SOC 2 Checklist

This document is a checklist for assessing readiness for a SOC 2 audit. It lists controls with their IDs, names and descriptions, together with their current implementation status (every control on this copy is recorded as Not Implemented). The checklist contains well over 100 controls across the SOC 2 common criteria, covering governance, communication, risk management, monitoring, control activities, logical and physical access, and system operations.
Uploaded by Alberto Huamani

SOC 2 checklist

Use this checklist to assess your SOC 2 audit readiness and implementation status.

Want to improve your score and compliance? Let CyberArrow do it for you. Schedule a live demo

Each entry below gives the control ID and control name, the implementation status in brackets, and the control description on the following line.

CC1-1.1  Perform employee background check  [Not Implemented]
  The entity performs background checks on new employees.

CC1-1.2  Acknowledgement of contractor Code of Conduct  [Not Implemented]
  The entity requires contractor agreements to include a code of conduct or a reference to the entity's code of conduct.

CC1-1.3  Acknowledgement and enforcement of employee Code of Conduct  [Not Implemented]
  The entity requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary action in accordance with a disciplinary policy.

CC1-1.4  Confidentiality agreement acknowledged by contractors  [Not Implemented]
  The entity requires contractors to sign a confidentiality agreement at the time of engagement.

CC1-1.5  Confidentiality agreement acknowledged by employees  [Not Implemented]
  The entity requires employees to sign a confidentiality agreement during onboarding.

CC1-1.6  Conducting annual performance evaluations  [Not Implemented]
  The entity's managers are required to complete performance evaluations for direct reports at least annually.

CC1-2.1  Board oversight briefings conducted  [Not Implemented]
  The entity's board of directors, or a relevant subcommittee, is briefed by senior management at least annually on the state of the entity's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

CC1-2.2  Documented charter for Board responsibilities  [Not Implemented]
  The entity's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

CC1-2.3  Development of board expertise  [Not Implemented]
  The entity's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

CC1-2.4  Conducting annual board meetings  [Not Implemented]
  The entity's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the entity.

cyberarrow.io
CC1-3.1  Charter for board responsibilities  [Not Implemented]
  The entity's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

CC1-3.2  Defined management roles and responsibilities  [Not Implemented]
  The entity's management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

CC1-3.3  Documented organizational chart  [Not Implemented]
  The entity maintains an organizational chart that describes the organizational structure and reporting lines.

CC1-3.4  Assignment of roles and responsibilities  [Not Implemented]
  Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

CC1-4.1  Formal assignment of roles and responsibilities  [Not Implemented]
  Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

CC1-4.2  Perform employee background checks  [Not Implemented]
  The entity performs background checks on new employees.

CC1-4.3  Conduct annual performance evaluations  [Not Implemented]
  The entity's managers are required to complete performance evaluations for direct reports at least annually.

CC1-4.4  Periodic security awareness training sessions  [Not Implemented]
  The entity requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

CC1-5.1  Specifying roles and responsibilities  [Not Implemented]
  Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

CC1-5.2  Code of Conduct acknowledged by employees and enforced  [Not Implemented]
  The entity requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary action in accordance with a disciplinary policy.

CC1-5.3  Annually conducted performance evaluations  [Not Implemented]
  The entity's managers are required to complete performance evaluations for direct reports at least annually.
CC2-1.1  Conducting annual control self-assessments  [Not Implemented]
  The entity performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the entity has committed to an SLA for a finding, the corrective action is completed within that SLA.

CC2-1.2  Utilized log management tool  [Not Implemented]
  The entity utilizes a log management tool to identify events that may have a potential impact on the entity's ability to achieve its security objectives.

CC2-1.3  Scanning and remediating vulnerabilities  [Not Implemented]
  Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

CC2-2.1  Establishment of whistle-blower policy  [Not Implemented]
  The entity has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

CC2-2.2  Defining management roles and responsibilities  [Not Implemented]
  The entity's management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

CC2-2.3  Specified roles and responsibilities  [Not Implemented]
  Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

CC2-2.4  Establish and review information security policies and procedures  [Not Implemented]
  The entity's information security policies and procedures are documented and reviewed at least annually.

CC2-2.5  Communicate system changes  [Not Implemented]
  The entity communicates system changes to authorized internal users.

CC2-2.6  Establish incident response policies and procedures  [Not Implemented]
  The entity has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

CC2-2.7  Communicate product and service description  [Not Implemented]
  The entity provides a description of its products and services to internal and external users.

CC2-2.8  Implement complete security awareness training  [Not Implemented]
  The entity requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

CC2-3.1  Communicate system changes to customers  [Not Implemented]
  The entity notifies customers of critical system changes that may affect their processing.
CC2-3.2  Availability of external-facing support system  [Not Implemented]
  The entity has an external-facing support system in place that allows users to report information on system failures, incidents, concerns, and other complaints to appropriate personnel.

CC2-3.3  Communication of security commitments to customers  [Not Implemented]
  The entity's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

CC2-3.4  Availability of external support to customers  [Not Implemented]
  The entity provides guidelines and technical support resources relating to system operations to customers.

CC2-3.5  Communication of services to internal and external users  [Not Implemented]
  The entity provides a description of its products and services to internal and external users.

CC2-3.6  Establish written agreements with vendors and third parties  [Not Implemented]
  The entity has written agreements in place with vendors and related third parties. These agreements include confidentiality and privacy commitments applicable to that entity.

CC3-1.1  Specify objectives for risk assessment  [Not Implemented]
  The entity specifies its objectives to enable the identification and assessment of risk related to the objectives.

CC3-1.2  Documenting risk management program  [Not Implemented]
  The entity has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

CC3-2.1  Annual testing of business continuity and disaster recovery  [Not Implemented]
  The entity has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

CC3-2.2  Perform risk assessments annually  [Not Implemented]
  The entity's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

CC3-2.3  Establish risk management program  [Not Implemented]
  The entity has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

CC3-2.4  Implement vendor management program  [Not Implemented]
  The entity has a vendor management program in place. Components of this program include:
  - critical third-party vendor inventory;
  - vendor's security and privacy requirements; and
  - review of critical third-party vendors at least annually.
CC3-3.1  Perform risk assessments  [Not Implemented]
  The entity's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

CC3-3.2  Establishment of risk management program  [Not Implemented]
  The entity has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

CC3-4.1  Establish configuration management procedure  [Not Implemented]
  The entity has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

CC3-4.2  Annual penetration testing  [Not Implemented]
  The entity's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

CC3-4.3  Risk assessments are performed annually  [Not Implemented]
  The entity's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

CC3-4.4  Risk management program is established  [Not Implemented]
  The entity has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

CC4-1.1  Control self-assessments are conducted  [Not Implemented]
  The entity performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the entity has committed to an SLA for a finding, the corrective action is completed within that SLA.
CC4-1.2  Perform penetration testing annually  [Not Implemented]
  The entity's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

CC4-1.3  Establish vendor management program  [Not Implemented]
  The entity has a vendor management program in place. Components of this program include:
  - critical third-party vendor inventory;
  - vendor's security and privacy requirements; and
  - review of critical third-party vendors at least annually.

CC4-1.4  Vulnerabilities are scanned and remediated  [Not Implemented]
  Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

CC4-2.1  Control self-assessments conducted for effective operation  [Not Implemented]
  The entity performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the entity has committed to an SLA for a finding, the corrective action is completed within that SLA.

CC4-2.2  Vendor management program is established  [Not Implemented]
  The entity has a vendor management program in place. Components of this program include:
  - critical third-party vendor inventory;
  - vendor's security and privacy requirements; and
  - review of critical third-party vendors at least annually.

CC5-1.1  Security policies and procedures are established and reviewed  [Not Implemented]
  The entity's information security policies and procedures are documented and reviewed at least annually.

CC5-1.2  Risk management program is established for guidance  [Not Implemented]
  The entity has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

CC5-2.1  SDLC is established  [Not Implemented]
  The entity has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
CC5-2.2  Security policies and procedures established and reviewed annually  [Not Implemented]
  The entity's information security policies and procedures are documented and reviewed at least annually.

CC5-2.3  Document the requirements for access control functions  [Not Implemented]
  The entity's access control policy documents the requirements for the following access control functions:
  - adding new users;
  - modifying users; and/or
  - removing an existing user's access.

CC5-3.1  Retention and disposal procedures for company and customer data  [Not Implemented]
  The entity has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

CC5-3.2  Management of changes to software and infrastructure components  [Not Implemented]
  The entity requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

CC5-3.3  Documented systems development life cycle  [Not Implemented]
  The entity has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

CC5-3.4  Establishment of data backup policy  [Not Implemented]
  The entity's data backup policy documents requirements for backup and recovery of customer data.

CC5-3.5  Roles and responsibilities are specified  [Not Implemented]
  Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

CC5-3.6  Documentation and review of information security policies and procedures  [Not Implemented]
  The entity's information security policies and procedures are documented and reviewed at least annually.

CC5-3.7  Document and communicate security and privacy incident response policies  [Not Implemented]
  The entity has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

CC5-3.8  Specified risk related to objectives  [Not Implemented]
  The entity specifies its objectives to enable the identification and assessment of risk related to the objectives.
CC5-3.9  Documenting risk management program for managing identified risks  [Not Implemented]
  The entity has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

CC5-3.10  Program for vendor management  [Not Implemented]
  The entity has a vendor management program in place. Components of this program include:
  - critical third-party vendor inventory;
  - vendor's security and privacy requirements; and
  - review of critical third-party vendors at least annually.

CC6-1.1  Maintaining production system inventory  [Not Implemented]
  The entity maintains a formal inventory of production system assets.

CC6-1.2  Restricted access for migration of changes to production  [Not Implemented]
  The entity restricts access to migrate changes to production to authorized personnel.

CC6-1.3  Enforcing secure authentication to production datastores  [Not Implemented]
  The entity requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH keys.

CC6-1.4  Restricted access to encryption keys  [Not Implemented]
  The entity restricts privileged access to encryption keys to authorized users with a business need.

CC6-1.5  Encrypt sensitive customer data  [Not Implemented]
  The entity's datastores housing sensitive customer data are encrypted at rest.

CC6-1.6  Enforce unique account authentication  [Not Implemented]
  The entity requires authentication to systems and applications to use a unique username and password or authorized Secure Shell (SSH) keys.

CC6-1.7  Establish data classification policy  [Not Implemented]
  The entity has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

CC6-1.8  Restricted system access  [Not Implemented]
  System access is restricted to authorized users only.

CC6-1.9  Documented access control policy  [Not Implemented]
  The entity's access control policy documents the requirements for the following access control functions:
  - adding new users;
  - modifying users; and/or
  - removing an existing user's access.
CC6-1.10  Restricted access to database  [Not Implemented]
  The entity restricts privileged access to databases to authorized users with a business need.

CC6-1.11  Restricted access to firewall  [Not Implemented]
  The entity restricts privileged access to the firewall to authorized users with a business need.

CC6-1.12  Restricted access to operating system  [Not Implemented]
  The entity restricts privileged access to the operating system to authorized users with a business need.

CC6-1.13  Restricted access to production network  [Not Implemented]
  The entity restricts privileged access to the production network to authorized users with a business need.

CC6-1.15  Secure authentication for production network  [Not Implemented]
  The entity requires authentication to the production network to use unique usernames and passwords or authorized Secure Shell (SSH) keys.

CC6-1.16  Configure passwords according to entity password policy  [Not Implemented]
  The entity requires passwords for in-scope system components to be configured according to the entity's policy.

CC6-1.17  MFA for remote access to production system  [Not Implemented]
  The entity's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

CC6-1.18  Approved encrypted connection for remote access  [Not Implemented]
  The entity's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

CC6-5.3  Purge customer data after revoking service  [Not Implemented]
  The entity purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

CC6-1.19  Implementing network segmentation  [Not Implemented]
  The entity's network is segmented to prevent unauthorized access to customer data.

CC6-2.1  Document access control policy  [Not Implemented]
  The entity's access control policy documents the requirements for the following access control functions:
  - adding new users;
  - modifying users; and/or
  - removing an existing user's access.

CC6-2.2  Quarterly review of access  [Not Implemented]
  The entity conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.
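The CC6-1.x controls above state what production authentication must look like (unique, attributable accounts; passwords governed by policy; MFA for remote access) but not how to evidence it on a host. The following is an added example for this checklist, not CyberArrow's code: it audits the global section of an OpenSSH sshd_config against those controls and reports findings keyed by control ID. Both configuration samples are constructed for the example, and the thresholds (root login disabled, password authentication either policy-governed or disabled, every AuthenticationMethods alternative requiring two factors) are one reasonable reading of "authorized secure authentication mechanisms", to be replaced by the entity's own hardening standard under CC6-6.8.

```python
"""Audit an OpenSSH sshd_config against the checklist's production
authentication controls (CC6-1.6, CC6-1.16, CC6-1.17).

Added example for this checklist, not CyberArrow's code. The two
configurations below are constructed samples, and the expected settings
are an assumption about what the entity's hardening standard requires.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: permissive settings typical of a fresh install.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: key plus a second factor (keyboard-interactive via PAM,
# e.g. a TOTP module), and no shared root login.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

# OpenSSH defaults for the directives checked, applied when a directive is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "authenticationmethods": "any",
}


@dataclass(frozen=True)
class Finding:
    control: str    # checklist control ID the finding maps to
    directive: str  # sshd_config keyword at fault
    detail: str     # what was found and what to change


def parse_sshd_config(text: str) -> dict[str, str]:
    """Keyword -> value for the global section only.

    Keywords are case-insensitive and, as in sshd itself, the FIRST occurrence
    of a keyword wins. Parsing stops at the first Match block, whose settings
    are conditional and need a separate review.
    """
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        if "=" in line and (" " not in line or line.index("=") < line.index(" ")):
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.strip().lower()
        if key == "match":
            break
        cfg.setdefault(key, value.strip())
    return cfg


def requires_mfa(methods: str) -> bool:
    """True if every AuthenticationMethods alternative (space-separated) demands
    at least two distinct methods (comma-separated); 'any' means single factor."""
    methods = methods.strip()
    if methods in ("", "any"):
        return False
    return all(len(set(alt.split(","))) >= 2 for alt in methods.split())


def audit_sshd(text: str) -> list[Finding]:
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings: list[Finding] = []
    # CC6-1.6: root is a shared account, so a root login is not attributable
    # to one person; 'prohibit-password' still allows root via keys.
    if cfg["permitrootlogin"] != "no":
        findings.append(Finding("CC6-1.6", "PermitRootLogin",
                                f"is {cfg['permitrootlogin']!r}; set 'no' so every login maps to a unique account"))
    # CC6-1.16: a live password path must be governed by the password policy,
    # and empty passwords can never satisfy one.
    if cfg["permitemptypasswords"] != "no":
        findings.append(Finding("CC6-1.16", "PermitEmptyPasswords", "must be 'no'"))
    if cfg["passwordauthentication"] == "yes":
        findings.append(Finding("CC6-1.16", "PasswordAuthentication",
                                "is 'yes'; enforce the entity password policy on this host or set 'no' and require keys"))
    # CC6-1.17: remote access to production requires a valid MFA method.
    if not requires_mfa(cfg["authenticationmethods"]):
        findings.append(Finding("CC6-1.17", "AuthenticationMethods",
                                f"is {cfg['authenticationmethods']!r}; require e.g. 'publickey,keyboard-interactive'"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {len(audit_sshd(text))} finding(s)")
        for f in audit_sshd(text):
            print(f"  {f.control} {f.directive}: {f.detail}")
```

Run it against `/etc/ssh/sshd_config` from each in-scope host and keep the output with the host inventory (CC6-1.1) as audit evidence; a host that sits behind a bastion still needs the same settings, since the control is about the production system, not only the first hop.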
CC6-2.3  Revoke access upon termination  [Not Implemented]
  The entity completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

CC6-6.3  Enforce encrypted remote access connections  [Not Implemented]
  The entity's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

CC6-2.5  Enforce secure mechanisms for authentication to production network  [Not Implemented]
  The entity requires authentication to the production network to use unique usernames and passwords or authorized Secure Shell (SSH) keys.

CC6-3.1  Establishment of access control functions  [Not Implemented]
  The entity's access control policy documents the requirements for the following access control functions:
  - adding new users;
  - modifying users; and/or
  - removing an existing user's access.

CC6-3.2  Conducting access reviews  [Not Implemented]
  The entity conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.

CC6-3.3  Revoking access for terminated employees  [Not Implemented]
  The entity completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

CC6-6.5  Use of secure data transmission protocols  [Not Implemented]
  The entity uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

CC6-3.5  Secure authentication to production network  [Not Implemented]
  The entity requires authentication to the production network to use unique usernames and passwords or authorized Secure Shell (SSH) keys.

CC6-4.1  Access reviews conducted quarterly  [Not Implemented]
  The entity conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.

CC6-4.2  Physical access processes established  [Not Implemented]
  The entity has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.

CC6-4.3  Review data center access annually  [Not Implemented]
  The entity reviews access to the data centers at least annually.

CC6-4.4  Enforce procedures for data center visitors  [Not Implemented]
  The entity requires visitors to sign in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.
CC6-5.1  Enforce proper asset disposal procedures  [Not Implemented]
  The entity has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

CC6-5.2  Establish data retention and disposal procedures  [Not Implemented]
  The entity has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

CC6-7.3  Secure data transmission over public networks  [Not Implemented]
  The entity uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

CC6-5.4  Checklists for revoking access after termination  [Not Implemented]
  The entity completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

CC6-6.1  Secure authentication for production network access  [Not Implemented]
  The entity requires authentication to the production network to use unique usernames and passwords or authorized Secure Shell (SSH) keys.

CC6-6.2  Enforced MFA for remote access  [Not Implemented]
  The entity's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

CC6-1.14  Access based on job role  [Not Implemented]
  The entity ensures that user access to in-scope system components is based on job role and function, or requires a documented access request form and manager approval prior to access being provisioned.

CC6-2.4  Documenting access request forms  [Not Implemented]
  The entity ensures that user access to in-scope system components is based on job role and function, or requires a documented access request form and manager approval prior to access being provisioned.

CC6-3.4  Access through manager's approval  [Not Implemented]
  The entity ensures that user access to in-scope system components is based on job role and function, or requires a documented access request form and manager approval prior to access being provisioned.

CC6-6.6  Review firewall rulesets  [Not Implemented]
  The entity reviews its firewall rulesets at least annually. Required changes are tracked to completion.

CC6-6.7  Preventing unauthorized access using firewalls  [Not Implemented]
  The entity uses firewalls and configures them to prevent unauthorized access.

CC6-6.4  Continuous monitoring of network using IDS  [Not Implemented]
  The entity uses an intrusion detection system to provide continuous monitoring of the entity's network and early detection of potential security breaches.
CC6-6.9  Maintain service infrastructure  [Not Implemented]
  The entity has the infrastructure supporting the service patched as part of routine maintenance and as a result of identified vulnerabilities, to help ensure that servers supporting the service are hardened against security threats.

CC6-7.1  Encrypting portable and removable media  [Not Implemented]
  The entity encrypts portable and removable media devices when used.

CC6-7.2  Mobile devices centrally managed using MDM  [Not Implemented]
  The entity has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

CC6-6.8  Maintain network and system hardening  [Not Implemented]
  The entity's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.

CC6-8.1  Establish formal systems development life cycle  [Not Implemented]
  The entity has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

CC6-8.2  Deploy anti-malware on all relevant systems  [Not Implemented]
  The entity deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures it to be updated routinely, logged, and installed on all relevant systems.

CC6-8.3  Service infrastructure patch maintenance  [Not Implemented]
  The entity has the infrastructure supporting the service patched as part of routine maintenance and as a result of identified vulnerabilities, to help ensure that servers supporting the service are hardened against security threats.

CC7-1.1  Configuration management system established  [Not Implemented]
  The entity has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

CC7-1.2  Enforce proper change management for software and infrastructure components  [Not Implemented]
  The entity requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

CC7-1.3  Policies for vulnerability management and system monitoring  [Not Implemented]
  The entity's formal policies outline the requirements for the following functions related to IT / Engineering:
  - vulnerability management;
  - system monitoring.
CC7-1.4  Formally assessed risks through risk assessments  [Not Implemented]
  The entity's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

CC7-1.5  Scan and remediate vulnerabilities on all external-facing systems  [Not Implemented]
  Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

CC7-2.1  Annual penetration testing and remediation  [Not Implemented]
  The entity's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

CC7-2.2  IDS for early detection of potential security breaches  [Not Implemented]
  The entity uses an intrusion detection system to provide continuous monitoring of the entity's network and early detection of potential security breaches.

CC7-2.3  Utilizing log management tool for event identification  [Not Implemented]
  The entity utilizes a log management tool to identify events that may have a potential impact on the entity's ability to achieve its security objectives.

CC7-2.4  Tool for monitoring infrastructure performance  [Not Implemented]
  An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance, and generates alerts when specific predefined thresholds are met.

CC7-2.5  Establish vulnerability and system monitoring procedures  [Not Implemented]
  The entity's formal policies outline the requirements for the following functions related to IT / Engineering:
  - vulnerability management;
  - system monitoring.

CC7-2.6  Routine maintenance for service infrastructure  [Not Implemented]
  The entity has the infrastructure supporting the service patched as part of routine maintenance and as a result of identified vulnerabilities, to help ensure that servers supporting the service are hardened against security threats.

CC7-2.7  Vulnerability scanning and remediation  [Not Implemented]
  Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

CC7-3.1  Documenting security and privacy incident response policies and procedures  [Not Implemented]
  The entity has security and privacy incident response policies and procedures that are documented and communicated to authorized users.
CC7- Management of The entity's security and privacy incidents are
3.2 incident through logged, tracked, resolved, and communicated
response policy and to affected or relevant parties by management Not Implemented
procedures according to The entity's security incident
response policy and procedures.
CC7- Testing incident The entity tests their incident response plan at Not Implemented
4.1 response plan least annually.
CC7- Documenting and The entity has security and privacy incident
4.2 communicating response policies and procedures that are
incident response documented and communicated to authorized Not Implemented
policies and users.
procedures
CC7- Enforcement of The entity's security and privacy incidents are
4.3 incident response logged, tracked, resolved, and communicated
policy and procedures to affected or relevant parties by management Not Implemented
according to The entity's security incident
response policy and procedures.
CC7- Maintenance of The entity has infrastructure supporting the
4.4 service infrastructure service patched as a part of routine
maintenance and as a result of identified
vulnerabilities to help ensure that servers Not Implemented
supporting the service are hardened against
security threats.
CC7- Quarterly scanning for Host-based vulnerability scans are performed
4.5 vulnerabilities and at least quarterly on all external-facing systems.
remediation Critical and high vulnerabilities are tracked to Not Implemented
remediation.
CC7- Testing business The entity has a documented business
5.1 continuity/disaster continuity/disaster recovery (BC/DR) plan and Not Implemented
recovery annually tests it at least annually.
CC7- Test the incident The entity tests their incident response plan at
Not Implemented
5.2 response plan least annually.
CC7- Incident response The entity has security and privacy incident
5.3 policies and response policies and procedures that are
Not Implemented
procedures documented and communicated to authorized
users.
CC7- Security and privacy The entity's security and privacy incidents are
5.4 incident management logged, tracked, resolved, and communicated
to affected or relevant parties by management Not Implemented
according to The entity's security incident
response policy and procedures.
CC8- Enforcing change The entity requires changes to software and
1.1 management infrastructure components of the service to be Not Implemented
procedures authorized, formally documented, tested,

14 cyberarrow.io
reviewed, and approved prior to being
implemented in the production environment.
CC8- Restricted access for The entity restricts access to migrate changes
Not Implemented
1.2 production changes to production to authorized personnel.
CC8- Establishment of The entity has a formal systems development
1.3 formal systems life cycle (SDLC) methodology in place that
development life cycle governs the development, acquisition,
methodology implementation, changes (including emergency Not Implemented
changes), and maintenance of information
systems and related technology requirements.
CC8- Perform annual The entity's penetration testing is performed at
1.4 peneration testing least annually. A remediation plan is developed
Not Implemented
and changes are implemented to remediate
vulnerabilities in accordance with SLAs.
CC8- Maintenance of The entity's network and system hardening
1.5 network and system standards are documented, based on industry Not Implemented
hardening standards best practices, and reviewed at least annually.
CC8- Service infrastructure The entity has infrastructure supporting the
1.6 management service patched as a part of routine
maintenance and as a result of identified
Not Implemented
vulnerabilities to help ensure that servers
supporting the service are hardened against
security threats.
CC8- Vulnerabilities Host-based vulnerability scans are performed
1.7 scanned and at least quarterly on all external-facing systems.
Not Implemented
remediated Critical and high vulnerabilities are tracked to
remediation.
CC9- Business continuity The entity has Business Continuity and
1.1 and disaster recovery Disaster Recovery Plans in place that outline
plans communication plans in order to maintain Not Implemented
information security continuity in the event of
the unavailability of key personnel.
CC9- Maintenance of The entity maintains cybersecurity insurance to
1.2 cybersecurity mitigate the financial impact of business Not Implemented
insurance disruptions.
CC9- Risks assessments The entity's risk assessments are performed at
1.3 performed annually least annually. As part of this process, threats
and changes (environmental, regulatory, and
technological) to service commitments are
Not Implemented
identified and the risks are formally assessed.
The risk assessment includes a consideration
of the potential for fraud and how fraud may
impact the achievement of objectives.
CC9- Documented risk The entity has a documented risk management
1.4 management program program in place that includes guidance on the Not Implemented
identification of potential threats, rating the
significance of the risks associated with the

15 cyberarrow.io
identified threats, and mitigation strategies for
those risks.
CC9- Establishment of third- The entity has written agreements in place with
2.1 party agreements vendors and related third-parties. These Not Implemented
agreements include confidentiality and privacy
commitments applicable to that entity.
CC9- Necessary The entity has a vendor management program
2.2 components for in place. Components of this program include:
Not Implemented
vendor management
program
- - critical third-party vendor inventory;
- - vendor's security and privacy requirements;
and
- - review of critical third-party vendors at least
annually.
SD-1 System description for The entity shall complete a description of the Not Implemented
audit report system for Section III of the SOC 2 audit report