Complementary Subservice Organization Controls

A step-by-step guide for completing the CSOC (Complementary Subservice Organization Controls) section of a System Description

Written by Jordan Bellman
Updated over a week ago

The following guidance is for organizations that use the ‘carve-out’ method to describe controls operated by subservice organizations. This method describes the controls that are necessary for the functioning of an organization's system, but are ‘outsourced’ to a subservice organization.

Some organizations choose to include the entirety of a subservice organization's people, process, and technology in their SOC 2 report; this is called the 'inclusive' method, and it’s not commonly used.

For more information on the carve-out and inclusive methods, refer to AICPA’s DC Section 200, “Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report.”

Step 1: Determine the criteria/controls that your organization ‘outsources’

  • Navigate to the Compliance Dashboard and select the SOC 2 framework. Expand the Security Trust Services Criteria (SOC2.CC). Expand the other Trust Services Criteria only if they are in scope for your organization, such as Privacy or Availability.

  • Scroll through the criteria 'branches’ and identify any criteria for which you rely on a provider to perform the control on your behalf. You are required to demonstrate that every criterion is met. For the most part, you will meet each criterion with a control that is performed entirely by your organization. In some scenarios, you may rely on a provider to perform the control.

    • Tip: When scrolling through, look for any criteria ‘branches’ that do not have an active control linked. This may indicate that, in order to demonstrate coverage of this criterion, your organization relies on an external provider (a subservice organization). The Strike Graph System Description template is pre-populated with a few examples that may apply to your organization.

    • Example: For organizations that operate in the cloud, CC.6.4 should be called out within the CSOC section, as the cloud provider performs physical access controls.

    • Example: For organizations that completely outsource their software development, criteria CC.8 should be called out within the CSOC section.

Step 2: Determine all Subservice Organizations that perform controls on your organization's behalf

Subservice organizations may perform controls that are necessary for the functioning of your in-scope system, but are not directly operated by your organization. Your organization may not have insight into the definition, operation, or management of these controls, but they are likely described in the subservice organization's own SOC 2 report.

'Outsourced’ controls will be presented within your System Description separately from the controls that your organization owns and operates. For example, as mentioned above, organizations that operate in the cloud typically rely on their cloud provider subservice organization (e.g. AWS, Azure, GCP) to perform the SOC 2 Common Criteria 6.4 physical-access controls. These controls are still considered in scope for your organization; they are simply performed by another entity.

For additional guidance on what is considered a subservice organization, refer to these Help Center resources:

Step 3: Fill out the Complementary Subservice Organization Controls table

  • Write a very brief description for each subservice organization that describes the role they play in your organization’s system. The example below includes a sentence about AWS' role. Examples can also look like the following:

    • Azure hosts our system. We utilize the following products within the Azure suite in the performance of our system: (list the relevant products used).

    • XYZ Managed Service Provider is utilized to perform monitoring and incident response activities.

  • Under the description, list the criteria reference and the control they perform on your behalf. You can find this information in the subservice organization's SOC 2 report (usually within Section III or Section IV).

    • List each control verbatim or summarize the control(s) as shown in the example below:

Feel free to reach out to the Strike Graph team via the chat feature if questions arise!
