Since CUECs are controls your vendor expects you to implement within your organization, and which complement the controls at the vendor, I would definitely review both the ones listed for the Common Criteria as well as those for any additional specific criteria. You can then eliminate any that don't specifically apply to your use of the vendor's product or service, or to you as an organization. Generally speaking, we recommend the following high-level steps when approaching CUECs:
• Review the CUECs and their associated control objectives to ensure the context is understood
• Determine which CUECs apply to you, as not all will always apply
• Assign each CUEC to a person/team/role for responsibility
• Determine which CUECs you are already addressing
• Address each applicable remaining CUEC
• Record how each CUEC is addressed
• Reassess the CUECs with each new SOC report or with any significant internal changes
Interested to hear if others have any thoughts on this.
Original Message:
Sent: 09-14-2021 11:08 AM
From: Anonymous Member
Subject: SOC2 CUECs
This message was posted by a user wishing to remain anonymous
In reviewing SOC2 CUECs, should you review ALL the CUECs, including any additional specific criteria for the availability (A), processing integrity (PI), confidentiality (C), and privacy (P) categories on the report, or just the common criteria (CC)?