When the AICPA published the Trust Services Criteria, it adopted the COSO idea of having points of focus that relate to each of the criteria. It defines them as “important characteristics of the criteria.” The way to think about them is as a “guide” for meeting criteria. They are not required: you don’t have to have controls that match their verbiage, and you likely won’t need controls that relate to every point of focus in order to meet criteria.
What are the SOC2 “Points of Focus” I hear about?
They are a guide, not required

Written by Mr. ByteChek
Updated over a week ago