Log in

System Description (Section III)

Home » Glossary Items » SOC 2 » System Description (Section III)

What is a system description?

Generally speaking, a system description is a section of a technical document or report that provides an overview of the system, its structure and components, and explains how it works. It may also provide information about related systems and technologies used in conjunction with the main system. System descriptions are often included in user manuals, software documentation, project plans, proposal documents, business cases, feasibility studies and other technical reports.

What is a SOC 2 system description?

The SOC 2 reporting system is designed to provide assurance that an organization has established effective controls necessary to meet its objectives as they relate to the Trust Service Principles. A SOC 2 report enables companies to demonstrate their commitment to protecting customer data by providing an independent evaluation of their internal control environment.

A SOC 2 system description is a required document that describes the systems, processes and controls relevant to a service organization’s system. A system description is the way in which management describes the organization’s system that supports the delivery of products, solutions or services to its customers.

The system description is important because it provides a comprehensive overview of the system and its components. It helps to define the scope, objectives, and functionality of the system, as well as provide an understanding of how the system works. This information can be used to help identify potential areas for improvement that would increase information security, efficiency or performance. Additionally, it can help support decision-making when considering changes to existing systems or implementing new ones.

SOC 2 Type 2 controls

The system description also outlines the specific requirements of the Trust Service Principles (and relevant controls) included in your scope that must be met in order for your organization to achieve compliance with the AICPA‘s Service Organization Control (SOC) 2 standards. The Type 2 controls are designed to provide assurance that these criteria have been implemented and maintained over a specified period of time, usually one year. Therefore, having a detailed, accurate system description is essential for any organization looking to prove their compliance with SOC 2 Type 2 requirements.

What is included in a SOC 2 system description?

The following is a simple outline of how organizations should structure their system description of their SOC 2 report:

Types of services provided

This includes a description of the company and the system being audited.

Principal service commitments and system requirements

This includes all commitments you have to customers, partners, etc., as well as your commitment to adhere to any laws and regulations.

System components

The infrastructure, software, people, procedures, and data that back your system.

Trust services criteria and corresponding controls

Includes details on the criteria that are in your scope. From there, a description of your control environment is needed.

Complementary user entity controls

The list of the controls your customers need to implement so that your system and control environment can operate securely and achieve its objectives.

Complementary subservice organization controls

The list of subservice organizations performing controls on behalf of the client. Once completed, you need to list the subservice organization controls that support your company’s system and control environment.

System incidents

List of any security incidents during your reporting period. If there were such incidents, you will need to detail where your organization failed to meet specific criteria, customer commitments, or system requirements.

Significant changes to the system during the period

Any relevant changes that occurred during the reporting period, and any significant effects from those changes.

Back

You may also like

Blog

April 9, 2024
SOC 2 Type 1 Guide: Everything You Need To Know

Which type of SOC 2 report is best for your organization and what are their differences?
Blog

March 24, 2024
How To Speed Up Your SOC 2 Audit Without Breaking A Sweat

What’s the fastest way to pass a SOC 2 audit? Simple: you need to plan carefully.
Blog

March 4, 2024
The Latest SOC 2 Revisions and What They Mean for Your Business

Do you know what the latest SOC 2 updates mean for your company as you prepare for your next audit? This blog breaks them down for you.
Blog

February 28, 2024
5 Things To Avoid When Implementing SOC 2

There are a number of common mistakes that businesses make when implementing SOC 2.
Blog

February 6, 2024
SOC 2 Audit: The Essentials for Data Security and Compliance

Read All the Essential Steps and Requirements for Preparing for a SOC 2 Audit to Ensure Data Security and Compliance.
Blog

January 31, 2024
The Ultimate SOC 2 Checklist for SaaS Companies

Here’s a handy SOC 2 compliance checklist to help you prepare for your SOC 2 compliance audit and realize your business’ security goals.
Blog

January 23, 2024
Do You Really Need a SOC 2 Report?

You might be asking yourself, “do I really need a SOC 2 report?”
Blog

January 22, 2024
The Right Compliance Framework for Your Startup: Common Compliance Frameworks

A guide to compliance frameworks for startups, with everything you need to know about the most common frameworks and how they apply.
Blog

January 9, 2024
SOC 2 Report Examples for 2024: Insights into Top-Tier Compliance

A SOC 2 report demonstrates how effectively your business has implemented SOC 2 security controls across the five TSC.
Blog

January 3, 2024
The Importance of SOC 2 Templates

In this piece, we're talking about SOC 2 templates and their role in making the compliance process far less complicated.
Blog

December 5, 2023
5 Reasons Why You Need a SOC 2 Report

Here’s five of the most compelling reasons why your business needs SOC 2.
Blog

November 20, 2023
SOC 2 Scope: How it’s Defined

How creating a comprehensive SOC 2 scope can benefit your business, and how to get there.
Blog

October 11, 2023
How Long Does It Really Take To Get SOC 2 Compliant?

When considering how long SOC 2 takes to achieve, you need to consider the entire SOC 2 journey.
Blog

September 4, 2023
What is SOC 2 Compliance Automation Software and Why is it Important?

SOC 2 automation doesn’t simply make compliance easier, it also makes it possible.
Blog

August 7, 2023
What to Look for During a SOC 2 Readiness Assessment

A SOC 2 readiness assessment is a way of examining your systems to make sure it’s compliant with security controls of the SOC 2 standard.