I'm not expecting so much to come of it, but does anyone have starting points for references, templates, or support resources for a SOC 2 information security audit to share? We will probably convert our ISO 27001-designed ISMS over to support an audit review over the next however long that takes.
For others interested in background: this isn't a management system certification, only a well-developed audit process. The result is pretty similar, just varying quite a bit in formal output, or really even that's still similar. You don't pass or fail, or certify; an audit service provider reviews and documents the degree to which your internal processes, policies, procedures, staff awareness, security controls and related records demonstrate coverage of a broad range of Trust Criteria review requirements.
Output is an audit report (not completely unlike an ISO systems review), with "exceptions" documented for a Type 2 report covering comprehensive record review. The Type 1 version is just a process audit, reviewing policies and procedures, so from a distance it looks a little like the Stage 1 and Stage 2 reviews for initial ISO management system certification. All of this needs to be attested by a CPA; it originates from a more financial-audit-oriented agency source than ISO. A mapping to ISO 27001 covers what it is and that origin source: https://www.aicpa-cima.com/resources/download/mapping-2017-trust-services-criteria-to-iso-27001
The idea seems to be to replace supplier audit reviews with this one general audit review across the information security scope, seemingly well-documented as a months-long records review in the Type 2 form. It can include optional sections on Availability, Process Integrity, Confidentiality, and Privacy, so it's set up to be tailored for slightly different uses. As with ISO systems in actual practice, the theory isn't necessarily matched by absolutely perfect function, because in a real supplier review companies can focus in on what is of most concern to them, protecting their own information and reviewing the process steps of most interest, and all this has to tend to be a bit general. And as always, some requirements are basic and well-grounded and others seem a bit arbitrary or even wonky, for example leaning into upper-level management communication requirements a bit more than makes sense. It seems fine though; good for what kind of thing it is.