IT Assurance

SOC 2 – Scope Sample

SECURITY - The system is protected against unauthorized access (both physical and logical)

  1. Policies: The entity defines and documents its policies for the security of its system.
  2. Communications: The entity communicates its defined system security policies to responsible parties and authorized users.
  3. Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.
  4. Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.

AVAILABILITY - The system is available for operation and use as committed or agreed.

  1. Policies: The entity defines and documents its policies for the availability of its system.
  2. Communications: The entity communicates its defined system availability policies to responsible parties and authorized users.
  3. Procedures: The entity placed in operation procedures to achieve its documented system availability objectives in accordance with its defined policies.
  4. Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system availability policies.

PROCESSING INTEGRITY - System processing is complete, accurate, timely, and authorized.

  1. Policies: The entity defines and documents its policies for the processing integrity of its system.
  2. Communications: The entity communicates its defined system processing integrity policies to responsible parties and authorized users.
  3. Procedures: The entity placed in operation procedures to achieve its documented system processing integrity objectives in accordance with its defined policies.
  4. Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system processing integrity policies.

CONFIDENTIALITY - Information designated as confidential is protected by the system as committed or agreed.

  1. Policies: The entity defines and documents its policies related to the system protecting confidential information as committed or agreed.
  2. Communications: The entity communicates its defined policies related to the system's protection of confidential information to responsible parties and authorized users.
  3. Procedures: The entity placed in operation procedures to achieve its documented system confidentiality objectives in accordance with its defined policies.
  4. Monitoring: The entity monitors the system and takes action to maintain compliance with its defined confidentiality policies.

PRIVACY

  1. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
  2. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
  3. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
  4. The entity collects personal information only for the purposes identified in the notice.
  5. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
  6. The entity provides individuals with access to their personal information for review and update.
  7. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
  8. The entity protects personal information against unauthorized access (both physical and logical).
  9. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
  10. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints, and disputes.