Checks We Perform
Below is a list of all the checks we perform. Select one to view more information.
- All (21)
- Risk Mitigation (1)
- Logical and Physical Access Controls (3)
- Change Management (1)
- Other Criteria (5)
- Internal Control (9)
- System Operations (2)
Risk Mitigation
CC9.1 Were controls modified to address the changing risk landscape? (mitigating risks that lead to business disruption)
Description:
Detailed description coming soon.
Logical and Physical Access Controls
CC6.1 Does the report include testing of access controls beyond cloud infrastructure? (protection through logical access)
Description:
Detailed description coming soon.
Logical and Physical Access Controls
CC6.4 Are physical environments for critical roles and processes considered in the testing performed? (physical security controls)
Description:
Detailed description coming soon.
Change Management
CC8.1 Were change tickets compared against system changes to discover undocumented changes? (change management best practices)
Description:
Detailed description coming soon.
Other Criteria
P1.1 Were privacy principles evaluated beyond security principles? (what is the difference between privacy and security)
Description:
Detailed description coming soon.
Other Criteria
C1.2 Have client agreements been inspected and compared against data repositories to ensure data disposal procedures are followed? (how contractual obligations impact confidential information)
Description:
Detailed description coming soon.
Other Criteria
A1.2 Does the backup process cover all critical data supporting the system? (data backup processes)
Description:
Detailed description coming soon.
Other Criteria
PI1.3 Were custom control descriptions written to capture the unique service delivery controls of the organization? (what is a service delivery walkthrough)
Description:
Detailed description coming soon.
Internal Control
CC4.2 Have the ongoing processes for monitoring of operational effectiveness been tested? (who is monitoring internal control)
Description:
Detailed description coming soon.
Internal Control
CC3.2 Does the scope of the risk assessment include risks across the organization beyond IT threats? (what types of risks does your organization face)
Description:
Detailed description coming soon.
Internal Control
CC1.2 Have board members been interviewed to emphasize their cybersecurity and compliance obligations? (SOC 2 Academy: A Board’s Independence from Management)
Description:
Detailed description coming soon.
Internal Control
CC2.2 Has a sample of employees been interviewed to ensure they understand and acknowledge their internal control responsibilities? (communicating with internal parties)
Description:
Detailed description coming soon.
Internal Control
CC2.3 Do client agreements and shared responsibility models communicate the client’s role in maintaining internal control? (communicating with external parties)
Description:
Detailed description coming soon.
Internal Control
1.1 Does the scope of the SOC 2 report include the people, processes, and systems necessary for the proper functioning of internal control? (The importance of scope)
Description:
Detailed description coming soon.
Internal Control
1.2 Did testing procedures include observations and sampling beyond interviews? (Why demonstration is necessary to quality audits)
Description:
Detailed description coming soon.
Internal Control
1.3 Were custom control descriptions created by the service organization to reflect the unique nature of their environment? (quality reports delivered by professional writers)
Description:
Detailed description coming soon.
Internal Control
1.4 Is the audit firm qualified to perform the engagement (i.e., skills, experience, compliance)? (choosing the right audit firm)
Description:
Detailed description coming soon.
System Operations
CC7.2 Has vulnerability management been integrated with the build pipeline? (performing code review prior to release)
Description:
Detailed description coming soon.
System Operations
CC7.4 Was a sample of incidents inspected to evaluate the incident response process? (incident response best practices)