Skip to main content
All CollectionsControl Library
SOC 2 Controls - Tips and Tricks
SOC 2 Controls - Tips and Tricks

This article provides guidance in response to common questions for a handful of SOC 2 controls

Michelle Strickler avatar
Written by Michelle Strickler
Updated over a week ago

The following list adds a bit of context to controls based on frequently asked questions.

API Access

Add the version of TLS used to the System Description.

Asset Decommission Checklist

This control refers to hardware assets such as end user devices and server hard drives.

Audit Trail

What is logged is determined by the organization. Logging can be used to address high-risk processes or to assist in meeting internal/external audit requirements.

Board Independence

This can be a gray area as some small companies more than likely do not have a Board of Directors or an independent board.

Business Continuity

In some organizations, the Business Continuity Plan will include a section on Disaster Recovery.

Change Management: Business Review

This control refers to system changes such as architecture, code, and process.

Cloud Change Monitoring

In AWS, this is CloudWatch.

Cloud Physical Key

This control refers to a physical key device such as a mobile phone or a keygen device.

Contracts

This can be a contract, statement of work, master services agreement, etc.

Service levels are only included in contractual documents when required.

Remove reference to privacy if not in scope.

Data Anonymization

This can include any information containing Personally Identifiable Information that is overwritten and deleted.

Data Classification Policy

This 'policy' can be a sub-section of the Information Security Policy.

Disaster Recovery Plan

In some organizations, the Disaster Recovery Plan will be included in the Business Continuity Plan.

Incidents External

Other means besides the support webpage are acceptable.

Internal Controls

This is the Strike Graph GRC platform.

Job Descriptions

If Privacy is also in scope, ensure privacy responsibilities are included.

Logical Access

Remove the reference to Role Based access if this is not used in your environment.

Office Access

For remotely run organizations, Physical Access Controls should be called out in the System Description as a 'control performed by others (for example, by AWS or Azure).

Password Requirements

If the Password setting requirements are outlined within a different Policy, then update the control language to reflect this.

Review Privileged Access

If this review is performed at the same frequency as the User Access Review control, then combine these two controls into one control.

Teleworking Policy

This may also be called a Work From Home Policy or a Remote Work Policy.

Termination of Access

Each organization should set an appropriate time limit based on its unique risk profile.

Questions?

Reach out through our chat feature for real-time Customer Success support 8 am - 5 pm PT Monday through Friday.

Did this answer your question?