Audit and Assurance


SOC II Compliance Program - Best Practice

  • 1.  SOC II Compliance Program - Best Practice

    Posted 30 Aug, 2019 11:49
    Hello My SOC II People,

    I am working to build a program around the Trust Service Principles and am curious as to what the wonderful ISACA community considers best practice when it comes to policy development.
    When developing (or updating, in my case) InfoSec policies, should the control statements that are meant to specifically cover TSP requirements exist within the policy? I don't mean the exact action; I mean more of a high-level description of the necessary controls.

    Keen to hear thoughts around this.

    Thanks

    ------------------------------
    Ryan Artz, CISA | CISM | CRISC
    Sr. Director, Information Compliance
    ------------------------------


  • 2.  RE: SOC II Compliance Program - Best Practice

    Posted 30 Aug, 2019 21:04
    Edited by Ryan Artz 30 Aug, 2019 21:04
    I actually found an answer myself within ISACA's documents.
    Got to love the detail that ISACA puts into control auditing.

    Under ISACA's SOC II User Guide, page 18, the principles are staged as follows:
    Policies -> Communication -> Procedures -> Monitoring

    From this, I would infer that it is best practice to incorporate control objectives into the policy, communicate the objectives, and then document a process for how it's managed.

    Check it out here:
    https://www.isaca.org/Groups/Professional-English/isae-3402/Documents/SOC2.pdf


    Hopefully this helps someone out somewhere.

    ------------------------------
    Ryan Artz, CISA | CISM | CRISC
    Sr. Director, Information Compliance
    ------------------------------



  • 3.  RE: SOC II Compliance Program - Best Practice

    Posted 31 Aug, 2019 06:21
    @Ryan Artz - I would hesitate to include specific control activities in policy documents, since control activities change and sometimes a control activity can satisfy multiple policies. Since control activities may change based on different organizational variables, I think it would be an unnecessary administrative headache to change the control activities in the policies every time a control changed.

    In my opinion, best practice suggests that policy documents should include the why, the what, and who owns the policy, and separate Standard Operating Procedure (SOP) documents would include the steps on how to satisfy the policy. Many times the SOP is included in the policy document; however, by having it separate, you don't have to update policy documents every time a step of the process changes. As a SOC 2 auditor, SOP documents are great to have for understanding specific control activities when performing an audit.

    In conclusion, I think it is fine to include the criteria language/control objective in the policy document, and the specific control activities should be in a separate SOP document.


    ------------------------------
    Troy Fine
    Manager
    Schneider Downs
    ------------------------------



  • 4.  RE: SOC II Compliance Program - Best Practice

    Posted 31 Aug, 2019 07:42
    Troy,

    I agree - and this is the conclusion I'm coming to.
    Respect the input, and much appreciated.

    Thanks,

    ------------------------------
    Ryan Artz, MS | CISA | CISM | CRISC
    Sr. Director, Information Compliance
    ------------------------------