System Description (Section III)

What is a system description? 

Generally speaking, a system description is a section of a technical document or report that provides an overview of the system, its structure and components, and explains how it works. It may also provide information about related systems and technologies used in conjunction with the main system. System descriptions are often included in user manuals, software documentation, project plans, proposal documents, business cases, feasibility studies and other technical reports.

What is a SOC 2 system description?

The SOC 2 reporting system is designed to provide assurance that an organization has established effective controls necessary to meet its objectives as they relate to the Trust Service Principles. A SOC 2 report enables companies to demonstrate their commitment to protecting customer data by providing an independent evaluation of their internal control environment.

A SOC 2 system description is a required document that describes the systems, processes and controls relevant to a service organization’s system. A system description is the way in which management describes the organization’s system that supports the delivery of products, solutions or services to its customers.

The system description is important because it provides a comprehensive overview of the system and its components. It helps to define the scope, objectives, and functionality of the system, as well as provide an understanding of how the system works. This information can be used to help identify potential areas for improvement that would increase information security, efficiency or performance. Additionally, it can help support decision-making when considering changes to existing systems or implementing new ones.

SOC 2 Type 2 controls

The system description also outlines the specific requirements of the Trust Service Principles (and relevant controls) included in your scope that must be met in order for your organization to achieve compliance with the AICPA‘s Service Organization Control (SOC) 2 standards. The Type 2 controls are designed to provide assurance that these criteria have been implemented and maintained over a specified period of time, usually one year. Therefore, having a detailed, accurate system description is essential for any organization looking to prove their compliance with SOC 2 Type 2 requirements.

What is included in a SOC 2 system description?

The following is a simple outline of how organizations should structure their system description of their SOC 2 report:

Types of services provided

This includes a description of the company and the system being audited. 

Principal service commitments and system requirements

This includes all commitments you have to customers, partners, etc., as well as your commitment to adhere to any laws and regulations. 

System components

The infrastructure, software, people, procedures, and data that back your system. 

Trust services criteria and corresponding controls

Includes details on the criteria that are in your scope. From there, a description of your control environment is needed.

Complementary user entity controls

The list of the controls your customers need to implement so that your system and control environment can operate securely and achieve its objectives.

Complementary subservice organization controls

The list of subservice organizations performing controls on behalf of the client. Once completed, you need to list the subservice organization controls that support your company’s system and control environment. 

System incidents

List of any security incidents during your reporting period. If there were such incidents, you will need to detail where your organization failed to meet specific criteria, customer commitments, or system requirements.

Significant changes to the system during the period

Any relevant changes that occurred during the reporting period, and any significant effects from those changes.