SOC 2 Type I Requirements: Point-in-Time Trust Services Criteria Guide

Your organization must demonstrate a commitment to integrity and ethical values, exercise board-level oversight, establish organizational structure with clear reporting lines, demonstrate commitment to competence, and enforce accountability. For Type I, the auditor verifies these elements are in place on the assessment date.

You must generate and use relevant, quality information to support internal control. Information must be communicated internally and externally. For Type I, the auditor checks that communication policies and procedures exist and information flows are properly designed.

You must specify clear objectives, identify and analyze risks, assess fraud risk, and identify and assess changes that could impact internal controls. For Type I, the auditor verifies that a risk assessment has been conducted and documented as of the assessment date.

You must select and develop control activities that mitigate risks, deploy technology controls, implement through policies and procedures, and monitor controls through ongoing evaluations. For Type I, the auditor confirms controls exist and are designed to achieve their objectives.

You must implement logical access security (authentication, authorization), restrict physical access to facilities and assets, manage user provisioning based on authorization and least privilege, and restrict data transmission and movement. For Type I, the auditor verifies these controls are configured and in place.

You must monitor systems for anomalies and security events, evaluate detected events for potential incidents, and respond to identified incidents through a defined process. For Type I, the auditor verifies that monitoring, detection, and incident response mechanisms are designed and implemented.

All changes to infrastructure and software must follow a documented change management process including authorization, testing, approval, and implementation controls. For Type I, the auditor checks that a change management process is defined and implemented.

You must mitigate risks through business continuity planning, disaster recovery procedures, and vendor risk management. For Type I, the auditor verifies that BCP/DR plans exist and vendor management processes are documented as of the assessment date.

If included, you must demonstrate that systems are available for operation and use as committed. This covers capacity planning, performance monitoring, backup and recovery, and business continuity. For Type I, the auditor verifies these mechanisms are designed and in place.

If included, you must identify and protect confidential information through classification, access restrictions, and secure disposal. For Type I, the auditor checks that data classification and confidentiality controls are designed and implemented.

If included, you must ensure that system processing is complete, valid, accurate, timely, and authorized. For Type I, the auditor verifies controls for input validation, processing accuracy, and output completeness are designed.

If included, you must address how personal information is collected, used, retained, disclosed, and disposed of. Privacy notices, consent mechanisms, and data subject rights processes must be in place. For Type I, the auditor checks these are designed and documented.