SOC 2 Checklist

CHECK LIST

SOC 2 (System and Organization Controls) Type 2 Checklist, Part 1

www.infosectrain.com
CC1.0 Control Environment
CC1.1: Demonstrates Commitment to Integrity & Ethical Values
COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results (column is empty in this template)

CC1.1.1
Control activity: Contractor agreements must include a Code of Business Conduct and a reference to the corporate Code of Conduct, and both must be posted on the corporate intranet for all employees to access.
Test applied by auditor: Examine the Code of Business Conduct and ensure that it is accessible via the corporate intranet.

CC1.1.2
Control activity: At the time of hire, the corporation requires new hires to acknowledge a code of conduct. Disciplinary action is taken against employees who break the code of conduct, in accordance with the policy.
Test applied by auditor: Examine the code of conduct and ensure that there are documented enforcement processes that include disciplinary action.

CC1.1.3
Control activity: The business mandates that prospective hires undergo background checks.
Test applied by auditor: Examine the background-check records and verify that the documented information on each hire is complete and accurate.

CC1.1.4
Control activity: At the time of hiring, the business requires employees and contractors to sign a confidentiality agreement.
Test applied by auditor: Examine and ensure that employees and contractors sign a confidentiality agreement at the time of engagement.

CC1.1.5
Control activity: Performance reviews for direct reports must be completed by firm management at least once a year.
Test applied by auditor: Examine and ensure that the company performs performance evaluations for all employees annually.


CC1.2: Exercises Oversight Responsibility
COSO Principle 2: The board of directors demonstrates independence from management &
exercises oversight of the development and performance of internal control.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC1.2.1
Control activity: All corporate policies are reviewed and approved yearly by the firm's board of directors, a pertinent board subcommittee, or senior management.
Test applied by auditor: Examine the corporate policies and ensure that they have undergone annual review and approval by the board, its subcommittee, or senior management.

CC1.2.2
Control activity: The organisation's board members are qualified to oversee management's capacity to design, implement, and operate information security controls.
Test applied by auditor: Examine and ensure that the information security controls have been designed, implemented, reviewed, and approved by the proper authorities.

CC1.2.3
Control activity: The board of directors holds formal meetings at least once a year and keeps minutes of those meetings. Directors who are not affiliated with the company (independent directors) sit on the board.
Test applied by auditor: Examine the board meeting minutes and ensure that meetings were held at least once a year, that proper minutes were taken, and that independent directors were present.

CC1.2.4
Control activity: The organisational chart for all personnel is reviewed and approved annually by the entity's senior management.
Test applied by auditor: Examine the organisational chart and ensure that it has undergone annual review and senior management approval.

CC1.2.5
Control activity: The organisation's management demonstrates a commitment to integrity and ethical behaviour.
Test applied by auditor: Examine the ethics management documentation and ensure that company management demonstrates a commitment to integrity and ethical values.


CC1.3: Establishes Structure, Authority, and Responsibility
COSO Principle 3: Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC1.3.1
Control activity: To oversee the development and application of information security controls, firm management has established clear roles and responsibilities.
Test applied by auditor: Examine and ensure that management has defined clear roles and responsibilities for overseeing the development and application of information security controls.

CC1.3.2
Control activity: The board of directors has a written charter outlining its internal control monitoring obligations.
Test applied by auditor: Examine the board charter (or bylaws) and ensure that the board's internal control monitoring roles and responsibilities are outlined there.

CC1.3.3
Control activity: The business maintains an organisational chart that details the hierarchy and reporting structure.
Test applied by auditor: Examine the most recent organisation chart and ensure that it accurately reflects the hierarchy and reporting structure.

CC1.3.4
Control activity: The business maintains job descriptions for client-facing IT and engineering positions so that employees understand the duties of their role.
Test applied by auditor: Examine the job descriptions for these positions and ensure that they define the duties and expectations of each role.

CC1.3.5
Control activity: The Roles and Responsibilities policy formally allocates roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls.
Test applied by auditor: Examine the Roles and Responsibilities policy and ensure that it allocates responsibility for the design, development, implementation, operation, maintenance, and monitoring of information security controls.


CC1.4: Demonstrates Commitment to Competence
COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC1.4.1
Control activity: The business ensures that new personnel have undergone a thorough evaluation of their ability to perform the duties of their position.
Test applied by auditor: Examine the competence assessment records for new hires.

CC1.4.2
Control activity: The business runs background checks on new hires.
Test applied by auditor: Examine the onboarding process and ensure that new hires' backgrounds are checked.

CC1.4.3
Control activity: Performance reviews for direct reports must be completed by firm management at least once a year.
Test applied by auditor: Examine the performance review policy and evaluation records to confirm that annual performance evaluations are carried out.

CC1.4.4
Control activity: The Roles and Responsibilities policy formally allocates roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls.
Test applied by auditor: Examine the Roles and Responsibilities policy and ensure that it allocates responsibility for the design, development, implementation, operation, maintenance, and monitoring of information security controls.

CC1.4.5
Control activity: Employees must complete security awareness training within 30 days of hire and at least once a year thereafter.
Test applied by auditor: Examine the Information Security Policy and training records and ensure that employees complete security training within 30 days of hire and annually thereafter.


CC1.5: Enforces Accountability
COSO Principle 5: The entity holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC1.5.1
Control activity: All personnel in client-facing, IT, engineering, and information security roles undergo quarterly evaluations of their job responsibilities.
Test applied by auditor: Examine the evaluation records and ensure that job responsibilities are evaluated on the quarterly schedule the control specifies.

CC1.5.2
Control activity: At the time of hire, the corporation requires new hires to acknowledge a code of conduct. Disciplinary action is taken against employees who break the code of conduct, in accordance with the policy.
Test applied by auditor: Examine the code of conduct and ensure that there are documented enforcement processes that include disciplinary action.

CC1.5.3
Control activity: The business has implemented information security awareness training and makes the training resources accessible to all employees via the firm intranet.
Test applied by auditor: Examine the security awareness training materials and ensure that all employees can access them via the business intranet.

CC1.5.4
Control activity: The organisation mandates that all staff members complete information security awareness training upon hire and once a year thereafter.
Test applied by auditor: Examine the information security awareness training records.

CC1.5.5
Control activity: Every year, the business mandates that all employees review and acknowledge the company's policies.
Test applied by auditor: Examine the policy acknowledgment records and ensure that all employees have read and agreed to the policies.


CC2.0 Communication and Information
CC2.1: Quality Information
COSO Principle 13: The entity obtains or generates and uses relevant, quality information
to support the functioning of internal control.
Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC2.1.1
Control activity: Information generated by the organization's systems is assessed and analysed to identify its effect on the operation of internal controls.
Test applied by auditor: Examine the operation of internal controls and ensure that system-generated information has been reviewed and evaluated.

CC2.1.2
Control activity: The corporation conducts annual control self-assessments to confirm that controls are present and operating effectively, and implements corrective actions based on the findings.
Test applied by auditor: Examine the annual control self-assessments to ensure that key controls are reviewed yearly for presence and operating effectiveness, and verify that corrective actions were taken for identified findings.

CC2.1.3
Control activity: The organization employs a log management tool to identify events that could compromise its ability to meet its security objectives.
Test applied by auditor: Examine the log management tool's configuration and alerts and ensure that it identifies events that could affect security objectives.

CC2.1.4
Control activity: To ensure customer accessibility, the corporation prominently presents up-to-date information about its services on its website.
Test applied by auditor: Examine the website and confirm that current information about the corporation's services is presented and accessible to customers.

CC2.1.5
Control activity: The corporation conducts host-based vulnerability scans of its external-facing systems quarterly. Critical and high vulnerabilities identified by these scans are tracked and promptly remediated.
Test applied by auditor: Examine the quarterly host-based scan reports, confirm that critical and high vulnerabilities are identified, and verify that they are tracked and remediated.


CC2.2: Internal Communication for Effective Control
COSO Principle 14: The entity internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal control.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC2.2.1
Control activity: The Code of Business Conduct established by the company contains guidelines for appropriate conduct. All employees have access to the code via the company intranet, so that everyone knows its ethical guidelines.
Test applied by auditor: Examine the behavioural standards set out in the Code of Business Conduct and verify their accessibility to all staff through the company intranet.

CC2.2.2
Control activity: Management has established specific roles and responsibilities to ensure that information security controls are designed and implemented.
Test applied by auditor: Examine the security policies and ensure that management has designated roles and responsibilities for supervising the design and implementation of information security controls.

CC2.2.3
Control activity: The organization provides comprehensive descriptions of its products and services for internal employees and for external users such as customers, partners, and stakeholders, so that each audience understands what the company offers and how it meets their needs.
Test applied by auditor: Review the product and service descriptions and ensure that they are clear and aligned with the needs of internal and external users.

CC2.2.4
Control activity: The firm maintains documented information security policies and procedures that are reviewed annually to ensure their continued relevance and effectiveness in safeguarding sensitive information and assets.
Test applied by auditor: Examine the information security policies and procedures, confirming that they are documented, reviewed yearly, and acknowledged by new employees.

CC2.2.5
Control activity: The company ensures that authorized internal users are promptly informed of system changes.
Test applied by auditor: Examine internal communication practices and ensure that authorized internal users are informed of system changes.


CC2.3: Communication with External Parties
COSO Principle 15: The entity communicates with external parties regarding matters affecting
the functioning of internal control.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC2.3.1
Control activity: The firm operates an external-facing support system through which users can report system failures, incidents, concerns, and other complaints to the relevant personnel.
Test applied by auditor: Examine the company website and ensure that a support email is available for users to report system issues and that reports are routed to the right personnel.

CC2.3.2
Control activity: The company informs customers of its security commitments through Master Service Agreements (MSA) or Terms of Service (TOS).
Test applied by auditor: Examine the Master Service Agreement or Terms of Service to ensure that customers are informed of the company's commitments.

CC2.3.3
Control activity: The company establishes contractual agreements with vendors and affiliated third parties that incorporate the confidentiality and privacy commitments relevant to the firm.
Test applied by auditor: Examine a sample of signed Non-Disclosure Agreements to verify that confidentiality and privacy commitments are in place with contractors and third parties.

CC2.3.4
Control activity: The company comprehensively describes its products and services to its internal and external users.
Test applied by auditor: Examine the company website and verify the presence of a product description intended for both internal and external users.

CC2.3.5
Control activity: The company informs customers of significant system changes that could affect their processing operations.
Test applied by auditor: Examine the company website and ensure that customers are informed of significant system changes that could affect their processing activities.


CC3.0 Risk Assessment
CC3.1: Specification of Objectives
COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives.
Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC3.1.1
Control activity: The company maintains a documented risk management program that guides the identification of potential threats, the assessment of the significance of associated risks, and the definition of mitigation strategies.
Test applied by auditor: Examine the Risk Assessment Policy for documented steps for identifying and managing risks, and observe in Secureframe a maintained list of risks with assigned ratings and tracked improvement actions.

CC3.1.2
Control activity: The company performs annual risk assessments that identify threats and changes to service commitments and evaluate risks, including the potential for fraud and its impact on objectives.
Test applied by auditor: Examine the records of the annual formal risk assessment exercise.

CC3.1.3
Control activity: The company has an established vendor management program comprising an inventory of critical third-party vendors, vendor security and privacy requirements, and annual reviews of critical third-party vendors.
Test applied by auditor: Examine in Secureframe the vendor list with ratings and security and privacy reviews; also examine the Vendor Management Policy covering contract reviews, annual assessments, risk evaluation, and due diligence procedures.

CC3.1.4
Control activity: The company maintains a documented Business Continuity/Disaster Recovery (BC/DR) plan and tests the plan's effectiveness annually.
Test applied by auditor: Examine the BC/DR plan to ensure its presence, approval, and yearly testing.


CC3.2: Risk Identification and Analysis
COSO Principle 7: The entity identifies risks to the achievement of its objectives across the
entity and analyzes risks as a basis for determining how the risks should be managed.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC3.2.1
Control activity: The firm performs an annual formal risk assessment, as set out in the Risk Assessment and Management Policy, to identify potential threats that could affect the security commitments and requirements of its systems.
Test applied by auditor: Examine the records documenting the annual formal risk assessment exercise.

CC3.2.2
Control activity: Each risk is assessed and given a risk score based on its likelihood of occurrence and its impact on the security, availability, and confidentiality of the company's platform. Risks are then associated with mitigating factors that address the relevant aspects of the risk.
Test applied by auditor: Examine how each risk is scored for likelihood and impact on platform security, availability, and confidentiality, and ensure that risks are linked to actions that reduce their effect.

CC3.2.3
Control activity: During onboarding, the firm requires new staff members to review and acknowledge company policies, ensuring that they understand their responsibilities and commit to compliance.
Test applied by auditor: Examine the company's policy acknowledgment records and confirm that new staff members have reviewed and acknowledged the policies.

CC3.2.4
Control activity: The organization maintains a documented risk management program that includes instructions for identifying potential threats, assessing the significance of the related risks, and formulating strategies to mitigate them.
Test applied by auditor: Examine the Risk Assessment and Treatment Policy for documented risk management processes, and verify in Secureframe that a risk register is maintained with identified vulnerabilities, severity ratings, and tracked remediation actions.

CC3.2.5
Control activity: The company implements a vendor management program that includes maintaining a list of critical third-party vendors, setting security and privacy requirements for vendors, and performing annual reviews of these vendors.
Test applied by auditor: Examine the vendor management program to ensure that it has a process for documenting and overseeing vendor relationships.


CC3.3: Fraud Consideration in Risk Assessment
COSO Principle 8: The entity considers the potential for fraud in assessing risks to the
achievement of objectives.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC3.3.1
Control activity: The company performs annual risk assessments that identify threats and changes to service commitments, apply a formal risk assessment, and consider the potential impact of fraud on objectives.
Test applied by auditor: Examine the risk assessment documentation, confirming that assessments are performed yearly, identify threats and changes to commitments, follow a formal risk assessment, and consider the impact of fraud on objectives.

CC3.3.2
Control activity: The company maintains a documented risk management program that provides instructions for identifying potential threats, evaluating the significance of the risks linked to those threats, and developing strategies to mitigate them.
Test applied by auditor: Examine the risk management program to ensure that it provides guidance for identifying potential threats and defines strategies to mitigate them.


CC3.4: Identifying Changes
COSO Principle 9: The entity identifies and assesses changes that could significantly
impact the system of internal control.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC3.4.1
Control activity: Each year, the company conducts a formal risk assessment exercise in accordance with the Risk Assessment and Management Policy. Its goal is to identify potential threats that could compromise the security commitments and requirements of the systems.
Test applied by auditor: Review the records of the annual formal risk assessment exercise and examine the Risk Assessment and Management Policy.

CC3.4.2
Control activity: The company implements a configuration management procedure to ensure that system configurations are deployed consistently throughout the environment.
Test applied by auditor: Evaluate the configuration management procedure to validate its implementation and confirm that system configurations are deployed consistently across the entire environment.

CC3.4.3
Control activity: The firm evaluates and scores risks based on their likelihood and potential impact on platform security, availability, and confidentiality. Risks are then linked to mitigating factors that wholly or partially address them.
Test applied by auditor: Examine the risk register and ensure that each risk carries a likelihood and impact score and is linked to mitigating factors.

CC3.4.4
Control activity: The company conducts penetration testing, develops a remediation plan, and implements changes to address identified vulnerabilities within the agreed SLAs.
Test applied by auditor: Examine the penetration test reports and remediation plans, verifying that testing is performed annually and that findings are addressed within SLA.
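The auditor tests for CC2.1.5 (quarterly host-based scans, with critical and high findings tracked to remediation) and CC3.4.4 (penetration test findings fixed within SLA) reduce to two evidence checks: were scans performed at the required cadence throughout the audit period, and was every critical or high finding closed within its SLA. The Python below is an added example of how an engineer could run those two checks over exported scan and pentest findings ahead of the audit; it is not part of the checklist or any vendor's tooling. The SLA values (15 days for critical, 30 for high), the 95-day cadence tolerance, and every scan date and finding are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation SLAs in days by severity. Assumed values for this example;
# the checklist does not state the firm's actual SLAs.
SLA_DAYS = {"critical": 15, "high": 30}

# Longest tolerated gap between consecutive quarterly scans (assumed:
# one quarter plus a few days of scheduling slack).
MAX_SCAN_GAP_DAYS = 95


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    severity: str            # "critical", "high", "medium" or "low"
    first_seen: date         # date a scan or pentest first reported it
    closed: Optional[date]   # date remediation was verified; None if open


def check_scan_cadence(scan_dates: List[date], period_start: date,
                       period_end: date, max_gap: int = MAX_SCAN_GAP_DAYS) -> List[str]:
    """Return exception strings for the quarterly scan cadence.

    The audit period must be covered from its start, consecutive scans must
    be no more than max_gap days apart, and the last scan must be within
    max_gap days of the period end. An empty list means no exceptions."""
    dates = sorted(d for d in scan_dates if period_start <= d <= period_end)
    if not dates:
        return [f"no scans in audit period {period_start}..{period_end}"]
    checkpoints = [period_start] + dates + [period_end]
    exceptions = []
    for earlier, later in zip(checkpoints, checkpoints[1:]):
        gap = (later - earlier).days
        if gap > max_gap:
            exceptions.append(f"gap of {gap} days between {earlier} and {later}")
    return exceptions


def check_remediation_sla(findings: List[Finding], as_of: date,
                          sla_days=SLA_DAYS) -> Tuple[List[str], List[str]]:
    """Split critical/high findings into (in_sla, breached) id lists.

    A finding is in SLA if it was closed on or before its deadline, or is
    still open but the deadline has not passed as of `as_of`. Severities
    without an SLA entry are outside the scope of the control and skipped."""
    in_sla, breached = [], []
    for f in findings:
        if f.severity not in sla_days:
            continue
        deadline = f.first_seen + timedelta(days=sla_days[f.severity])
        resolved_by = f.closed if f.closed is not None else as_of
        (in_sla if resolved_by <= deadline else breached).append(f.finding_id)
    return in_sla, breached


# Constructed sample evidence for a one-year audit period (not real data).
AUDIT_START = date(2023, 1, 1)
AUDIT_END = date(2023, 12, 31)
AS_OF = date(2024, 1, 10)

# Four scans, but the third quarter's scan slipped into November.
SCAN_DATES = [date(2023, 1, 20), date(2023, 4, 18),
              date(2023, 7, 12), date(2023, 11, 2)]

FINDINGS = [
    Finding("F-1", "web-01", "critical", date(2023, 4, 18), date(2023, 4, 28)),
    Finding("F-2", "web-01", "high",     date(2023, 4, 18), date(2023, 6, 1)),
    Finding("F-3", "api-02", "critical", date(2023, 11, 2), None),
    Finding("F-4", "api-02", "high",     date(2023, 12, 20), None),  # pentest finding
    Finding("F-5", "vpn-01", "medium",   date(2023, 7, 12), None),   # out of scope
]


def audit_summary() -> dict:
    """Run both checks and return the results an auditor would ask for."""
    in_sla, breached = check_remediation_sla(FINDINGS, AS_OF)
    return {
        "cadence_exceptions": check_scan_cadence(SCAN_DATES, AUDIT_START, AUDIT_END),
        "in_sla": in_sla,
        "sla_breaches": breached,
    }


if __name__ == "__main__":
    for key, value in audit_summary().items():
        print(f"{key}: {value}")
```

Running it reports one cadence exception (113 days between the July and November scans) and two SLA breaches: F-2 was closed 44 days after being found against a 30-day SLA, and F-3 is still open well past its 15-day deadline. F-4 is open but still inside its window, which is the distinction an auditor will ask about when sampling open findings.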


CC4.0 Monitoring Activities
CC4.1: Continuous Evaluation
COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate
evaluations to ascertain whether the components of internal control are present and functioning.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC4.1.1
Control activity: Senior management designates an Information Security Officer responsible for planning, evaluating, implementing, and overseeing the internal control environment.
Test applied by auditor: Examine the designation of the Information Security Officer and how planning, assessment, and implementation are coordinated within the internal control environment.

CC4.1.2
Control activity: The organization designates an infrastructure owner responsible for all assets listed in the inventory.
Test applied by auditor: Examine the infrastructure owner designation (the Infra Operations role document) and confirm responsibility for all assets within the inventory.

CC4.1.3
Control activity: The organization uses Sprinto, a continuous monitoring system, to track and report the status of the information security program to the Information Security Officer and other stakeholders.
Test applied by auditor: Examine the ongoing monitoring and reporting activity of the Sprinto tool and ensure that the health of the information security program is communicated to the Information Security Officer and other stakeholders.

CC4.1.4
Control activity: Senior management annually reviews and approves all company policies.
Test applied by auditor: Examine the company policies and confirm that they have undergone annual review and approval by senior management.

CC4.1.5
Control activity: The firm conducts regular reviews and assessments of all subservice organizations to verify their ability to fulfil customer commitments.
Test applied by auditor: Examine the subservice organizations outlined in the system description and note that they have been reviewed and evaluated by the firm.


CC4.2: Reporting of Control Deficiencies
COSO Principle 17: The entity evaluates and communicates internal control deficiencies in
a timely manner to those parties responsible for taking corrective action, including senior
management and the board of directors, as appropriate.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC4.2.1
Control activity: The company conducts annual control self-assessments to ensure that controls are present and functioning effectively, followed by corrective actions in response to identified findings.
Test applied by auditor: Examine the Secureframe platform for the self-assessment records and recent policy reviews and publications. Additionally, examine the Information Security Policy to confirm its annual review and updates.

CC4.2.2
Control activity: Through the Information Security Policy, the company informs employees how to report problems, failures, incidents, or concerns related to the services or systems they operate.
Test applied by auditor: Examine the Information Security Policy to ensure that employees are told how to report system problems.

CC4.2.3
Control activity: The entity uses Sprinto, a continuous monitoring system, to monitor and report the status of the information security program to the Information Security Officer and other relevant stakeholders.
Test applied by auditor: Examine the Sprinto system and ensure that it continuously tracks, monitors, and reports the status of the information security program to the security officer and stakeholders.

CC4.2.4
Control activity: Every year, senior management evaluates and approves all corporate policies.
Test applied by auditor: Examine the firm policies and ensure that senior management has reviewed and approved them.

CC4.2.5
Control activity: Each year, senior management reviews and approves the status of the information security program.
Test applied by auditor: Examine the internal audit assessment report and ensure that senior management has reviewed and approved it.


CC5.0 Control Activities
CC5.1: Risk Mitigating
COSO Principle 10: The entity selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC5.1.1
Control activity: The firm establishes a set of policies that define acceptable behaviour within the firm's control environment.
Test applied by auditor: Examine the policies governing the control environment.

CC5.1.2
Control activity: The firm has a well-defined Acceptable Usage Policy that is accessible to all employees through the firm's intranet.
Test applied by auditor: Examine the Acceptable Usage Policy and ensure that it is accessible to all employees via the company intranet.

CC5.1.3
Control activity: Senior management segregates roles and responsibilities (separation of duties) to reduce risks to the services offered to clients.
Test applied by auditor: Examine and ensure that roles and responsibilities are segregated in a way that minimises risk to the services provided to clients.

CC5.1.4
Control activity: The company maintains a documented risk management program that sets out procedures for identifying potential threats, assessing their significance, and implementing mitigation strategies for the associated risks.
Test applied by auditor: Examine the risk management program to verify that it provides guidance for identifying potential threats, evaluating risk significance, and formulating mitigation strategies.


CC5.2: Establishment of Technology Control Activities
COSO Principle 11: The entity also selects and develops general control activities over
technology to support the achievement of objectives.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC5.2.1
Control activity: The firm uses Sprinto, a continuous monitoring system, to track and report the state of the information security program to the Information Security Officer and other stakeholders.
Test applied by auditor: Examine the ongoing monitoring capabilities of the Sprinto software and ensure that it tracks, records, and reports the program's status to the Information Security Officer and stakeholders.

CC5.2.2
Control activity: Each year, senior management reviews and approves the status of the information security program.
Test applied by auditor: Examine the internal audit assessment report and ensure that it was subsequently reviewed and approved by senior management.

CC5.2.3
Control activity: The organisational structure for all personnel is reviewed and approved annually by senior management.
Test applied by auditor: Examine the organisational staff chart and ensure that it was reviewed and approved by senior management.

CC5.2.4
Control activity: Every subservice organization is routinely reviewed and evaluated by the firm to make sure that obligations to the firm's clients can be maintained.
Test applied by auditor: Examine the subservice organizations in the system description and confirm that they undergo regular review and evaluation.

CC5.2.5
Control activity: The organization establishes policies that define acceptable behaviour within the company's control environment.
Test applied by auditor: Examine the policies governing the control environment.


CC5.3: Implementing Control Policies
COSO Principle 12: The entity deploys control activities through policies that establish
what is expected and in procedures that put policies into action.

Control | Control Activity Specified by Organization | Test Applied by Auditor | Test Results

CC5.3.1
Control activity: The organization gives all employees access to policies and procedures through the corporate intranet.
Test applied by auditor: Examine the company's policies and procedures and ensure that they are accessible to all employees through the corporate intranet.

CC5.3.2
Control activity: Every year, the organization requires all employees to review and acknowledge the company's policies.
Test applied by auditor: Examine the policy acknowledgment records and ensure that every employee has reviewed and acknowledged the policies.

CC5.3.3
Control activity: During onboarding, new employees must read and acknowledge the company's policies so that they are aware of, and prepared to meet, their obligations.
Test applied by auditor: Examine the onboarding tasks assigned to new employees in the system and ensure that each employee has reviewed and acknowledged the policies.

CC5.3.4
Control activity: The organization maintains a set of policies that define acceptable conduct within its control environment.
Test applied by auditor: Examine the policies related to the control environment.

CC5.3.5
Control activity: The organization defines its objectives clearly enough to enable the identification and assessment of the risks associated with them.
Test applied by auditor: Examine the Risk Assessment and Treatment Policy to ensure that risk categories are specified to aid the identification and evaluation of risks related to objectives.
