1. Company Background

This section provides an overview of the organization, including its mission, business objectives, and compliance commitments.

2. Description of Services

A clear outline of the services provided, how they function, and how they interact with customer data. This helps auditors and stakeholders understand the scope of the audit.

3. Principal Service Commitments and System Requirements

Details on security, availability, processing integrity, confidentiality, and privacy commitments made to customers. These are aligned with the Trust Services Criteria (TSC).

4. Components of the System

A breakdown of the fundamental elements that make up the organization’s system, including:

• Infrastructure: Physical and cloud-based systems, servers, and network components.
• Software: Applications, databases, and security tools in use.
• People: Roles and responsibilities of employees managing security and compliance.
• Data: Handling, storage, encryption, and processing of customer data.
• Processes and Procedures: Internal policies governing system security and compliance.
  
  

5. Security and Operational Controls

A critical aspect of the System Description, this section details the security measures in place to protect sensitive information:

• Physical Security: Access controls for data centres, office spaces, and restricted areas.
• Logical Access: Authentication mechanisms, role-based access controls (RBAC), and privileged access management.
• Computer Operations – Backups: Data backup strategies, disaster recovery plans, and retention policies.
• Computer Operations – Availability: Measures ensuring uptime and resilience, such as redundancy and failover mechanisms.
• Change Management: Processes for software updates, patches, and infrastructure changes.
• Data Communications: Secure transmission of data between systems, including encryption standards.
• Boundaries of the System: Defining the scope of services covered within SOC 2 compliance.

6. Control Environment & Risk Management

Organizations must demonstrate a strong control environment by detailing policies, governance structures, and risk assessment processes:

• Integrity and Ethical Values: Commitment to ethical business practices and compliance.
• Commitment to Competence: Employee training and certifications to maintain compliance standards.
• Management’s Philosophy and Operating Style: Leadership’s role in fostering a security-first culture.
• Organizational Structure and Assignment of Authority and Responsibility: Clear roles and accountability within the company.
• Human Resource Policies and Practices: Security awareness training and employee onboarding processes.
• Risk Assessment Process & Integration: Identifying, evaluating, and mitigating security risks proactively.

7. Information and Communication Systems

A well-defined communication and monitoring process ensures continuous improvement in security posture:

• Monitoring Controls: Tools and procedures for detecting security incidents and vulnerabilities.
• Ongoing Monitoring: Regular internal audits, security reviews, and risk assessments.
• Reporting Deficiencies: Mechanisms for logging, tracking, and resolving compliance gaps.
• Subservice Organizations: Evaluation of third-party vendors that impact compliance.
• Complementary User Entity Controls: Customer responsibilities for maintaining shared security.