Digital Edge's Compliance team has noticed that organizations and IT/compliance groups lack understanding of mandates for scheduled reviews and audits.
Each cybersecurity standard or framework has its own unique requirements. This article provides information on minimal required reviews and audits by PCI standard.
List of reviews for SOC 2
|
|
Description of review |
Frequency/Occurrence |
Evidence |
|
1 |
Review of Trust Services Criteria Controls system covering: - policies and procedures - management involvement, accountability and reporting - roles distribution - standards for evaluation of operations - reaction to deviations - segregation of duties - requirements (including background checks process) for new employees - attraction and training of employees - succession planning - evaluation of employees - communication within and outside of organization - use of encryption - change management procedures - confidential information management. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
2 |
Documents Review covering whether current policies and procedures need to be changed in light of changing processes or industry practices. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
3 |
Vendors and Contractors Review covering: - a vendor’s commitment to best practices of cybersecurity - vendors’ performance under contracts - confidentiality commitments with Vendors. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
4 |
Risk Review checking whether all risks were defined, assessed and managed. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
5 |
Review of Internal and External Reporting checking whether respective standards/frameworks were defined, reporting has been established. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
6 |
Fraud Review checking whether all known types of fraud has been considered, what risks it leads to, remediation activities developed. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
7 |
Internal Audit checking whether established documentation, processes and reviews are performed within the organization. |
every 12 months |
Results of the review in the form of detailed report |
|
8 |
Management Meeting covering: - results of Internal Audit - corrective and preventive actions - changes needed to be introduced after internal and external environment evaluation. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
9 |
Inventory Review checking availability and status of assets used by the organization. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
10 |
Access Review covering users logs, access rights. |
every 3 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
11 |
Technological Review (including Vulnerability Scans and/or Penetration Tests) covering whether existent assets and infrastructure are protected. |
every 12 months |
Results of the review in the form of detailed report |
|
12 |
Physical Access Review covering whether access to the organization premises is controlled. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
13 |
Antimalware and Antivirus Software Review covering whether such software is up to date, assets are being protected and review of logs from such software. |
every 3 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
14 |
Incident Response Plan Review checking whether incidents are detected, reported (internally and externally, if required), investigated, remediation developed and implemented, and lessons are learned. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
15 |
Business Continuity Plan Review checking whether the organization has action plan to recover from drastic disruption of operations (natural disasters, unavailability of critical assets/services, etc.). |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
16 |
Business Continuity Plan Test checking whether operations restoration was performed successfully. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
17 |
Backup Review checking whether all required backups are maintained and operational. |
every 3 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
18 |
Awareness Training Review checking whether the organization conducts trainings for employees required by standards and policies. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
|
19 |
Confidentiality and Privacy Review checking whether the organization collects, notifies users, processes, protects, disposes and manages confidential information received from users. |
every 12 months |
Results of the review in the form of memo or report (can be short or detailed report) |
