Frameworks Control Sets
A control set is a collection of security controls designed to help organizations meet specific cybersecurity frameworks or compliance requirements. These sets are organized by level or tailored to specific requirements, providing a structured approach to managing your security program.
In the context of SOC 2, organizations can select up to five categories of Trust Services Criteria that align with their system’s service commitments and requirements, as well as the related control activities they perform to meet their objectives.
What Are the SOC 2 TSCs?
The TSC is a set of five categories that organize the SOC 2 controls:
(CC) Security, also known as common criteria: Controls that protect against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
(A) Availability: Controls that ensure data and systems are available for operation and use to meet business objectives.
(C) Confidentiality: Controls that protect confidential information to meet the entity’s objectives.
(PI) Processing integrity: Controls that ensure the organization's systems process data in a way that is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
(P) Privacy: Controls that ensure personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The Security TSC is mandatory for any SOC 2 report; the other four categories (availability, confidentiality, processing integrity, and privacy) are optional and should be included when they apply to your business and service commitments (i.e., objectives).
Changing the SOC 2 TSCs in Vanta
Before changing the control set, it's essential to assess which TSCs align best with your organization’s service commitments and requirements related to the in-scope system(s) and data handling practices.
Keep in mind that adding TSCs can introduce additional controls that may require significant investment in IT resources and staff training.
Similarly, only having Security in scope may reduce the control burden, but it could expose your organization to increased risk if not carefully considered.
Please note: Only Vanta Admins have the privilege to make changes to the control set. Changing your control set during an active audit can delay or compromise your audit. Modifying the control set during an audit could alter the audit scope, potentially impacting the accuracy of the audit results and increasing audit costs.
1. Locate the Control Set Filter
From the Frameworks page, select SOC 2
Below the framework name you will see the control set filter (“Control Set:”). Select the pen icon to edit it.
Click the filter to view the list of available control sets (Security, Availability, Confidentiality, Processing Integrity, Privacy). The list shows the set your organization is currently using and the sets you can add.
Once you select a different control set, a modal will appear. This modal will display the following:
The current control set your organization is using.
The control set you are about to update to.
An important note stating changes to a framework control set are not allowed during an active audit.
2. Review the Impact
Carefully review the differences between your current control set and the one you plan to implement.
After reviewing, confirm the change. Be aware that updating the control set can have a significant impact on your compliance environment, including:
New controls may require additional resources to implement and maintain.
Removing controls could reduce your organization’s overall security posture, potentially leaving it more vulnerable to cyber threats.
Manual customizations are not carried over when you change the control set: deactivating a control manually or adding a custom one does not change the SOC 2 baseline, and if the criterion those controls belong to is removed from the control set, those manual changes are lost.
3. Impact on Your SOC 2 Control Environment
Modifying your SOC 2 control set by adding or removing TSCs, especially during an active audit, can disrupt the audit process. A change to the control set alters the scope of the audit, affecting its accuracy and potentially leading to additional audit fees. Agree with your auditor on which TSCs your SOC 2 audit will include before the audit begins.
Adding TSCs to your SOC 2 scope may introduce controls that require:
Increased operational capacity: Implementing new controls may require additional staff, training, or IT infrastructure.
Ongoing monitoring and maintenance: As your control scope becomes more robust, your organization will need to monitor these controls to ensure continuous compliance and security.