Instructions

This is a unique IT audit work plan. Many small and medium-sized companies should find it helpful and easy to use. This work plan primarily audits against the SOC 2 Trust Services Criteria but also covers other security framework requirements by default, as there is substantial overlap among the major security frameworks (e.g., NIST 800-53, PCI DSS, ISO 27001, and the HIPAA Security Rule).

If you are looking at this document, you probably already know the reasons for performing an IT audit. If your organization seeks a specific certification or wants to see where you stand against industry-accepted security control requirements, this audit plan is for you.

Each control to be tested is shown and contains the following sections:
     • The control being tested;
     • A description of the control;
     • The test plan used by the auditor;
     • An area to record the test results;
     • A placeholder for conclusions and noted issues (i.e., exceptions); and
     • A section to record where evidence is maintained, including any document reviewed for the stated control.

Organization Overview and Management Control

 Control A.1 

The organization’s management team establishes, communicates, and regularly re-evaluates the organization’s tone, direction, and objectives.

 Related Frameworks/Compliance Standards:
SOC 2 – CC3.1, CC2.1, CC1.1

 Control Description:
Management uses various methods to communicate the organization’s objectives.

 Test Plan:
   1. Verify management has established a mission and values. 
   2. Verify management defines and communicates the organization’s goals and objectives to personnel.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control A.2 

The organization maintains an active board of directors, or equivalent, with the responsibility of oversight and management.

 Related Frameworks/Compliance Standards:
SOC 2 – CC4.2, CC4.1, CC2.2, CC1.5, CC1.2

 Control Description: The board maintains and seeks out relevant documentation of its responsibilities and activities (e.g., charters, expertise summaries, and meeting minutes) that demonstrates appropriate knowledge of its oversight role.

 Test Plan:
   1. Verify board membership is appropriate, that the board is independent, and that individual members are familiar with their responsibilities.
   2. Verify the board of directors consults with experts and appoints relevant sub-committees.
   3. Verify that management and leadership staff report to the board of directors and receive guidance on operational goals and objectives. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control A.3 

The organization’s operational structure, including crucial reporting lines and department responsibilities, is well-defined and documented.

 Related Frameworks/Compliance Standards:
SOC 2 – CC5.3, CC4.1, CC2.2, CC1.5, CC1.3

 Control Description:
Documentation of reporting lines and operational structures includes the following:
   – An organization chart that depicts vital functional areas,
   – Critical oversight roles within the organization, and
   – Standards used when assigning, distributing, and limiting authorities.

 Test Plan:
   1. Verify authority assignments are appropriate.
   2. Verify established reporting lines are appropriate for the organization’s operational structure. 
   3. Verify oversight responsibilities are assigned to appropriate authorities within the organization (e.g., an information security officer (ISO), department leaders, and management staff) and that those authorities know their duties.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control A.4

The organization’s management team designs, implements, and monitors the achievement of internal control programs.

 Related Frameworks/Compliance Standards:
SOC 2 – CC2.1, CC3.1, CC1.4, CC5.3, CC4.1, CC2.2, CC1.5

 Control Description:
The following are documented and implemented by management personnel:
   – Policy and procedure documents that govern:
        a. Internal quality and control enforcement,
        b. Monitoring of routine operations,
        c. Evaluation of the achievement of operational objectives, and
        d. Review and maintenance of policy and procedure documentation.
   – Role(s) responsible for overseeing and reporting on daily operations,
   – Role(s) responsible for maintaining policy and procedure documents, and
   – System(s) of record used to document control monitoring efforts.

 Test Plan:
   1. Verify management oversees routine operations to monitor quality and control objectives and to hold all personnel accountable.
   2. Verify management regularly reviews policy documents and approves any changes needed.
   3. Verify that the organization has established quality control monitoring to meet service delivery commitments.
   4. Verify policies and procedures are developed and approved by management.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Risk Assessment 

Control B.1

The organization has developed and maintains a risk management program to manage risk within acceptable levels.

 Related Frameworks/Compliance Standards:
SOC 2 – CC3.1, CC3.2, CC5.1, A1.2

 Control Description: The organization has a formal (documented and implemented) risk assessment program with an owner assigned to maintain and review the program to identify critical assets, threats, and vulnerabilities.

 Test Plan:
   1. Verify the client has a formally documented risk assessment in place.
   2. Verify a risk methodology is employed (e.g., ISO, NIST, or OCTAVE).
   3. Verify the assessment is comprehensive and covers more than IT risk (e.g., operational risk, financial risk, the impact of system changes, and risks associated with vendors and business partners).
   4. Verify the organization assesses the risk of fraud.
   5. Verify the organization has documented a policy detailing its risk assessment methodology, frequency, and key stakeholders.
   6. Verify a formally documented procedure is in place detailing how the risk assessment is performed.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Regulatory Compliance 

Control C.1

The organization has identified and follows state, federal, and international laws and regulations relevant to its operations.

 Related Frameworks/Compliance Standards:
SOC 2 – CC4.2, CC4.1, CC3.1, CC2.3

 Control Description:
   – The organization considers compliance needs when developing internal control programs, such as training, access control, and service delivery requirements, and
   – The organization uses audits (internal and external) to drive evaluation and improvement of internal control programs implemented to support regulatory compliance.

 Test Plan:
   1. Verify the organization considers its regulatory commitments and relevant industry standards when designing and implementing control activities. 
   2. Verify management is made aware of audit results and findings.
   3. Verify audit findings are used to improve the organization’s internal control programs. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s):  

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Application Development 

Control D.1 

A software development life cycle (SDLC) is followed to securely develop, implement, and change applications, so that vulnerabilities exposing them to threats such as unauthorized access and modification are prevented.

 Related Frameworks/Compliance Standards:
SOC 2 – CC5.1, CC6.6, CC6.1, CC8.1

 Control Description:
The organization employs a software development lifecycle and software development policies and procedures that address the following: 
   – Development methodology (e.g., Waterfall, RAD, or Agile),
   – Separation of duties between development, test, and production personnel,
   – Separation of critical environments, and
   – Application change control and change management.

 Test Plan:
   1. Verify the development methodology, including any requirements for project approval, documentation, testing, and implementation, adheres to policy.
   2. Verify development, testing, and production environments are separated.
   3. Verify application changes adhere to the development lifecycle and change management procedures.
   4. Verify separation of duties is enforced during the development lifecycle, especially promotion to Production.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control D.2

The organization prevents common vulnerabilities during the application development process.

 Related Frameworks/Compliance Standards:
SOC 2 – PI1.5, PI1.4, PI1.3, CC6.1, CC7.1, CC5.3, CC1.4

 Control Description:
   – The organization has training and professional development requirements for its development personnel,
   – The organization frequently scans its service application(s) during development (e.g., pre- and post-development), and the remediation of identified application vulnerabilities is prioritized and tracked,
   – The organization restricts access to source code and enforces version control,
   – The organization follows industry-accepted coding and testing methodologies to ensure developed applications are secure against common vulnerabilities, and
   – The organization ensures the integrity of data collected and transmitted by its service application(s).

 Test Plan:
   1. Verify the organization provides learning opportunities to ensure development personnel are knowledgeable and capable of fulfilling their responsibilities. 
   2. Verify the organization scans service application(s) for vulnerabilities and remediates negative findings.
   3. Verify source code access is restricted to personnel with a role-based need and that versioning is enforced.
   4. Verify appropriate, industry-accepted coding and testing practices are used during the development process.
   5. Verify service applications use secure transmission protocols and encryption to secure applications and service transmissions.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Information Security Policy 

Control E.1

The organization establishes, maintains, and improves Information Security policies, objectives, processes, and procedures to support and monitor the information security management system.

 Related Frameworks/Compliance Standards:
SOC 2 – CC5.2, CC3.3, CC6.6, CC6.1, CC5.3, CC5.1

 Control Description:
An Information Security Policy (ISP) is made available to all employees, which defines how information technology (IT) assets and resources should be used, managed, and protected.

 Test Plan:
   1. Verify the organization has implemented policies concerning the acceptable use of information assets, systems, and resources, noting which types of use are permitted for which roles within the organization.
   2. Verify the policy includes the following attributes:
        a. Policy maintenance,
        b. Compliance with legal requirements and industry standards (if applicable),
        c. Inclusion of all necessary topics and adherence to industry best practices,
        d. Approval, including the most recent approver’s title and date of approval,
        e. Date of the last review, and
        f. Revision history.
   3. Verify the organization maintains technical infrastructure documentation, such as network diagrams. Ensure the system description addresses the technologies (e.g., firewalls) and design concepts (e.g., segmentation and isolation) used to support the organization’s service delivery and security objectives.
   4. Verify the organization communicates security responsibilities to personnel, and describe how the information security program is overseen by appropriate member(s) of the management team.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Change Control and Change Management 

Control F.1

Procedures exist to manage changes to applications and network configurations (e.g., firewalls, routers, servers, workstations, and other critical network devices).

 Related Frameworks/Compliance Standards:
SOC 2 – CC7.3, CC7.4, CC8.1

 Control Description:
The organization has a formal (documented, approved, published, communicated, and implemented) Change Control / Change Management process that requires approval for all changes and logs all changes.

 Test Plan:
   1. Verify the organization maintains change requests and supporting documentation of the following attributes for each change implementation:
        a. Identified roles and responsibilities,
        b. Impact or risk analysis of the change request,
        c. Testing before implementation of the change(s),
        d. Authorization and approval,
        e. Process for notifying clients before changes are made that may impact their service,
        f. Post-installation validation, and
        g. Back-out or recovery plans.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s):  

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Physical Security and Environmental Protection 

Control G.1

Physical access to facilities and protected information assets is restricted to authorized personnel.

 Related Frameworks/Compliance Standards:
SOC 2 – CC6.4

 Control Description:
The organization’s facilities are protected against unauthorized access by employing detection measures and assigning access permissions according to a role-based need. Access is revoked upon termination.

 Test Plan:
   1. Verify access to the organization’s facility is restricted to authorized personnel and approved visitors.
   2. Verify measures are in place to detect unauthorized access to the organization’s facilities. 
   3. Verify access tokens are issued to new employees according to their role-based needs for access.
   4. Verify that terminated employees’ facility access permissions are revoked following termination. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s):  

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control G.2

Mechanisms protect physical assets (e.g., storage media, networking devices, and mobile devices) against tampering, theft, and unauthorized access.

 Related Frameworks/Compliance Standards:
SOC 2 – CC6.4

 Control Description:
Policy and procedures are employed that address the following:
   a. Security and destruction of removable media and equipment,
   b. Mechanisms used to electronically secure removable media and equipment (e.g., encryption and mobile device management),
   c. Measures used to physically secure removable media and equipment (e.g., storage in lockboxes), and
   d. Means used to destroy removable media and equipment.

 Test Plan:
   1. If mobile device management is used, describe how you verified it is implemented on all applicable devices.
   2. Verify media and equipment stored onsite are appropriately secured to prevent theft, tampering, and unauthorized access.
   3. Verify sensitive data stored on media is rendered unreadable before that media is disposed of.
   4. Verify sensitive data stored on removable media is encrypted.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control G.3

The organization employs mechanisms to protect its assets (e.g., technologies, data, and personnel) against environmental hazards, including natural and man-made disasters.

 Related Frameworks/Compliance Standards:
SOC 2 – A1.2

 Control Description:
   – Environmental threats to assets and critical business processes are identified, detected, and addressed.

 Test Plan:
   1. Verify the organization uses its risk assessment program to identify and address environmental threats.
   2. Verify the organization uses hazard detection measures (e.g., smoke alarms, monitoring procedures, and routine system testing) to detect environmental threats.
   3. Verify the organization responds to environmental hazards. 
   4. Verify protections are in place to prevent or mitigate environmental threats (e.g., geographic location, backup power sources, and fire suppression).

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Data Backup and Media Protection 

Control H.1 

Backup and restoration policies and procedures are documented and followed for all critical systems.

 Related Frameworks/Compliance Standards:
SOC 2 – A1.3, A1.2

 Control Description:
Policy and procedures are followed that govern:
    – Data classifications and systems that require backups,
    – Tool(s) and methods used to create backups,
    – Types of backups performed,
    – Schedule(s) for performing each backup type,
    – Backup retention periods,
    – Backup storage locations,
    – Backup security measures, and
    – Backup validation procedures.

 Test Plan:
   1. Verify systems and data requiring backup are identified and necessary backups are performed.
   2. Verify backups are performed according to established schedules.
   3. Verify backup restoration testing is performed regularly.
   4. Verify backups are retained for the organization’s pre-defined timeframe(s) and disposed of after retention periods expire.
   5. Verify stored backups are secure. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control H.2

Backup failures are monitored, and procedures exist to respond to backup failures.

 Related Frameworks/Compliance Standards:
SOC 2 (2020) – A1.3, A1.2

 Control Description:
   – The organization identifies and classifies critical systems and data that require backups and the types of backups performed, and
   – Policy and procedures govern backup monitoring, validation, and response to backup failures.

 Test Plan:
   1. Verify systems and data requiring backup are identified and necessary backups are performed.
   2. Verify backups are performed according to established schedules.
   3. Verify backup restoration testing is performed regularly.
   4. Verify backups are retained for the organization’s pre-defined timeframe(s) and disposed of after retention periods expire.
   5. Verify stored backups are secure.
   6. Verify the organization monitors for backup failures and responds to identified failures.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

W/P Reference:

Provide a link to the document repository and the title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Human Resources Security 

Control I.1

Personnel policies and controls apply to employees and contractors.

 Related Frameworks/Compliance Standards:
SOC 2 – CC1.5, CC1.1

 Control Description: Personnel controls apply to employees and contractors and address:
    – Conduct and ethics,
    – General employment policies, and
    – Disciplinary actions resulting from non-compliance.

 Test Plan:
   1. Verify conduct, ethics, and integrity standards are appropriate, defined, and communicated to personnel.
   2. Verify appropriate onboarding procedures are followed utilizing items such as:
          – Onboarding forms,
          – Confidentiality agreement,
          – Form I-9, and
          – Employee Handbook acknowledgment.
   3. Verify background checks are performed according to company policy and local, state, and federal requirements.
   4. Verify the organization enforces disciplinary actions if an employee does not comply with defined conduct, ethics, or integrity standards. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control I.2

All critical roles and departments are identified and documented.

 Related Frameworks/Compliance Standards:
SOC 2 – CC1.4, CC1.5, CC1.3                            

 Control Description:
Job descriptions reflect:
    – Role-specific duties and expectations,
    – Reporting lines, and
    – Relationships within appropriate functional areas

 Test Plan:
   1. Verify that role-specific duties and authorities are communicated to personnel.
   2. Verify expertise and skill requirements are communicated to personnel and that thorough performance evaluations are conducted regularly.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control I.3

Appropriate training is provided to all personnel.

 Related Frameworks/Compliance Standards:
SOC 2 – CC1.3, CC1.4, CC2.3                            

 Control Description:
Training policy and procedure documents address:
    – General (e.g., security awareness and conduct) training provided to all personnel,
    – Service-specific training,
    – Role-specific training,
    – Technical training, provided to enhance technical competencies,
    – Knowledge assessments and
    – Training frequencies.

 Test Plan:
   1. Verify all personnel complete security awareness training. 
   2. Verify appropriate personnel receive training on service offerings and service delivery.
   3. Verify role-specific training is provided to personnel with technical skill requirements.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Logical Access Management 

Control J.1

Logical access control policies and procedures are in place for all relevant methods of user access management.

 Related Frameworks/Compliance Standards:
SOC 2 – CC6.6, CC6.3, CC6.2, CC6.1                

 Control Description:
Access controls are implemented, which address:
   – New user authorization,
   – Role-based permissions,
   – Access approval,
   – Access provisioning procedures,
   – Access removal,
   – Access validation reviews, and
   – Multi-factor authentication.

 Test Plan:
   1. Verify access is authorized and that access requests are appropriate.
   2. Verify access provisioning and account creation procedures are appropriate and implemented.
   3. Verify access modification requests and fulfillment are appropriate and implemented. 
   4. Verify that terminated users’ access is revoked promptly.
   5. Verify that additional security and authentication requirements (e.g., MFA) are implemented for remote and sensitive access.
   6. Verify the organization assigns appropriate, limited access permissions, and document how you verified that access reviews are performed.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s):  

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control J.2

User account security and password policies are implemented to meet industry best practices.

 Related Frameworks/Compliance Standards:
SOC 2 – CC6.6, CC6.2, CC6.1                            

 Control Description:
Logical access controls are enforced related to:
   – Password composition, including complexity and length,
   – Password issuance and reset,
   – Password expiration and reuse, and
   – Account lockouts and session timeouts.

 Test Plan:
   1. Verify standards for generating, communicating, and changing first-time passwords are appropriate and implemented.
   2. Verify standards for requesting, generating, communicating, and changing reset passwords are appropriate and implemented.
   3. Verify password composition and expiration policies are appropriate and enforced.
   4. Verify accounts lock out following consecutive failed login attempts.
   5. Verify configurations that enforce idle session timeouts and require users to reauthenticate following prolonged inactivity. 
   6. Verify authentication credentials are secured during storage and transmission.
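
The J.2 test plan steps above, as an added example that is not part of the work plan: a checker that reads a constructed configuration export (modelled on key/value files such as login.defs, pwquality.conf and faillock.conf), tests it against each step, and writes the conclusion in the work paper's own form. Every threshold is an assumption to be replaced with the organization's policy values.

```python
# Added example, not part of the work plan. Evaluates an exported
# account-security configuration against the Control J.2 test plan items.
# Assumptions: the export is a constructed key/value text resembling
# login.defs, pwquality.conf, faillock.conf and a shell TMOUT setting; the
# THRESHOLDS are placeholders, not values the work plan states.
import re
from dataclasses import dataclass

THRESHOLDS = {                    # assumed placeholder values
    "min_length": 12,             # step 3: composition
    "max_age_days": 365,          # step 3: expiration
    "remember": 5,                # step 3: reuse (password history depth)
    "lockout_deny": 10,           # step 4: failed attempts before lockout
    "idle_timeout_s": 900,        # step 5: idle session timeout
    "hash_methods": {"SHA512", "YESCRYPT"},  # step 6: credential storage
}

# Constructed sample export; minlen and deny are deliberately weak.
SAMPLE_EXPORT = """\
PASS_MAX_DAYS   90          # login.defs
ENCRYPT_METHOD  SHA512
minlen = 8                  # pwquality.conf
remember = 5                # pam_pwhistory
deny = 0                    # faillock.conf: 0 disables lockout
TMOUT=600                   # shell profile
"""

@dataclass
class Finding:
    step: int          # J.2 test plan step the exception relates to
    setting: str
    expected: str
    actual: str

def parse_export(text: str) -> dict:
    """Parse 'KEY value' / 'key = value' lines into an upper-cased dict."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"^([A-Za-z_]+)\s*=?\s*(\S+)$", raw.split("#", 1)[0].strip())
        if m:
            settings[m.group(1).upper()] = m.group(2)
    return settings

# (step, setting, predicate on the integer value, expected-value description)
NUMERIC_CHECKS = [
    (3, "MINLEN", lambda v: v >= THRESHOLDS["min_length"],
     f"at least {THRESHOLDS['min_length']} characters"),
    (3, "PASS_MAX_DAYS", lambda v: 0 < v <= THRESHOLDS["max_age_days"],
     f"1 to {THRESHOLDS['max_age_days']} days"),
    (3, "REMEMBER", lambda v: v >= THRESHOLDS["remember"],
     f"at least {THRESHOLDS['remember']} previous passwords"),
    (4, "DENY", lambda v: 1 <= v <= THRESHOLDS["lockout_deny"],
     f"1 to {THRESHOLDS['lockout_deny']} failed attempts"),
    (5, "TMOUT", lambda v: 0 < v <= THRESHOLDS["idle_timeout_s"],
     f"1 to {THRESHOLDS['idle_timeout_s']} seconds"),
]

def evaluate(settings: dict) -> list:
    """One Finding per J.2 item that is unset, non-numeric or out of range."""
    findings = []
    for step, key, ok, expected in NUMERIC_CHECKS:
        raw = settings.get(key)
        try:
            value = int(raw)
        except (TypeError, ValueError):   # absent: not demonstrably enforced
            findings.append(Finding(step, key, expected, "not set"))
            continue
        if not ok(value):
            findings.append(Finding(step, key, expected, raw))
    method = settings.get("ENCRYPT_METHOD")
    if method is None or method.upper() not in THRESHOLDS["hash_methods"]:
        allowed = ", ".join(sorted(THRESHOLDS["hash_methods"]))
        findings.append(Finding(6, "ENCRYPT_METHOD", allowed, method or "not set"))
    return findings

def conclusion(findings: list) -> str:
    """Format the Conclusions/Noted Issue(s) entry the work paper asks for."""
    if not findings:
        return "No Relevant Exceptions Noted"
    return "Exceptions noted:\n" + "\n".join(
        f"Step {f.step}: {f.setting} is {f.actual}; expected {f.expected}"
        for f in findings)

if __name__ == "__main__":
    print(conclusion(evaluate(parse_export(SAMPLE_EXPORT))))
```

A setting that is absent from the export is reported as an exception rather than silently passed, because the auditor needs evidence the control is enforced, not merely the absence of a contrary value.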

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Configuration Management 

Control K.1

Configuration standards are documented for all system components. 

 Related Frameworks/Compliance Standards:
SOC 2 – CC6.8, CC8.1, CC7.1, CC5.2                

 Control Description:
Configuration management policies and procedures address, at a minimum:
    – Industry-accepted standards used as configuration baselines,
    – Maintenance of documented baselines,
    – Training programs for personnel with configuration duties and
    – Configuration monitoring controls and tools.

 Test Plan:
   1. Describe what authoritative guidance the organization uses as the basis of its configuration standards. How are these standards implemented for all relevant technologies used by the organization?
   2. Describe what tools and procedures (e.g., file integrity monitoring and response) the organization uses to monitor and respond to configuration changes.
   3. Verify standard, non-privileged users are prevented, through workstation configurations, from installing third-party software without prior approval. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Data Security 

Control L.1

The types and classifications of data the organization handles and the methods by which it collects, generates, stores, transmits, and processes data are identified.

 Related Frameworks/Compliance Standards:
SOC 2 – PI1.5, PI1.4, PI1.3, PI1.2, PI1.1, CC2.1, CC6.5, CC2.3, C1.1    

 Control Description:
   – The organization has implemented policy and procedure documentation that addresses the following:
        a. Identification of data needed for service delivery,
        b. Data classification,
         c. Data retention periods, secure handling requirements, and secure disposal methods, and
   – Data flow diagram(s) depict the flow of information for any critical process or system.  

 Test Plan:
   1. Verify the organization identifies what data is needed to provide its services and understands how it is used.
   2. Verify data classifications are appropriate and applied to all data collected and generated by the organization.
   3. Verify data flow diagrams are maintained for all critical systems.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Control L.2 

The organization secures (e.g., encrypts) all sensitive data types at all collection points, storage, transmission, and processing until the data is securely disposed.

 Related Frameworks/Compliance Standards:
SOC 2 – C1.2, C1.1, CC6.5, CC6.7, CC6.1        

 Control Description:
   – Data security policy and procedures are implemented that address:
        a. Encryption and encryption key management,
        b. Secure transmission protocols,
        c. Data handling procedures and
        d. Data destruction methods.
   – Encryption methods and standards used to protect stored data, and
   – Transmission protocols used to protect data transmissions.

 Test Plan:
   1. Verify data at rest is encrypted by the organization.
   2. Verify encryption key management policies and procedures are appropriate and enforced.
   3. Verify data transmissions are secured to prevent unauthorized access. 
   4. Verify data is disposed of at the end of its lifecycle.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Network Monitoring 

Control M.1

Logging is enabled for all critical systems, and the network’s usage and performance are monitored and checked for availability, overall performance, and slow or failing systems.

 Related Frameworks/Compliance Standards:
SOC 2 – CC7.2, CC7.1, CC6.8, A1.1

 Control Description:
Slow or failing components are identified before they cause problems (e.g., crashed, frozen, or overloaded servers; failed switches; failing routers; and other troublesome components or network failures). Alerts are automatically generated, and the network administrator is notified promptly.

 Test Plan:
   1. Verify log reviews are regularly conducted, and that log details are appropriate and support log reviews.
   2. Verify the organization monitors for system intrusions and security events and responds to system alerts.
   3. Verify the organization uses file integrity monitoring to prevent unauthorized configuration changes.
   4. Verify the antivirus solution(s) used by the organization are in place on at-risk technologies and appropriately configured for automatic updates and alerts.
   5. Verify the organization monitors appropriate sources for patches and updates and applies those patches promptly.
   6. Verify the organization uses usage reports to establish thresholds, plan for future needs, and request additional resources. 
   7. Verify forecasting initiates the change management process as new system needs are identified. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Incident Response 

Control N.1

Procedures are followed to identify security incidents and understand, contain, remediate, and appropriately communicate security incidents. 

Related Frameworks/Compliance Standards:
SOC 2 – P6.6, CC7.4, CC7.2, CC7.1, CC7.5, CC7.3, CC2.3, CC2.2          

 Control Description:
Activities are defined and implemented to recover from identified security incidents and perform remediation to prevent future incidents.

 Test Plan:
   1. Verify the organization uses appropriate channels to allow for incident reporting. 
   2. Verify internal and external parties are aware of these reporting channels.
   3. Verify the organization uses automated and manual measures to detect and analyze security events.
   4. Verify defined response procedures that address containment, remediation, evaluation, and correction of all incident types.
   5. Verify the organization classifies incidents to ensure the response is appropriate for the incident’s severity.
   6. Verify incident roles and responsibilities are assigned and communicated to capable, competent personnel.
   7. Verify the organization works to contain incidents as a part of response proceedings.
   8. Verify the organization regularly tests its incident response plans and uses test results to improve procedures. 
   9. Verify all incidents are logged and that the incident log is regularly reviewed.
   10. Verify that the organization works to restore critical systems as a part of the incident response. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Vulnerability Management 

Control O.1

A formal process is executed to identify and take action on vulnerabilities to remediate and minimize the window of opportunity for attackers.

Related Frameworks/Compliance Standards:
SOC 2 – CC3.2, CC6.1                                        

 Control Description:
    – Vulnerability scans are performed following a defined schedule, and discovered vulnerabilities are rated according to risk and remediated as appropriate, and
    – Detection, prevention, and recovery controls are in place to protect against viruses and malware.

 Test Plan:
   1. Verify vulnerability scans are regularly performed. 
   2. Verify vulnerabilities identified during scans are prioritized based on severity rankings and re-tested after remediation implementation.
   3. Verify management approves vulnerability remediation actions before implementation. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Vendor Management 

Control P.1 

Risks associated with vendors and business partners are assessed and managed.

 Related Frameworks/Compliance Standards:
SOC 2 – C1.4, C1.5, C1.6                                   

 Control Description:
Vendor and third-party risks are identified, performance is monitored, and confidentiality agreements are obtained.

 Test Plan:
   1. Verify the organization has appointed appropriate personnel to monitor vendor relationships.
   2. Verify vendors are assessed for risk during the selection process.
   3. Verify the organization has established communication channels and procedures for addressing issues reported by vendors.
   4. Verify vendor performance is monitored and considered during contract renewals. 

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Service Delivery 

Control Q.1

End-users (clients and customers) are guided on using the organization’s system securely, and access is provisioned securely.

 Related Frameworks/Compliance Standards:
SOC 2 – PI1.1, CC3.1, CC2.3, CC2.2, PI1.3, PI1.2, CC4.1, CC2.1, CC6.6, CC6.3, CC6.2, CC6.1

 Control Description:
    – Procedures for onboarding clients, processing service transactions, handling inquiries and complaints, and reporting on services are implemented,
    – Clients or end-users of your services are trained in appropriate system use and operation through client onboarding, operating procedures, or user guides published online and
    – Management of clients’ access to service systems address, as applicable: 
         a. Account creation, 
         b. Access provisioning,
         c. Access modification and
         d. Access removal.

 Test Plan:
   1. Verify client issues and complaints are responded to promptly.
   2. Verify external users are notified of the appropriate and most effective way to use the organization’s services.
   3. Verify that end-user access to the client’s service system(s) is managed in a controlled, consistent manner.
   4. Verify that end-user authentication credentials are secured.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).

Contingency Planning and Business Continuity Management 

Control R.1

Business continuity and disaster recovery plans are designed to ensure the achievement of the organization’s objectives following a disaster or disruption.

 Related Frameworks/Compliance Standards:
SOC 2 – A1.2, CC1.4, CC2.3, CC2.2, A1.3, CC5.3, CC4.1, CC5.2, CC3.1

 Control Description:
Business continuity and disaster recovery plans are in place, which reflect, at a minimum:
   – Business impact analysis results,
   – Sensitivity and criticality of assets,
   – Recovery time and recovery point objectives,
   – Critical roles and responsibilities,
   – Plan activation and communication requirements,
   – Training activities, and
   – Plan testing and maintenance.

 Test Plan:
   1. Verify management conducts business impact assessments to design and support its business continuity and recovery plans. 
   2. Verify the organization routinely tests its continuity and disaster recovery plans and uses test results to drive plan improvement.
   3. Verify the organization has defined and communicated roles and responsibilities related to business continuity and disaster recovery plans.
   4. Verify the organization communicates continuity and recovery efforts to appropriate internal and external parties.
   5. Verify personnel with roles and responsibilities under the business continuity and disaster recovery plans are provided appropriate, role-specific training. 
   6. Verify that the procedures and infrastructures selected for continuity and recovery efforts are appropriate for the organization.

 Enter Test Results: Document any of the following as applicable:
   1. Person(s) interviewed and summary of the discussion.
   2. Applicable policy/procedure documentation. Note policy name, revision date, and approver. Describe how the policy supports the stated control requirement.
   3. Observation(s) of process, system settings, and configuration. Describe how the observations verify the stated control is or is not in place.
   4. Population(s) and sample size(s), if used in step 3 above.
   5. Other artifacts obtained and reviewed.

 Enter Conclusions/Noted Issue(s): 

State if “No Relevant Exceptions Noted” or describe the nature of discovered control deficiencies (i.e., gaps and exceptions).

 W/P Reference:

Provide a link to the document repository and title(s) of supporting documentation (e.g., policies and procedures, screenshots, access lists, network diagrams, inventory lists, etc.).