Do Service Organizations Define The Control Objectives?
In a word, yes. For a SOC 1 report, service organizations are responsible for performing a risk assessment to define the different types of risks that apply to the specific service offering and infrastructure within scope. One of the products of the risk assessment is the identification of the control objectives (often stated as inverse statements of the risks) that will help address those risks. For example, if an identified risk for the logical infrastructure is “unauthorized logical access to data or systems”, then the related control objective would be to “ensure logical access to data and systems is authorized”.
The subject matter of a control objective can be as broad or as specific as a service organization needs, and service auditors can provide service organizations with lists of possible control objectives for educational purposes. However, the service organization ultimately has the responsibility of defining which objectives are applicable to the scope of the service offering.