The SOC 2 Guide (which our CFO helped author) defines a control activity as an action established through policies and procedures that helps ensure that management's directives to mitigate risks to the achievement of objectives are carried out. While your entire SOC 2 report includes control activities, the CC9 series is focused on your holistic risk mitigation processes and procedures. This blog post provides a detailed overview of each criterion, the key concepts assessed, typical evidence requests for each criterion, and the ByteChek difference.
CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
Key Concepts Assessed in CC9.1:
Risk Management Policies and Procedures:
Typical evidence requests: You will be required to provide your risk management policies and procedures. Some common themes your auditors will look for include:
Key risk management procedures such as system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations, and results documentation.
Guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.
With ByteChek, our platform is built with an intuitive information security policy generator that helps you quickly create a robust and detailed policy, including risk management policies and procedures. If you already have a policy, you can upload it directly to our platform to address this control. We also take care of communication to users: your employees can use the ByteChek platform to read and acknowledge their understanding of the risk management policy (and other applicable policies and procedures).
Risk Assessment:
Typical evidence requests: Excel sheets or observations of GRC tools outlining the identified risks and how each risk was formally assessed, with documented treatment plans and assigned risk owners. The risk assessment should be conducted by an appropriate individual in a security, governance, or executive role. Expect a detailed conversation with your auditors about the inputs to the risk assessment and the individuals involved in the process.
With ByteChek, we built an intuitive risk assessment directly into our platform. The ByteChek platform helps you generate a continuous risk register. Our risk assessment tool is NIST based and includes references to NIST 800-53, NIST 800-171, the NIST CSF, ISO 27001, and the CIS Critical Security Controls. A risk assessment is not a single point-in-time activity; risks should be continually assessed and evaluated. Your team still owns the risk register and is required to review the risks and document any additional risk mitigation strategies, but our platform helps you begin the process and update threats in real time.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.
Key Concepts Assessed in CC9.2:
Third-Party Risk Management:
Typical evidence requests: There are two key components evaluated here addressing third-party risk:
Subservice Organization Monitoring: Excel sheets, memorandums, or other evidence showing your organization's review of your subservice organizations' SOC 2 or other security-related third-party auditor reports. This review should include confirmation of the scope of the assessment (including whether the report period covers your own review period, with a bridge letter obtained where it does not), any deviations or exceptions identified, and the responses to those deviations. This should be completed for every subservice organization listed in Section 3 of your report.
Contracts and Confidentiality: Signed contracts with vendors, customers, and business partners. Be prepared for your auditors to thoroughly read your contracts to identify security, availability, and confidentiality commitments, and to ask you to walk through the process for onboarding new vendors and customers.
With ByteChek, we built the subservice organization security review directly into our platform. On an annual basis, you will receive a notification (via Slack or email) reminding you to retrieve your subservice organization's SOC 2 or other report and upload it to the ByteChek platform. After you upload it, our platform generates four Yes/No questions that help you address the subservice organization monitoring control. We will work closely with your team to determine the best way to assess the contractual commitments to your vendors, customers, and business partners. In our experience, these commitments are standardized across all contracts, and we can test this control by obtaining and reviewing the contract template used at your organization.
We started ByteChek with one goal in mind: Make Compliance Suck Less. This blog post covers a small subset of the controls we built our platform to automate and move away from status quo SOC 2 examinations and other framework audits. Automating compliance and eliminating screenshots, document uploads, and generic evidence requests help your team focus on growing and securing your business. Reach out to our team to learn how you can automate compliance and set up a demo of the ByteChek platform.