SOC 1: Do Service Organizations Define The Control Objectives?

May 19, 2014

Do Service Organizations Define The Control Objectives?

In a word, yes. For a SOC 1 report, service organizations are responsible for performing a risk assessment that identifies the types of risk applicable to the specific service offering and the infrastructure within scope. One product of the risk assessment is the identification of the control objectives (often stated as the inverse of the risks) that address those risks. For example, if an identified risk for the logical infrastructure is “unauthorized logical access to data or systems”, then the related control objective would be to “ensure logical access to data and systems is authorized”.

The subject matter of a control objective can be as broad or as specific as the service organization needs, and service auditors can provide service organizations with lists of possible control objectives for educational purposes. However, the service organization ultimately has the responsibility of defining which objectives are applicable to the scope of the service offering.
