Disaster Recovery Controls Within SOC 1 Test of Controls Matrix
Published: Sep 14, 2015
Last Updated: Mar 14, 2016
Can I have disaster recovery controls within my SOC 1 test of controls matrix?
The short answer is no. The long answer is that the AICPA considers disaster recovery and business continuity planning to be plans rather than controls. Additionally, while disaster recovery and business continuity planning may be of interest to user entities, the AICPA does not consider business continuity to be relevant to internal control over financial reporting, so it cannot be included in the description of controls or the test of controls within a SOC 1.
Controls related to redundancy and availability can be included where appropriate, but disaster recovery is typically covered in Section 5 (Additional Information Provided by Management). Alternatively, the service organization can consider other assessments that address disaster recovery (such as SOC 2, ISO certification, etc.).
About Lauren Edmonds
Lauren Edmonds is a Managing Director at Schellman based in Denver, Colorado. With more than 20 years of audit and compliance experience, Lauren has participated in more than 2,000 assessments including SOC 1, SOC 2, SOC 3, WebTrust, PCI DSS, FedRAMP, IRAP, NIST, HIPAA, ISO certification reviews and general attestation projects evaluating and assessing global corporations’ IT control environments and business processes. In addition, she has internal audit experience in network security, risk assessment, IT general controls, and systems development. Through the various audits performed, Lauren has evaluated risks and controls for a number of industries and organizations including financial services, manufacturing, marketing, distribution, and service-based organizations, such as telecommunications providers, data center, managed, and security service providers. Lauren is a PCI QSA and maintains the CISSP, CISA, and CCSK certifications. Additionally, Lauren is trained as a lead auditor for ISO 27001 (27017, 27018, 27701), ISO 9001, ISO 20000-1 and ISO 22301 Standards.