What are the SOC 2 Trust Service Criteria?

Updated: Aug 18


Data security plays a crucial role in building the trust of clients and partners, especially if you are a SaaS provider. Organizations use a SOC 2 report to prove to their clients that they can handle data safely. Now, the question is: why SOC 2?

SOC 2 compliance is based on the Trust Service Criteria (TSCs). These Trust Service Criteria were established by the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA). They are used to evaluate and report on the suitability of the design and operating effectiveness of controls relevant to the following principles:


1. Security

2. Availability

3. Processing Integrity

4. Confidentiality

5. Privacy

These 5 Trust Service Criteria act as the evaluation structure of the SOC 2 audit and report. Of the 5 TSCs, all SOC 2 reports must include the Security Trust Service Criteria. The other 4 TSCs are optional and can be added to the report at the discretion of management.


Five AICPA Trust Services Criteria (TSCs)


It is imperative to clearly understand each criterion that constitutes the SOC 2 report, for two primary reasons. Firstly, it will help you understand the controls and processes behind each criterion. Secondly, it will help you distinguish which criteria are applicable and useful for your organization.

  • Security: Safeguard information and systems against unauthorized access and unauthorized disclosure.

  • Availability: Information and systems should meet your organization's service objectives as stated in its SLAs.

  • Processing integrity: Systems should perform their functions completely and accurately to meet the organization's objectives.

  • Confidentiality: Information designated as confidential should be protected by limiting its access, storage, and use.

  • Privacy: Protect clients' personal data so that no one uses, retains, or discloses it without authorization.

Let's discuss each Trust Service Criterion in detail for a better understanding.


1. Security


The security trust criterion protects information throughout its lifecycle within an organization. According to SOC 2 guidelines, it is mandatory to include the Security Trust Service Criteria in all SOC 2 reports. This criterion protects data from unauthorized access and unauthorized disclosure.

Security controls are designed to include an array of risk-mitigating solutions such as endpoint protection and network monitoring tools. Security controls include tools such as:

  • Firewalls for both your network and web applications

  • Multi-factor authentication

  • Intrusion detection

2. Availability


The availability trust criterion helps determine whether the organization's employees, clients, and partners can rely on its systems to do their work.

The availability criterion does not set a minimum acceptable performance level. It does, however, address whether systems include controls to support and maintain system operation. Examples include performance monitoring, sufficient data backups, and disaster recovery plans. For instance, if your data center is flooded, you should have power and compute redundancy in place. With such controls, data availability is maintained even in the case of hardware failure.

Consider including the Availability Trust Service Criteria in your SOC 2 if:

  • You have a platform that offers continuous delivery or deployment.

  • Any electrical damage would prevent your clients from building or deploying changes to their services, as is the case for cloud computing or cloud data storage providers.

  • Your customers have concerns regarding downtime, including SLAs (Service Level Agreements).

The Availability principle typically applies to companies providing data centers, SaaS (Software as a Service), or hosting services to their clients.

3. Processing Integrity


The processing integrity trust criterion is focused on data accuracy. It oversees the completeness of the end-to-end process to ensure that applications function without delay, error, omission, or accidental data manipulation. Processing integrity is aided by quality assurance (QA) to ensure that the system achieves its purpose.

For instance, all hospital systems must have precise information regarding the blood types of patients. The program must process and store data reliably in order to maintain processing integrity. Accordingly, the Software Development Lifecycle (SDLC), how the code is written, and how information is handled all contribute to data security and integrity.

Consider including the Processing Integrity criterion in your SOC 2 report if:

  • Your organization performs transactions on a regular basis

  • You process transactions on behalf of your clients

  • You are an e-commerce company

4. Confidentiality


The confidentiality trust criterion evaluates how organizations protect confidential information by limiting its access, storage, and use. It ensures that only authorized individuals can view sensitive information such as legal documents or Personally Identifiable Information (PII).

Consider including the Confidentiality criterion in your SOC 2 report if your organization handles confidential data such as personal information (PI), passwords, and financial reports.


5. Privacy


The Confidentiality and Privacy Trust Service Criteria are similar in function yet subtly different.

The Confidentiality TSC assures clients that their confidential information is protected, whereas Privacy evaluates how an organization protects its customers' PII. Privacy assesses how, why, and when an organization shares that information.

This criterion addresses personal information such as name, address, email, any other identifying information, and purchase history. Your organization must include the Privacy Trust Service Criteria in its SOC 2 report if it directly holds customers' personal information.

Final Word


It's important to note that your organization does not need to address all five of the Trust Services Criteria in its SOC 2 report; select the TSCs that are relevant to the services you provide to your clients, while treating the Security TSC as mandatory.

Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, and privacy laws like HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.
