The System Description is the section of a SOC 2 report in which the service organization describes its systems, policies, and practices as they relate to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Management writes it, the auditor examines it, and it is included in the final report, making it a crucial part of any SOC 2 audit.
The purpose of the System Description is to inform the auditor and the users of the SOC 2 report about the service organization's systems and the controls around them. The description should be thorough, covering every aspect of those systems and controls that is relevant to the Trust Services Criteria in scope for the audit. If a control is not described, the auditor has nothing to test it against.
The System Description should be tailored to the organization rather than copied from a template, and it should call out what is specific to its own systems and controls. It should also be reviewed and updated regularly so that it continues to reflect the systems and controls actually in place; a description that drifts from reality is itself an audit finding.
The information a System Description typically presents about the service organization includes:
- Business operations
- Data structures
- Control environment
- Risk assessment process
- Monitoring activities
- Incident response procedures
- Security management practices
- Data retention and destruction policies
- Privacy policies and procedures
- Availability management methods
- Processing integrity controls