Recommended Password Manager Capabilities for SOC 2 Audits

An SOC 2 certification is a valuable attestation for businesses such as cloud service providers, software providers, web marketing companies, and financial services organizations, as it certifies the business has acceptable controls in place to address risks associated with the use of their systems and/or services.

In order to achieve SOC 2 certification, businesses have to pass an SOC 2 audit conducted by an accredited representative of the Association of International Certified Professional Accountants (AICPA). The audit is based on AICPA´s Trust Services Criteria, which are divided into five “Principals”.

  • Security– The system is protected against unauthorized access, both physical and logical.
  • Availability– The system is available for operation and use as committed or agreed.
  • Processing Integrity– System processing is complete, accurate, timely, and authorized.
  • Confidentiality– Information designated as confidential is protected as committed or agreed.
  • Privacy– Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP).

During an audit, businesses have to demonstrate compliance with the Principles relevant to the use of their systems and/or services. For example, the Availability Principle most often applies to businesses providing colocation, data center, hosting services, and Software-as-a-Service facilities with a Service Level Agreement (SLA) in place. If a business does not offer an SLA to customers – or commits to a level of operability – it does not need to comply with the Availability Principle.

The Common Criteria for SOC 2 Security Compliance

Most businesses must comply with the Common Criteria (CC) for SOC 2 security compliance to pass an SOC 2 audit. In the context of recommended password manager capabilities, the Common Criteria to consider are those relating to “logical access controls” in CC6 of the Trust Services Criteria. These stipulate:

  • 1. “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.”
  • 2. “Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.”
  • 3. “The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.”

One of the most logical solutions for complying with these requirements is an enterprise-scale password manager such as Bitwarden that has a customizable management and administration hierarchy which can assign, monitor, manage, and remove system access according to users´ roles and responsibilities in order to protect information from unauthorized access.

Additional Recommended Password Manager Capabilities

Many password managers support a degree of customization; but, to use this capability to its full extent without increasing the administration overhead, it is important the password manager syncs with LDAP and other directory services to streamline user provisioning and deprovisioning. It is also important the password manager has a granular policy engine for fine-tuning RBACs.

Other recommended password manager capabilities include options to automate access, assign custom roles, and restrict users to read-only access. Capabilities such as the options to hide passwords, disable the password “copy” function, and hide TOTP Authentication seeds also helps businesses demonstrate compliance with the Common Criteria for SOC 2 security compliance.

One final consideration is the end user experience. Whereas a Type 1 SOC 2 certification is a point-in-time certification attesting acceptable controls exist, businesses may find customers are more interested in a Type II SOC 2 certification which attests not only that acceptable controls exist, but also that they are operating effectively – i.e., that end users are using the controls.

If a password manager is complicated to configure or inconvenient to use, the likelihood exists that controls may not be applied correctly or that end users will circumnavigate the controls “to get the job done”. With Bitwarden´s ease of use and extensive range of client apps, the possibility of a business´s compliance efforts being undermined by a poor user experience is considerably reduced.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of