Updated Core (SOC 2) Security Controls 

At Trustero, our mission is to empower your organization with reliable and trustworthy compliance solutions that reduce risk and ensure peace of mind. To that end, we are constantly enhancing our GRC AI functionality, which includes the ongoing examination and testing of controls.

Our latest updates are designed to make your governance, risk, and compliance (GRC) journey smoother and more robust. The newly revised control details improve the accuracy and reliability of our “Examine and Test” GRC AI feature, formerly known as AuditScan. These updates address a critical gap reported by customers—reducing false positives and ensuring that control results truly reflect their operational effectiveness.

This means fewer surprises during manual audits, less time spent chasing inaccurate results, and more confidence in the health of your governance, risk, and compliance (GRC) program.

Ready to upgrade? If yes, fill out this form to get your control upgrades scheduled. 

Why Upgrade?

Here are the high-level improvements included in this release:

Updated Controls Across Multiple Frameworks:

1. Provide users with better actionable guidance across SOC 2 and controls applicable to other frameworks, including PCI, HIPAA, NIST CSF, and HITRUST.
2. Update required evidence and test procedures for Examine and Test (formerly AuditScan), enhancing the reliability, consistency, and trustworthiness of results when assessing the operating effectiveness of controls.

Note: *There is no material impact to current customers using these controls.

*What does this mean? This update refines and enhances controls without altering their core implementation. If you are a current customer already using these controls, no additional effort is required to maintain alignment. These refinements are designed to provide clearer guidance and more precise assessments for future use.

By the Numbers

This update includes 67 changes, of which 51 are specific to SOC 2 controls, also known as the core security controls that form the foundation of every framework. These updates also include controls outside of the recent ISO 27001 changes, applicable to other critical frameworks such as PCI, HIPAA, NIST CSF, and HITRUST.

• Policy Changes: 0
• Controls Updated: 67
• Control Names Updated: 0
• Objectives Updated: 51 (*19 based on user feedback, 32 minor tweaks or similar updates)
• General Guidance Updated: 67
• Required Evidence Updated: 67
• Test Procedures Updated: 67

Control Objective Changes

Why Objectives Matter
Control objectives provide context and guardrails for what each control encompasses. These are high-level, precise summaries of the end goal of a control, answering:

• “What is covered within this control?”
• “Why does this control even exist, and why is it important?”

Controls exist to mitigate potential threats to the organization, such as system downtime, loss of data integrity or trustworthiness (negative news exposure), or monetary losses due to regulatory fines or lawsuits. The updated objectives ensure clarity and alignment with real-world risks and organizational needs.

*What Changed in This Update

• Of the 51 updated objectives, 19 changes were based directly on user feedback. These updates completely revised the language of the objectives to provide greater clarity, but do not require any additional effort from users beyond what was already required.
• The remaining 32 objectives underwent slight tweaks or similar updates to improve their precision and readability.
• Expanded Context for GRC Success: All updated objectives now include additional GRC insights, adding depth and clarity to the original objectives. These enhancements are designed to support users and improve the reliability of the Examine and Test feature.

These changes ensure that objectives are not only clear and actionable but also aligned with evolving user needs and organizational priorities.

General Guidance Updates

What General Guidance Does
General guidance offers universally applicable, high-level advice for implementing each control. It’s designed to provide direction without assuming specific organizational contexts or environments.

Addressing the Gaps
While general guidance is helpful, its universality can leave gaps for individual organizations. To address this, the Tailored Guidance field was created, enabling users to incorporate actionable tasks specific to their environment, as defined on the Scope page.

Required Evidence Changes

Why the Changes Matter
The updated required evidence definitions are more explicit and uniform, ensuring clarity around what’s needed to pass control tests. These revisions were designed to enable Examine and Test to assess compliance with control objectives more accurately.

Aligning Evidence with Objectives
The focus is on what the “output” should be when users operationalize controls based on the General Guidance action items. This alignment ensures that evidence supports both audit assurance and operational effectiveness to mitigate associated risks.

Test Procedures Updates

How Test Procedures Have Improved
The revised test procedures are more concrete and objective, enabling Examine and Test to evaluate evidence against all aspects of the control tests more accurately. These updates are designed to maximize consistency and reliability, providing a “green” response only when control objectives are met.

Maximizing Your Value with Trustero
These updates were made with your success in mind, ensuring that Trustero curated content delivers maximum value by improving the reliability of our GRC AI functionality. Upgrade today to take full advantage of these enhancements and experience smoother, more accurate risk and compliance management.

Ready to upgrade? If yes, fill out this form to get your control upgrades scheduled.