
Actively monitoring your compliance program

Why actively monitoring your compliance program is essential

Written by Stephanie Lorraine
Updated over a year ago

SOC 2’s monitoring requirement

The SOC 2 assessment is an examination of how your organization meets specific criteria. Your organization demonstrates how it adheres to the framework by aligning these criteria with your organization's unique controls. For example, if a criterion states, “The entity identifies, develops, and implements activities to recover from identified security incidents,” you can demonstrate coverage by implementing a control related to your incident response plan.

Common Criteria (CC) 4.1 and 4.2 cover the active and ongoing monitoring of your information security program:

CC 4.1: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

In plain English: You have a process in place to ensure all of your IT controls are doing what they are supposed to, when they are supposed to. You demonstrate this either through periodic audits performed by a group OTHER than your SOC 2 auditor (like internal auditors) or you continuously monitor them.

CC 4.2: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

In plain English: You have a process for letting your leadership know that your controls are working as intended and to inform them when any aren't.

Many interpret CC 4.1 as ensuring that monitoring-type controls, such as vulnerability scans and penetration tests, are in place. Many will only call out these controls to demonstrate CC 4.1 and CC 4.2. However, these two criteria are really about ensuring that you are performing IT security oversight. CC 4.2 takes it one step further by asking you to demonstrate how you keep your leadership group informed about overall control status.

How to monitor your IT compliance program using Strike Graph

Strike Graph is a monitoring tool that offers you visibility into your organization’s IT compliance program. If you are new to the concept of monitoring your controls, we suggest that you start by implementing and performing the following control.

Monitoring activities that can be performed using Strike Graph may include:

  • Decide on a follow-up frequency that makes sense for your organization, and review any evidence items with a “Needs Attention” status at that cadence.

  • Address any auditor recommendations from your previous audit.

  • Have a penetration test performed and/or run frequent vulnerability scans.

  • Document a process for control owners to monitor controls for “deficiencies,” document deficiencies in a corrective action plan, and communicate them to management for review.

  • Review risks with a High score. If any rely on only one mitigating control, dive into that control’s evidence to ensure that the control is operating correctly. If the control is not working, the risk is not appropriately mitigated!

  • Select and review a sample of As Needed, Monthly, and Quarterly controls that are performed by a human. Does the attached evidence prove that step in the process was carried out?

How monitoring compliance efforts impacts your audit

By implementing IT control monitoring practices throughout the year, you will be able to confidently address the following:

  • Complete security questionnaires knowing that the controls used to support your questionnaire responses are in place and functioning.

  • Sign contracts attesting that you’re in compliance.

  • Set yourself up for a smooth and simple audit preparation period by setting up evidence integrations.
