
SOC 2 Service Commitments and System Requirements
Published On December 10, 2025
by Alan DeVaughan
One of the major sections of a SOC 2 report is the system description (usually Section 3 of the report). This section is a narrative description of the services provided by the organization as well as the controls that were tested by the auditor. Most people focus on the controls, since they want to ensure those controls were designed and operated effectively throughout the reporting period. While the controls are important, a more fundamental part of the system description is your service commitments and system requirements.
These two items are the foundational building blocks of your SOC 2 description and communicate the baseline standards implemented by your organization to anyone reading the report. Let's discuss these two key pieces of your report.
Service Commitments
These are formal commitments your organization is making to your clients or other users of the system(s) in scope. These commitments define what can be expected for each of the trust services criteria categories of security, availability, processing integrity, confidentiality, and privacy. For more information on what these categories mean, see my previous post here.
The commitments usually appear in documents such as service level agreements (SLAs), client contracts, security or privacy policies, or marketing/sales materials. The commitments form the expectations for the systems in scope and any outcomes on which your clients rely.
System Requirements
System requirements are the operational and technical capabilities your organization has established to support the service commitments. These typically include items such as infrastructure components, software (both internal and third-party tools), people, and processes. The system requirements provide definitions around how in-scope systems are designed, implemented, and maintained to provide the promised services to your clients.
So What Do They Really Mean?
Another way to think of them is that service commitments describe what you are delivering to your clients, and system requirements explain how you deliver those services.
Your service commitments and system requirements define the scope of the Type 2 examination environment. The auditor tests the controls supporting the service commitments and system requirements. Upon completion of testing, the auditor issues their opinion on whether the controls were suitably designed and operating effectively to meet the service commitments.
Final Thoughts
Understanding and documenting your service commitments and system requirements is a critical first step in any SOC 2 examination. They form the foundation of the report and the lens through which your organization’s performance is evaluated.
At Meditology, we have years of experience helping organizations like yours establish strong information security practices and improve your cybersecurity. Our tailored SOC 2 approach provides readiness assessments and remediation guidance to prepare you for the formal SOC 2 examination. We can customize your SOC 2 control set to match your organization's goals without exceeding your capabilities.
Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them.
About the Author
Alan DeVaughan | Senior Manager, IT Risk Management
Alan DeVaughan is an experienced compliance and information security senior manager who has specialized in assisting organizations with SOC 2 readiness assessments and examinations for over 10 years. In addition to leading the firm's SOC 2 service line, he serves as a consultant team leader focused on advising healthcare clients of varying sizes and complexity in the areas of IT, privacy, security, and compliance. Alan has in-depth knowledge of security and technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and FFIEC. With a background in network administration, he has over 25 years' experience in information technology consulting for a wide variety of organizations and industries.