Test Applied by Auditor Test Results All personnel in client-facing, IT, engineering, and information security professions are required to undergo quarterly evaluations addressing their job responsibilities. CC1.5.1 Examine and ensure that job responsibilities are routinely evaluated. At the time of hire, the corporation requires new hires to acknowledge a code of conduct. Disciplinary actions are taken against employees who break the code of conduct in accordance with the policy. CC1.5.2 Examine the code of conduct for business and ensure that there are recorded enforcement processes that included disciplinary action. Business has implemented information security awareness training, and the firm intranet makes the training resources accessible to all employees. CC1.5.3 Examine the data on information security awareness and ensure that all employees have access to the contents via the business intranet. The organisation mandates that all staff members complete information security awareness training once upon hire as well as once a year for all employees. CC1.5.4 Examine the training records for information security awareness. Every year, the business mandates that all employees review and acknowledge the company's policies. CC1.5.5 Examine the firm policies to ensure that all employees have read and agreed to them. CC 1.0 Control Environment
www.infosectrain.com CC2.0 Communication and Information CC2.1: Quality Information Control Activity Specified by Organization Control COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. Test Applied by Auditor Test Results The information generated by the organization's systems undergoes assessment and analysis to identify its effects on the operation of internal controls. CC2.1.1 Examine the operation of internal controls, ensuring they have been reviewed and evaluated within the system. Corporation conducts annual control self-assessments to confirm effective control presence and operation, implementing corrective actions based on findings. CC2.1.2 Examine yearly control self-assessments to ensure that crucial policies are annually reviewed for the effectiveness of control presence and operation. Additionally, implement necessary corrective actions based on identified findings. The organization employs a log management tool to identify events that could potentially compromise the corporation's ability to accomplish its security goals. CC2.1.3 Examine that the log management tool effectively identifies events that could impact security objectives. To ensure customer accessibility, the corporation prominently presents up-to-date information regarding its services on its website. CC2.1.4 Examine whether the corporation effectively presents current information about its services on its website to ensure customer accessibility. Corporation conducts host-based vulnerability scans on its external-facing systems quarterly. These scans identify critical and high vulnerabilities, which are then closely monitored and promptly addressed for remediation. CC2.1.5 Examine quarterly host-based vulnerability scans to detect critical and high vulnerabilities and then closely monitor and take proactive measures to address these vulnerabilities, ensuring effective mitigation. CC2.0 Communication and Information
www.infosectrain.com CC2.2: Internal Communication for Effective Control Control Activity Specified by Organization Control COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Test Applied by Auditor Test Results The Code of Business Conduct, established by the company, contains guidelines for appropriate conduct. All employees have access to this code via the company intranet, ensuring everyone knows it's ethical guidelines. CC2.2.1 Examine established behavioral standards in the Code of Business Conduct and verify their accessibility to all staff through the company's intranet platform. The organization's management has established specific roles and responsibilities to ensure information security controls are designed and implemented. CC2.2.2 Examine security policies and ensure that organization management has designated roles and responsibilities for supervising the design and implementation of information security controls. To understand what the company offers and how it can meet the needs of its various audiences, organization provides comprehensive descriptions of its products and services, catering to its internal employees and external users such as customers, partners, and stakeholders. CC2.2.3 Review documents to ensure that the company's comprehensive descriptions of its goods and services for internal and external users are clear and aligned with needs. The firm maintains documented information security policies and procedures subject to an annual review, ensuring their continued relevance and effectiveness in safeguarding sensitive information and assets. CC2.2.4 Examine the company's information security policies and procedures, confirming their documentation, yearly review, and acknowledgment by new employees. The company ensures that authorized internal users are promptly informed of system changes. CC2.2.5 Examine internal communication practices and ensure that the company effectively informs authorized internal users about system updates. CC2.0 Communication and Information
www.infosectrain.com CC2.3: Communication with External Parties Control Activity Specified by Organization Control COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. Test Applied by Auditor Test Results The firm implements an external-facing support system that enables users to report information about system failures, incidents, concerns, and other complaints to the relevant personnel. CC2.3.1 Examine the CodeSee Website and ensure a support email is available for users to report system issues and references to the right personnel. The company informs customers about its security commitments through agreements known as Master Service Agreements (MSA) or Terms of Service (TOS). CC2.3.2 Examine the Master Service Agreement to ensure that customers know the company's commitments and promises. The company establishes contractual agreements with vendors and affiliated third parties, incorporating confidentiality and privacy commitments relevant to the firm. CC2.3.3 Examine a sample of a Signed Non-Disclosure Agreement to verify the presence of confidentiality and privacy agreements with contractors and third parties. The company comprehensively describes its products and services to its internal and external users. CC2.3.4 Examine the CodeSee Website and verify the presence of a product description intended for communication to both internal and external users. The company informs customers about significant system changes that could impact their processing operations. CC2.3.5 Examine the company website to ensure that customers are informed about significant system changes that could affect their processing activities. CC2.0 Communication and Information
www.infosectrain.com CC3.0 Risk Assessment CC3.1: Specification of Objectives Control Activity Specified by Organization Control COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Test Applied by Auditor Test Results The company maintains a documented risk management program, which guides identifying potential threats, assessing the significance of associated risks, and outlining mitigation strategies. CC3.1.1 Examine the Risk Assessment Policy, find documented steps for identifying and managing risks, and observe in Secureframe a maintained list of risks with assigned ratings and tracked actions for improvement. The company performs annual risk assessments, identifying threats and changes to service commitments and evaluating risks, including the potential for fraud and its impact on objectives. CC3.1.2 Examine the documentation containing records of the annual formal risk assessment exercise. The company has an established vendor management program comprising components such as critical third-party vendor inventory, vendor security and privacy requirements, and annual reviews of critical third-party vendors. CC3.1.3 Examine Secureframe for vendor list with ratings, security, privacy, and reviews; also examined Vendor Management Policy encompassing contract reviews, annual assessments, risk evaluation, and due diligence procedures. The company maintains a documented Business Continuity/Disaster Recovery (BC/DR) plan and conducts annual testing of the plan's effectiveness. CC3.1.4 Examine the company's BC/DR plan to ensure its presence, approval, and yearly testing. CC3.0 Risk Assessment
www.infosectrain.com CC3.2: Risk Identification and Analysis Control Activity Specified by Organization Control COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. Test Applied by Auditor Test Results The firm performs an annual formal risk assessment, outlined in the Risk Assessment and Management Policy, to identify potential threats that could affect its systems' security commitments and requirements. CC3.2.1 Examine records documenting the annual formal risk assessment exercise. Each risk undergoes assessment and receives a risk score considering its likelihood of occurrence and impact on the security, availability, and confidentiality of the company's platform. Risks are then associated with mitigating factors that address relevant aspects of the risk. CC3.2.2 Examine how each risk is evaluated based on likelihood and impact on platform security, availability, and confidentiality and ensure that risks are linked to actions that reduce their effects. During onboarding, the firm mandates new staff members to review and acknowledge company policies, ensuring an understanding of responsibilities and commitment to compliance. CC3.2.3 Examine the company's policies and confirm that new staff members have duly reviewed and acknowledged these policies, ensuring their knowledge and commitment. The organization establishes a documented risk management program that encompasses instructions for identifying potential threats, assessing the significance of risks related to these threats, and formulating strategies to mitigate these risks. CC3.2.4 Examine Risk Assessment and Treatment Policy for documented risk management processes and verify Secureframe the existence of a maintained risk registry with identified vulnerabilities, severity ratings, and tracked remediation actions. The company implements a vendor management program that includes maintaining a list of critical third-party vendors, setting security & privacy requirements for vendors, & performing annual reviews of these vendors. CC3.2.5 Examine the company's vendor management program to ensure it has a process for documenting and overseeing vendor relationships. CC3.0 Risk Assessment
www.infosectrain.com CC3.3: Fraud Consideration in Risk Assessment Control Activity Specified by Organization Control COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives. Test Applied by Auditor Test Results The company performs annual risk assessments that involve identifying threats, changes to service commitments, formal risk assessments, and considering fraud's potential impact on objectives. CC3.3.1 Examine the company's risk assessment documentation, confirming the yearly format of assessments, identifying threats and commitment modifications, formal risk assessment, and considering the impact of fraud on objectives. The company establishes a documented risk management program that provides instructions for identifying potential threats, evaluating the significance of risks linked to those threats, and developing strategies to mitigate those risks. CC3.3.2 Examine the risk management program to ensure it offers guidance for identifying potential threats and suggesting strategies to mitigate these threats. CC3.0 Risk Assessment
www.infosectrain.com CC3.4: Identifying Changes Control Activity Specified by Organization Control COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control. Test Applied by Auditor Test Results Each year, the company conducts a formal risk assessment exercise in accordance with the Risk Assessment and Management Policy. The goal is to identify potential threats that could compromise the security commitments and requirements of the systems. CC3.4.1 Review the records of the annual formal risk assessment exercise and examine the Assessment and Management Policy. The company implements a configuration management procedure to ensure consistent deployment of system configurations throughout the environment. CC3.4.2 Evaluate the company's configuration management procedure to validate its implementation, ensuring the constant deployment of system configurations across the entirety of the environment. The firm evaluates risks and scores based on their likelihood and potential impact on platform security, availability, and confidentiality. They are then linked to mitigating factors, wholly or partially addressing the risks. CC3.4.3 Examine risk mitigating factors related to risk evaluation The company conducts penetration testing, develops a remediation plan, and implements changes to address vulnerabilities by SLAs. CC3.4.4 Examine the company's penetration testing, verifying its annual execution. CC3.0 Risk Assessment
www.infosectrain.com CC4.0 Monitoring Activities CC4.1: Continuous Evaluation Control Activity Specified by Organization Control COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Test Applied by Auditor Test Results The senior management of the firm designates an Information Security Officer tasked with planning, evaluating, implementing, and overseeing the internal control environment. CC4.1.1 Examine the coordination of planning, assessment, and implementation within the internal control environment. The organization designates an Infrastructure owner responsible for all assets listed in the inventory. CC4.1.2 Examine the Infra Operations Person document, confirming their responsibility for overseeing all holdings within the inventory. The organization utilizes Sprinto, a continuous monitoring system, to track and report the information security program's status to the Information Security Officer and other stakeholders. CC4.1.3 Examine the ongoing monitoring and reporting activities of the Sprinto tool, which ensures the health of the information security program is communicated to the Information Security Officer and other stakeholders. The senior management of the entity annually reviews and grants approval for all company policies. CC4.1.4 Examine the yearly company policy, which has undergone review and received approval from Senior Management. The firm conducts regular reviews and assessments of all subservice organizations to verify their ability to fulfill customer commitments. CC4.1.5 Examine the subservice organizations outlined in the system and note that they have undergone review and evaluation by the firm. CC4.0 Monitoring Activities
www.infosectrain.com CC4.2: Reporting of Control Deficiencies Control Activity Specified by Organization Control COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Test Applied by Auditor Test Results The company conducts annual control self-assessments to ensure controls' presence and effective functioning, followed by appropriate corrective actions in response to identified findings. CC4.2.1 Examine the Secureframe platform to verify recent policy reviews and publications. Additionally, examine the Information Security Policy to confirm its annual review and updates, reinforcing security control effectiveness. The company informs employees through the Information Security Policy about how to report problems, failures, incidents, or concerns related to the services or systems they provide. CC4.2.2 Examine Information Security Policy to ensure employees understand how to report system problems. The entity utilizes Sprinto, a continuous monitoring system, to monitor and provide updates to the information security officer and other relevant stakeholders about the status of the information security program. CC4.2.3 Examine the sprinto system and ensure it constantly tracks, monitors, and reports the information security program's position to the security officer and stakeholders. Every year, Senior Management of the firm evaluates and approves all corporate policies. CC4.2.4 Examine the firm policies and ensure that Senior Management has examined and supported them. Each year, senior management of the entity evaluates and approves the program's status for information security. CC4.2.5 Examine the report on the internal audit assessment and ensure that Senior Management has examined and given their approval. CC4.0 Monitoring Activities
www.infosectrain.com CC5.0 Control Activities CC5.1: Risk Mitigating Control Activity Specified by Organization Control COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Test Applied by Auditor Test Results The firm establishes a set of guidelines that outline acceptable behavior about the firm's regulatory framework. CC5.1.1 Examine the policies for the control environment. The firm possesses a well-defined Acceptable Usage Policy accessible to all employees through the firm's intranet. CC5.1.2 Examine the Acceptable Usage Policy and ensure it is accessible to all employees via the company's intranet. Senior Management of the firm separates Roles and Responsibilities to reduce risks to the services offered to its clients. CC5.1.3 Examine and ensure that the firm's senior management has separate Roles and Responsibilities to minimize risks to the services provided to its clients. The company maintains a documented risk management program outlining procedures for identifying potential threats, assessing their significance, and implementing mitigation strategies for associated risks. CC5.1.4 Examine the risk management program to verify its provision of guidance in identifying potential hazards, evaluating risk significance, and formulating mitigation strategies. CC5.0 Control Activities
www.infosectrain.com CC5.2: Establishment of Technology Control Activities Control Activity Specified by Organization Control COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives. Test Applied by Auditor Test Results The firm employs Sprinto, a continuous monitoring system, to track and report to the information security officer and other stakeholders on the state of the information security program. CC5.2.1 Examine the ongoing monitoring capabilities of the Sprinto software, which tracks, records, and updates the information security officer and stakeholders on the program's status. Each year, senior management of the firm evaluates and approves the program's status for information security. CC5.2.2 Examine the internal audit assessment report and ensure it subsequently receives examination and approval from Senior Management. The structure of operations for all personnel is reviewed and approved annually by the firm's Senior Management. CC5.2.3 Examine the organizational staff chart and ensure it is subsequently examined and approved by Senior Management. Every subservice firm is routinely reviewed and evaluated by the firm to make sure obligations to the firm's clients can be maintained. CC5.2.4 Examine that the system's subservice organizations undergo regular reviews and evaluations. The organization establishes policies detailing acceptable behavior concerning the company's control environment. CC5.2.5 Examine the guidelines for the control environment. CC5.0 Control Activities
www.infosectrain.com CC5.3: Implementing Control Policies Control Activity Specified by Organization Control COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. Test Applied by Auditor Test Results The organization provides all employees access to policies and procedures through the corporate intranet. CC5.3.1 Examine the company's policies and practices and ensure they are accessible to all employees through the corporate intranet. Every year, the organization mandates that all employees review and acknowledge the company's policies. CC5.3.2 Examine the company's policies and ensure that every employee has reviewed and approved them. During onboarding, new employees must read and acknowledge the company's policies, ensuring their awareness and preparedness to meet their obligations. CC5.3.3 Examine the duties assigned to new employees in the system and ensure each employee has reviewed and approved them. The organization creates a set of policies that outline acceptable conduct about the control environment at the organization. CC5.3.4 Examine system policies related to the control environment. The organization defines its objectives to simplify the identification and assessment of risks associated with them. CC5.3.5 Examine the Risk Assessment and Treatment Policy to ensure that risk categories have been specified to aid in identifying and evaluating risk related to objectives. CC5.0 Control Activities
www.infosectrain.com Found this useful? To Get More Insights Through our FREE Course | Workshops | eBooks | White Paper Checklists | Mock Tests Press the Icon &

More Related Content

PDF
Sample SOC2 report of a security audit firm
JosephKirkpatrickCPA
 
PDF
SOC 2: Build Trust and Confidence
Schellman & Company
 
PPTX
SOC 2 presentation. Overview of SOC 2 assessment
Modu9
 
PDF
SOC-2 Framework - Plan, Budget, Design, Integrate & Audit Security Controls
Mark S. Mahre
 
PDF
Navigating Compliance for MSPs From First Audit to Monetization
ControlCase
 
PDF
Iso 27001 Checklist
Craig Willetts ISO Expert
 
PDF
SOC 2 and You
Schellman & Company
 
PDF
Compliance 101 HITRUST Update.pdf
AmyPoblete3
 
Sample SOC2 report of a security audit firm
JosephKirkpatrickCPA
 
SOC 2: Build Trust and Confidence
Schellman & Company
 
SOC 2 presentation. Overview of SOC 2 assessment
Modu9
 
SOC-2 Framework - Plan, Budget, Design, Integrate & Audit Security Controls
Mark S. Mahre
 
Navigating Compliance for MSPs From First Audit to Monetization
ControlCase
 
Iso 27001 Checklist
Craig Willetts ISO Expert
 
SOC 2 and You
Schellman & Company
 
Compliance 101 HITRUST Update.pdf
AmyPoblete3
 

What's hot (20)

PDF
ISO 27001_2022 Standard_Presentation.pdf
SerkanRafetHalil1
 
PPTX
ISO 27701
UtkarshDhiman4
 
PPTX
ISO_ 27001:2022 Controls & Clauses.pptx
foram74
 
PPTX
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
PPTX
System hardening - OS and Application
edavid2685
 
PPTX
CISA Training - Chapter 3 - 2016
Hafiz Sheikh Adnan Ahmed
 
PDF
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPT
ISO 27001 Benefits
Dejan Kosutic
 
PDF
Information Security Strategic Management
Marcelo Martins
 
PPTX
ERP IT Infrastructure Audit
velcomerp
 
PPTX
27001 awareness Training
Dr Madhu Aman Sharma
 
PDF
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
PDF
Building Security Operation Center
S.E. CTS CERT-GOV-MD
 
PDF
SOC-2 Compliance Status Report sample v10.0
Mark S. Mahre
 
PPTX
Effective Cyber Defense Using CIS Critical Security Controls
BSides Delhi
 
PPTX
Introduction to COBIT 2019 and IT management
Christian F. Nissen
 
PDF
Iso 22301 Checklist
Craig Willetts ISO Expert
 
PDF
Vectra Concept Overview
Ilya O
 
PDF
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
PDF
Guide to Risk Management Framework (RMF)
MetroStar
 
ISO 27001_2022 Standard_Presentation.pdf
SerkanRafetHalil1
 
ISO 27701
UtkarshDhiman4
 
ISO_ 27001:2022 Controls & Clauses.pptx
foram74
 
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
System hardening - OS and Application
edavid2685
 
CISA Training - Chapter 3 - 2016
Hafiz Sheikh Adnan Ahmed
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 Benefits
Dejan Kosutic
 
Information Security Strategic Management
Marcelo Martins
 
ERP IT Infrastructure Audit
velcomerp
 
27001 awareness Training
Dr Madhu Aman Sharma
 
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
Building Security Operation Center
S.E. CTS CERT-GOV-MD
 
SOC-2 Compliance Status Report sample v10.0
Mark S. Mahre
 
Effective Cyber Defense Using CIS Critical Security Controls
BSides Delhi
 
Introduction to COBIT 2019 and IT management
Christian F. Nissen
 
Iso 22301 Checklist
Craig Willetts ISO Expert
 
Vectra Concept Overview
Ilya O
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
Guide to Risk Management Framework (RMF)
MetroStar
 
Ad

Similar to SOC 2 Type 2 Checklist - Part 1 - V2_final.pdf (20)

PDF
SOX Audit Requirements -- How to Succeed
RodolfoGamaOliveira
 
PDF
Essential Study Guide and Exam Prep Questions for CPP Certification Success.pdf
Sienna Faleiro
 
DOCX
Chapter 11 personnel_and_security
husseinalshomali
 
PDF
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Boise State University - College of Engineering
 
PPTX
Security and Personnel-Chapter 11 Presentation.pptx
bernaleighsande88
 
PPTX
Security Organization/ Infrastructure
Priyank Hada
 
PDF
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
Boise State University - College of Engineering
 
DOCX
Assignment 1 Developing the Corporate Strategy for Information Secu.docx
murgatroydcrista
 
PPTX
Information System Audit and Control
Asad Raza
 
PDF
CCISO_Certification_Training_Course-Outline.pdf
priyanshamadhwal2
 
PDF
Contrast & Compare & Contrast Information Security Roles
LearningwithRayYT
 
PDF
SOC 2 certification: a Comprehensive Guide
ShyamMishra72
 
PDF
Internal audit manual template
CenapSerdarolu
 
PPTX
CompTIA CySA Domain 5 Compliance and Assessment.pptx
Infosectrain3
 
PDF
COSO_2013_Framework_on_Internal_Control.pdf
AliehaDhea
 
PPT
Security and personnel bp11521
Merlin Florrence
 
PPTX
CISO's first 100 days
MichaelSadeghiPhDABD
 
PDF
SELI030_EN 202cccccccccccccccc3032222.pdf
Salsa897659
 
PDF
Internal control and Control Self Assessment
Manoj Agarwal
 
PDF
Integration of Information Security Governance and Corporate Governance
Boise State University - College of Engineering
 
SOX Audit Requirements -- How to Succeed
RodolfoGamaOliveira
 
Essential Study Guide and Exam Prep Questions for CPP Certification Success.pdf
Sienna Faleiro
 
Chapter 11 personnel_and_security
husseinalshomali
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Boise State University - College of Engineering
 
Security and Personnel-Chapter 11 Presentation.pptx
bernaleighsande88
 
Security Organization/ Infrastructure
Priyank Hada
 
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
Boise State University - College of Engineering
 
Assignment 1 Developing the Corporate Strategy for Information Secu.docx
murgatroydcrista
 
Information System Audit and Control
Asad Raza
 
CCISO_Certification_Training_Course-Outline.pdf
priyanshamadhwal2
 
Contrast & Compare & Contrast Information Security Roles
LearningwithRayYT
 
SOC 2 certification: a Comprehensive Guide
ShyamMishra72
 
Internal audit manual template
CenapSerdarolu
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
Infosectrain3
 
COSO_2013_Framework_on_Internal_Control.pdf
AliehaDhea
 
Security and personnel bp11521
Merlin Florrence
 
CISO's first 100 days
MichaelSadeghiPhDABD
 
SELI030_EN 202cccccccccccccccc3032222.pdf
Salsa897659
 
Internal control and Control Self Assessment
Manoj Agarwal
 
Integration of Information Security Governance and Corporate Governance
Boise State University - College of Engineering
 
Ad

More from infosecTrain (20)

PDF
Top 10 Network Security Solutions You Need to Know.pdf
infosecTrain
 
PDF
Ethical Considerations in Generative Al.pdf
infosecTrain
 
PDF
Top 10 Security Architecture Tools in 2025.pdf
infosecTrain
 
PDF
Top ISO 27001 Lead Auditor Interview Question.pdf
infosecTrain
 
PDF
IAPP AIGP Exam Preparation Guide 2025.pdf
infosecTrain
 
PDF
What if Ben 10's aliens were your cybersecurity sidekicks.pdf
infosecTrain
 
PDF
Common Security Policies in Organizations.pdf
infosecTrain
 
PDF
Just Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al Governance
infosecTrain
 
PDF
ISSAP [Information Systems Security Architecture Professional) Certification ...
infosecTrain
 
PDF
CEH Exam Practice Questions and Answers Part 2.pdf
infosecTrain
 
PDF
CEH Exam Practice Questions and Answers Part -1.pdf
infosecTrain
 
PDF
AI-GRC Pros, Are You Implementation-Ready.pdf
infosecTrain
 
PDF
ISO 27001 2022 Audit Charter - By InfosecTrain
infosecTrain
 
PDF
IT Auditing with Certified GRC Auditor (CGA) Training.pdf
infosecTrain
 
PDF
Top Wireless Attacks and How to Prevent Them.pdf
infosecTrain
 
PDF
Which Access Control Mechanism is Best for the Cloud?
infosecTrain
 
PDF
Top CompTIA Security+ Exam Practice Questions and Answers..pdf
infosecTrain
 
PDF
CISSP Certification Exam Preparation Guide.pdf
infosecTrain
 
PDF
AI Governance Principles: Building Trust, Transparency, and Ethical AI System...
infosecTrain
 
PDF
Top 20 DevsecOps Interview Questions.pdf
infosecTrain
 
Top 10 Network Security Solutions You Need to Know.pdf
infosecTrain
 
Ethical Considerations in Generative Al.pdf
infosecTrain
 
Top 10 Security Architecture Tools in 2025.pdf
infosecTrain
 
Top ISO 27001 Lead Auditor Interview Question.pdf
infosecTrain
 
IAPP AIGP Exam Preparation Guide 2025.pdf
infosecTrain
 
What if Ben 10's aliens were your cybersecurity sidekicks.pdf
infosecTrain
 
Common Security Policies in Organizations.pdf
infosecTrain
 
Just Launched: ISO/IEC 42001:2023 Audit and Control Checklist for Al Governance
infosecTrain
 
ISSAP [Information Systems Security Architecture Professional) Certification ...
infosecTrain
 
CEH Exam Practice Questions and Answers Part 2.pdf
infosecTrain
 
CEH Exam Practice Questions and Answers Part -1.pdf
infosecTrain
 
AI-GRC Pros, Are You Implementation-Ready.pdf
infosecTrain
 
ISO 27001 2022 Audit Charter - By InfosecTrain
infosecTrain
 
IT Auditing with Certified GRC Auditor (CGA) Training.pdf
infosecTrain
 
Top Wireless Attacks and How to Prevent Them.pdf
infosecTrain
 
Which Access Control Mechanism is Best for the Cloud?
infosecTrain
 
Top CompTIA Security+ Exam Practice Questions and Answers..pdf
infosecTrain
 
CISSP Certification Exam Preparation Guide.pdf
infosecTrain
 
AI Governance Principles: Building Trust, Transparency, and Ethical AI System...
infosecTrain
 
Top 20 DevsecOps Interview Questions.pdf
infosecTrain
 

Recently uploaded (20)

PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
Classroom Observation Tools for Teachers
Nicaramirez
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PPTX
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PDF
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Institutional Correction lecture only . . .
limvtheghins
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
RMMM.pdf make it easy to upload and study
sajedul2
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
Classroom Observation Tools for Teachers
Nicaramirez
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 

SOC 2 Type 2 Checklist - Part 1 - V2_final.pdf

  • 1. www.infosectrain.com CHECK LIST SOC 2 (Service Organization Control) Type 2 Checklist Part - 1
  • 2. www.infosectrain.com CC 1.0 Control Environment CC1.1: Demonstrates Commitment to Integrity & Ethical Values Control Activity Specified by Organization Control COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values. Test Applied by Auditor Test Results Contractor agreements must include a Code of Business Conduct and a reference to the corporate Code of Conduct, and they must be posted on the corporate intranet for all employees to access. CC1.1.1 Examine the code of conduct for business and ensure that it is accessible via the corporate intranet. At the time of hire, the corporation requires new hires to acknowledge a code of conduct. Disciplinary actions are taken against employees who break the code of conduct in accordance with the policy. CC1.1.2 Examine the code of conduct for business and ensure that there are recorded enforcement processes that included disciplinary action. The business mandates that prospective hires undergo background checks. CC1.1.3 Examine and verify the documented information on employ background is accurate. At the time of hiring, the business demands that employees & contractors sign a confidentiality agreement. CC1.1.4 Examine and ensure that employees and contractors sign a confidentiality agreement at the time of engagement. Performance reviews for direct reports must be completed by firm management at least once a year. CC1.1.5 Examine and ensure that company performs evaluation for all employees annually. CC 1.0 Control Environment
  • 3. www.infosectrain.com CC1.2: Exercises Oversight Responsibility Control Activity Specified by Organization Control COSO Principle 2: The board of directors demonstrates independence from management & exercises oversight of the development and performance of internal control. Test Applied by Auditor Test Results All corporate policies are reviewed and approved yearly by the board of directors of the firm or a pertinent subcommittee, such as senior management. CC1.2.1 Examine the corporate rules and ensure that they have undergone evaluation and senior management approval. The board members of the organisation are qualified to oversee management's capacity to create, put into place, and run information security controls. CC1.2.2 Examine and ensure that the information security controls have been created, implemented, reviewed and approved by proper authorities. The board of directors of the corporation holds formal meetings at least once a year and keeps minutes of those meetings. Directors who are not affiliated with the company are on the board. CC1.2.3 Ensure independent directors were present, proper meeting minutes were taken, and observe board sessions were held at least twice a year. The Organisational Chart for all personnel is reviewed and approved annually by the entity's Senior Management. CC1.2.4 Examine and ensure that each employee's organisational chart has undergone evaluation and senior management's approval. The management of the organisation exhibits a dedication to morality and ethical behaviour. CC1.2.5 Examine the ethical management document and ensure that the company management demonstrates a commitment to integrity and ethical values. CC 1.0 Control Environment
  • 4. www.infosectrain.com CC1.3: Establishes Structure, Authority, and Responsibility Control Activity Specified by Organization Control COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Test Applied by Auditor Test Results To oversee the development and application of information security controls, the firm management established clear roles and responsibilities. CC1.3.1 Examine and ensure that the management of the organisation has created clear roles and responsibilities to oversee the development and application of information security controls. The board of directors of the corporation has a written charter outlining its internal control monitoring obligations. CC1.3.2 Examine and ensure that the roles and responsibilities of the board of directors are outlined in the bylaws. The business keeps an organisational layout that details the hierarchical framework and reporting structure. CC1.3.3 Examine and ensure that the most recent organisation chart for the company accurately reflects the hierarchical framework and reporting structure. To improve the operational performance of employees within the organisation; the business maintains job descriptions for client-facing IT and engineering positions. CC1.3.4 Examine and ensure that the job description improves the operational performance of employees. Roles and Responsibilities policy formally allocate roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls. CC1.3.5 Examine the Roles and Responsibilities policy for the design, implementation, operation, maintenance, and monitoring of information security measures. CC 1.0 Control Environment
  • 5. www.infosectrain.com CC1.4: Demonstrates Commitment to Competence Control Activity Specified by Organization Control COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Test Applied by Auditor Test Results The businesses must make sure that new personnel have undergone a thorough evaluation of their abilities to perform the duties of their positions. CC1.4.1 Examine and ensure the new hires' competence assessment. The business runs background checks on new hires. CC1.4.2 Examine the onboarding process and make sure that new hires' backgrounds are checked. Performance reviews for direct reports must be completed by firm management at least once a year. CC1.4.3 Examine the performance evaluation and performance review policy to confirm that annual performance evaluations are carried out. Roles and Responsibilities policy formally allocate roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls. CC1.4.4 Examine the Roles and Responsibilities policy for the design, implementation, operation, maintenance, and monitoring of information security measures. Employees must undergo security awareness training within 30 days of hire and at least once a year after that. CC1.4.5 Examine the Information Security Policy and ensure that employees undergo security training at the time of hire and on an annual basis after that. CC 1.0 Control Environment
  • 6. www.infosectrain.com CC1.5: Enforces Accountability Control Activity Specified by Organization Control COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Test Applied by Auditor Test Results All personnel in client-facing, IT, engineering, and information security professions are required to undergo quarterly evaluations addressing their job responsibilities. CC1.5.1 Examine and ensure that job responsibilities are routinely evaluated. At the time of hire, the corporation requires new hires to acknowledge a code of conduct. Disciplinary actions are taken against employees who break the code of conduct in accordance with the policy. CC1.5.2 Examine the code of conduct for business and ensure that there are recorded enforcement processes that included disciplinary action. Business has implemented information security awareness training, and the firm intranet makes the training resources accessible to all employees. CC1.5.3 Examine the data on information security awareness and ensure that all employees have access to the contents via the business intranet. The organisation mandates that all staff members complete information security awareness training once upon hire as well as once a year for all employees. CC1.5.4 Examine the training records for information security awareness. Every year, the business mandates that all employees review and acknowledge the company's policies. CC1.5.5 Examine the firm policies to ensure that all employees have read and agreed to them. CC 1.0 Control Environment
  • 7. www.infosectrain.com CC2.0 Communication and Information CC2.1: Quality Information Control Activity Specified by Organization Control COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. Test Applied by Auditor Test Results The information generated by the organization's systems undergoes assessment and analysis to identify its effects on the operation of internal controls. CC2.1.1 Examine the operation of internal controls, ensuring they have been reviewed and evaluated within the system. Corporation conducts annual control self-assessments to confirm effective control presence and operation, implementing corrective actions based on findings. CC2.1.2 Examine yearly control self-assessments to ensure that crucial policies are annually reviewed for the effectiveness of control presence and operation. Additionally, implement necessary corrective actions based on identified findings. The organization employs a log management tool to identify events that could potentially compromise the corporation's ability to accomplish its security goals. CC2.1.3 Examine that the log management tool effectively identifies events that could impact security objectives. To ensure customer accessibility, the corporation prominently presents up-to-date information regarding its services on its website. CC2.1.4 Examine whether the corporation effectively presents current information about its services on its website to ensure customer accessibility. Corporation conducts host-based vulnerability scans on its external-facing systems quarterly. These scans identify critical and high vulnerabilities, which are then closely monitored and promptly addressed for remediation. CC2.1.5 Examine quarterly host-based vulnerability scans to detect critical and high vulnerabilities and then closely monitor and take proactive measures to address these vulnerabilities, ensuring effective mitigation. CC2.0 Communication and Information
  • 8. www.infosectrain.com CC2.2: Internal Communication for Effective Control Control Activity Specified by Organization Control COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Test Applied by Auditor Test Results The Code of Business Conduct, established by the company, contains guidelines for appropriate conduct. All employees have access to this code via the company intranet, ensuring everyone knows it's ethical guidelines. CC2.2.1 Examine established behavioral standards in the Code of Business Conduct and verify their accessibility to all staff through the company's intranet platform. The organization's management has established specific roles and responsibilities to ensure information security controls are designed and implemented. CC2.2.2 Examine security policies and ensure that organization management has designated roles and responsibilities for supervising the design and implementation of information security controls. To understand what the company offers and how it can meet the needs of its various audiences, organization provides comprehensive descriptions of its products and services, catering to its internal employees and external users such as customers, partners, and stakeholders. CC2.2.3 Review documents to ensure that the company's comprehensive descriptions of its goods and services for internal and external users are clear and aligned with needs. The firm maintains documented information security policies and procedures subject to an annual review, ensuring their continued relevance and effectiveness in safeguarding sensitive information and assets. CC2.2.4 Examine the company's information security policies and procedures, confirming their documentation, yearly review, and acknowledgment by new employees. The company ensures that authorized internal users are promptly informed of system changes. CC2.2.5 Examine internal communication practices and ensure that the company effectively informs authorized internal users about system updates. CC2.0 Communication and Information
  • 9. www.infosectrain.com CC2.3: Communication with External Parties Control Activity Specified by Organization Control COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. Test Applied by Auditor Test Results The firm implements an external-facing support system that enables users to report information about system failures, incidents, concerns, and other complaints to the relevant personnel. CC2.3.1 Examine the CodeSee Website and ensure a support email is available for users to report system issues and references to the right personnel. The company informs customers about its security commitments through agreements known as Master Service Agreements (MSA) or Terms of Service (TOS). CC2.3.2 Examine the Master Service Agreement to ensure that customers know the company's commitments and promises. The company establishes contractual agreements with vendors and affiliated third parties, incorporating confidentiality and privacy commitments relevant to the firm. CC2.3.3 Examine a sample of a Signed Non-Disclosure Agreement to verify the presence of confidentiality and privacy agreements with contractors and third parties. The company comprehensively describes its products and services to its internal and external users. CC2.3.4 Examine the CodeSee Website and verify the presence of a product description intended for communication to both internal and external users. The company informs customers about significant system changes that could impact their processing operations. CC2.3.5 Examine the company website to ensure that customers are informed about significant system changes that could affect their processing activities. CC2.0 Communication and Information
  • 10. www.infosectrain.com CC3.0 Risk Assessment CC3.1: Specification of Objectives Control Activity Specified by Organization Control COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Test Applied by Auditor Test Results The company maintains a documented risk management program, which guides identifying potential threats, assessing the significance of associated risks, and outlining mitigation strategies. CC3.1.1 Examine the Risk Assessment Policy, find documented steps for identifying and managing risks, and observe in Secureframe a maintained list of risks with assigned ratings and tracked actions for improvement. The company performs annual risk assessments, identifying threats and changes to service commitments and evaluating risks, including the potential for fraud and its impact on objectives. CC3.1.2 Examine the documentation containing records of the annual formal risk assessment exercise. The company has an established vendor management program comprising components such as critical third-party vendor inventory, vendor security and privacy requirements, and annual reviews of critical third-party vendors. CC3.1.3 Examine Secureframe for vendor list with ratings, security, privacy, and reviews; also examined Vendor Management Policy encompassing contract reviews, annual assessments, risk evaluation, and due diligence procedures. The company maintains a documented Business Continuity/Disaster Recovery (BC/DR) plan and conducts annual testing of the plan's effectiveness. CC3.1.4 Examine the company's BC/DR plan to ensure its presence, approval, and yearly testing. CC3.0 Risk Assessment
  • 11. www.infosectrain.com CC3.2: Risk Identification and Analysis Control Activity Specified by Organization Control COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. Test Applied by Auditor Test Results The firm performs an annual formal risk assessment, outlined in the Risk Assessment and Management Policy, to identify potential threats that could affect its systems' security commitments and requirements. CC3.2.1 Examine records documenting the annual formal risk assessment exercise. Each risk undergoes assessment and receives a risk score considering its likelihood of occurrence and impact on the security, availability, and confidentiality of the company's platform. Risks are then associated with mitigating factors that address relevant aspects of the risk. CC3.2.2 Examine how each risk is evaluated based on likelihood and impact on platform security, availability, and confidentiality and ensure that risks are linked to actions that reduce their effects. During onboarding, the firm mandates new staff members to review and acknowledge company policies, ensuring an understanding of responsibilities and commitment to compliance. CC3.2.3 Examine the company's policies and confirm that new staff members have duly reviewed and acknowledged these policies, ensuring their knowledge and commitment. The organization establishes a documented risk management program that encompasses instructions for identifying potential threats, assessing the significance of risks related to these threats, and formulating strategies to mitigate these risks. CC3.2.4 Examine Risk Assessment and Treatment Policy for documented risk management processes and verify Secureframe the existence of a maintained risk registry with identified vulnerabilities, severity ratings, and tracked remediation actions. The company implements a vendor management program that includes maintaining a list of critical third-party vendors, setting security & privacy requirements for vendors, & performing annual reviews of these vendors. CC3.2.5 Examine the company's vendor management program to ensure it has a process for documenting and overseeing vendor relationships. CC3.0 Risk Assessment
  • 12. www.infosectrain.com CC3.3: Fraud Consideration in Risk Assessment Control Activity Specified by Organization Control COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives. Test Applied by Auditor Test Results The company performs annual risk assessments that involve identifying threats, changes to service commitments, formal risk assessments, and considering fraud's potential impact on objectives. CC3.3.1 Examine the company's risk assessment documentation, confirming the yearly format of assessments, identifying threats and commitment modifications, formal risk assessment, and considering the impact of fraud on objectives. The company establishes a documented risk management program that provides instructions for identifying potential threats, evaluating the significance of risks linked to those threats, and developing strategies to mitigate those risks. CC3.3.2 Examine the risk management program to ensure it offers guidance for identifying potential threats and suggesting strategies to mitigate these threats. CC3.0 Risk Assessment
  • 13. www.infosectrain.com CC3.4: Identifying Changes Control Activity Specified by Organization Control COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control. Test Applied by Auditor Test Results Each year, the company conducts a formal risk assessment exercise in accordance with the Risk Assessment and Management Policy. The goal is to identify potential threats that could compromise the security commitments and requirements of the systems. CC3.4.1 Review the records of the annual formal risk assessment exercise and examine the Assessment and Management Policy. The company implements a configuration management procedure to ensure consistent deployment of system configurations throughout the environment. CC3.4.2 Evaluate the company's configuration management procedure to validate its implementation, ensuring the constant deployment of system configurations across the entirety of the environment. The firm evaluates risks and scores based on their likelihood and potential impact on platform security, availability, and confidentiality. They are then linked to mitigating factors, wholly or partially addressing the risks. CC3.4.3 Examine risk mitigating factors related to risk evaluation The company conducts penetration testing, develops a remediation plan, and implements changes to address vulnerabilities by SLAs. CC3.4.4 Examine the company's penetration testing, verifying its annual execution. CC3.0 Risk Assessment
  • 14. www.infosectrain.com CC4.0 Monitoring Activities CC4.1: Continuous Evaluation Control Activity Specified by Organization Control COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Test Applied by Auditor Test Results The senior management of the firm designates an Information Security Officer tasked with planning, evaluating, implementing, and overseeing the internal control environment. CC4.1.1 Examine the coordination of planning, assessment, and implementation within the internal control environment. The organization designates an Infrastructure owner responsible for all assets listed in the inventory. CC4.1.2 Examine the Infra Operations Person document, confirming their responsibility for overseeing all holdings within the inventory. The organization utilizes Sprinto, a continuous monitoring system, to track and report the information security program's status to the Information Security Officer and other stakeholders. CC4.1.3 Examine the ongoing monitoring and reporting activities of the Sprinto tool, which ensures the health of the information security program is communicated to the Information Security Officer and other stakeholders. The senior management of the entity annually reviews and grants approval for all company policies. CC4.1.4 Examine the yearly company policy, which has undergone review and received approval from Senior Management. The firm conducts regular reviews and assessments of all subservice organizations to verify their ability to fulfill customer commitments. CC4.1.5 Examine the subservice organizations outlined in the system and note that they have undergone review and evaluation by the firm. CC4.0 Monitoring Activities
  • 15. www.infosectrain.com CC4.2: Reporting of Control Deficiencies Control Activity Specified by Organization Control COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Test Applied by Auditor Test Results The company conducts annual control self-assessments to ensure controls' presence and effective functioning, followed by appropriate corrective actions in response to identified findings. CC4.2.1 Examine the Secureframe platform to verify recent policy reviews and publications. Additionally, examine the Information Security Policy to confirm its annual review and updates, reinforcing security control effectiveness. The company informs employees through the Information Security Policy about how to report problems, failures, incidents, or concerns related to the services or systems they provide. CC4.2.2 Examine Information Security Policy to ensure employees understand how to report system problems. The entity utilizes Sprinto, a continuous monitoring system, to monitor and provide updates to the information security officer and other relevant stakeholders about the status of the information security program. CC4.2.3 Examine the sprinto system and ensure it constantly tracks, monitors, and reports the information security program's position to the security officer and stakeholders. Every year, Senior Management of the firm evaluates and approves all corporate policies. CC4.2.4 Examine the firm policies and ensure that Senior Management has examined and supported them. Each year, senior management of the entity evaluates and approves the program's status for information security. CC4.2.5 Examine the report on the internal audit assessment and ensure that Senior Management has examined and given their approval. CC4.0 Monitoring Activities
  • 16. www.infosectrain.com CC5.0 Control Activities CC5.1: Risk Mitigating Control Activity Specified by Organization Control COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Test Applied by Auditor Test Results The firm establishes a set of guidelines that outline acceptable behavior about the firm's regulatory framework. CC5.1.1 Examine the policies for the control environment. The firm possesses a well-defined Acceptable Usage Policy accessible to all employees through the firm's intranet. CC5.1.2 Examine the Acceptable Usage Policy and ensure it is accessible to all employees via the company's intranet. Senior Management of the firm separates Roles and Responsibilities to reduce risks to the services offered to its clients. CC5.1.3 Examine and ensure that the firm's senior management has separate Roles and Responsibilities to minimize risks to the services provided to its clients. The company maintains a documented risk management program outlining procedures for identifying potential threats, assessing their significance, and implementing mitigation strategies for associated risks. CC5.1.4 Examine the risk management program to verify its provision of guidance in identifying potential hazards, evaluating risk significance, and formulating mitigation strategies. CC5.0 Control Activities
  • 17. www.infosectrain.com CC5.2: Establishment of Technology Control Activities Control Activity Specified by Organization Control COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives. Test Applied by Auditor Test Results The firm employs Sprinto, a continuous monitoring system, to track and report to the information security officer and other stakeholders on the state of the information security program. CC5.2.1 Examine the ongoing monitoring capabilities of the Sprinto software, which tracks, records, and updates the information security officer and stakeholders on the program's status. Each year, senior management of the firm evaluates and approves the program's status for information security. CC5.2.2 Examine the internal audit assessment report and ensure it subsequently receives examination and approval from Senior Management. The structure of operations for all personnel is reviewed and approved annually by the firm's Senior Management. CC5.2.3 Examine the organizational staff chart and ensure it is subsequently examined and approved by Senior Management. Every subservice firm is routinely reviewed and evaluated by the firm to make sure obligations to the firm's clients can be maintained. CC5.2.4 Examine that the system's subservice organizations undergo regular reviews and evaluations. The organization establishes policies detailing acceptable behavior concerning the company's control environment. CC5.2.5 Examine the guidelines for the control environment. CC5.0 Control Activities
  • 18. www.infosectrain.com CC5.3: Implementing Control Policies Control Activity Specified by Organization Control COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. Test Applied by Auditor Test Results The organization provides all employees access to policies and procedures through the corporate intranet. CC5.3.1 Examine the company's policies and practices and ensure they are accessible to all employees through the corporate intranet. Every year, the organization mandates that all employees review and acknowledge the company's policies. CC5.3.2 Examine the company's policies and ensure that every employee has reviewed and approved them. During onboarding, new employees must read and acknowledge the company's policies, ensuring their awareness and preparedness to meet their obligations. CC5.3.3 Examine the duties assigned to new employees in the system and ensure each employee has reviewed and approved them. The organization creates a set of policies that outline acceptable conduct about the control environment at the organization. CC5.3.4 Examine system policies related to the control environment. The organization defines its objectives to simplify the identification and assessment of risks associated with them. CC5.3.5 Examine the Risk Assessment and Treatment Policy to ensure that risk categories have been specified to aid in identifying and evaluating risk related to objectives. CC5.0 Control Activities
  • 19. www.infosectrain.com Found this useful? To Get More Insights Through our FREE Course | Workshops | eBooks | White Paper Checklists | Mock Tests Press the Icon &