SOC 2 External Communications (Principle 15) (CC2.3)

Overview:
The entity communicates with external parties regarding matters affecting the functioning of internal control.
Action Items:
1) Create a standard set of customer agreements and terms of use that all customers are required to accept. This should outline the entity's commitments, system requirements, and standard terms of use that the customer agrees to accept prior to using the entity's product(s) or service(s), and is often accepted during the user onboarding process.
2) Create a standard nondisclosure agreement for vendors that assures confidentiality and protection before sharing information designated as confidential with third parties.
3) Create an escalation procedure and publish on the company intranet for employees to access and review.
4) Inspect the company website overview page to determine that information regarding the design and operation of the system and its boundaries was communicated to external users via the company website.
5) Inspect the customer agreements and terms for a sample of customers onboarded during the review period to determine that the entity’s commitments and associated system requirements are documented in customer contracts, agreements, and terms of use for each new customer sampled.
6) Inspect the contracts for a sample of vendors during the review period to determine that nondisclosure agreements of confidentiality and protection are required before sharing information designated as confidential with third parties for each vendor sampled.
7) Inspect customer correspondence messages to determine that system alerts, including planned changes to system components, planned outages and known issues, are communicated to key stakeholders.
8) Inspect the escalation procedure to determine that documented escalation procedures for reporting security incidents are in place to guide employees in identifying, reporting, and acting upon system security breaches and other incidents.
9) Inspect the company website and the customer login portal to determine that a contact e-mail address and a customer portal are available for customers to submit security-related tickets, report security incidents, concerns, and complaints, and that reports of concerns are reviewed by the information security team as they appear in the inbox.
Related Documents:
1) Customer terms of use
2) Vendor non-disclosure agreements
3) Sample of standard customer correspondence messages related to technology and security
4) Escalation procedure
5) Evidence validating methods for customers to report security incidents

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Communicates to External Parties—Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties.
2) Enables Inbound Communications—Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
3) Communicates With the Board of Directors—Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
4) Provides Separate Communication Lines—Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
5) Selects Relevant Method of Communication—The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.
6) Communicates Objectives Related to Confidentiality and Changes to Objectives—The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.
7) Communicates Objectives Related to Privacy and Changes to Objectives—The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives related to privacy and changes to those objectives.
8) Communicates Information About System Operation and Boundaries—The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation.
9) Communicates System Objectives—The entity communicates its system objectives to appropriate external users.
10) Communicates System Responsibilities—External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities.
11) Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters—External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel.