Data security plays a vital role in building the trust of clients and partners, especially if you are a SaaS provider. Organizations therefore use a SOC 2 report to prove to their clients, vendors and stakeholders that they can handle data safely.
During a SOC 2 audit, the organization’s internal controls are evaluated against the 5 Trust Services Criteria (TSC), formerly called the SOC 2 Trust Services Principles (TSP). The Trust Services Criteria are established by the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA).
The Trust Services Criteria are used to evaluate and report on the design and operating effectiveness of controls concerned with Security, Availability, Processing Integrity, Confidentiality, and Privacy, whether at the level of the entire entity, of an operating unit, or of a single function with its own compliance objectives.
Now, let’s go in-depth to understand which of the 5 Trust Services Criteria to include during your SOC 2 audit.
5 AICPA SOC 2 Trust Services Criteria
It is imperative to clearly understand each criterion that can be included in a SOC 2 report, for two primary reasons. Firstly, the 5 TSCs define the infosec posture you must reach to become compliant. Secondly, each one describes a group of compliance objectives your organization must adhere to.
1. Security
The security trust criterion helps protect information throughout its lifecycle within an organization. According to the SOC 2 guidelines, the Security Trust Services Criterion is mandatory in every SOC 2 report.
The security criterion provides specific guidance on the control environment, control activities, risk assessment, information and communication, and monitoring of controls, as they apply to the design and implementation of controls.
Moreover, the security TSC helps in preventing or detecting system failure, incorrect processing, theft, unauthorized removal of information or system resources, and misuse of applications (such as unauthorized alteration, destruction, or disclosure of information). Any of these could compromise the confidentiality, availability, integrity, or privacy of information or systems and so affect the entity’s ability to achieve its objectives.
2. Availability
The availability trust criterion addresses whether information and systems are available for operation and use to meet the entity’s objectives. It typically applies to organizations that provide data centers, Software as a Service (SaaS), or hosting services to their clients.
Consider including the availability Trust Services Criterion in your SOC 2 report if:
- You have a platform that offers continuous delivery or deployment
- A power or other electrical failure would prevent your clients from deploying changes into the cloud
- Your customers have concerns about downtime, including contractual SLAs (Service Level Agreements)
3. Processing Integrity
The processing integrity trust criterion is focused on data accuracy. It covers the completeness of the end-to-end process, ensuring that applications function without delay, error, omission, or accidental data manipulation. Processing integrity is supported by Quality Assurance (QA), which verifies that the system achieves its purpose.
The processing integrity criterion requires you to describe precisely how data is processed within a system. This can add considerable value to your SOC 2 report, giving auditors, potential customers, and partners a good idea of how your system works.
Consider including the processing integrity criterion in your SOC 2 report if:
- Your organization performs transactions regularly
- You process transactions on behalf of your clients
- You are an e-commerce company
4. Confidentiality
The confidentiality trust criterion evaluates how organizations protect confidential information by limiting its access, storage, and use. It ensures that only authorized individuals can view sensitive information such as legal documents or Personally Identifiable Information (PII).
Consider including the confidentiality criterion in your SOC 2 report if your organization handles confidential data such as Personal Information (PI), passwords, or financial reports.
Furthermore, the protections outlined in the security criterion and the confidentiality criterion together provide direction for identifying, protecting, and destroying confidential information.
5. Privacy
The confidentiality and privacy Trust Services Criteria share similarities in terms of functionality yet are subtly different.
The confidentiality TSC assures clients that their confidential information is protected, whereas the privacy TSC evaluates how an organization protects its customers’ PII. Privacy assesses how, why, and when an organization shares that information.
The privacy criterion addresses personal information such as name, address, email, other identifying information, and purchase history. Your organization must include the privacy Trust Services Criterion in its SOC 2 report if it holds customers’ personal information directly.
Moreover, the privacy criterion is not mandatory if you are already compliant with GDPR or CCPA.
It’s important to note that your organization does not need to address all five Trust Services Criteria in its SOC 2 report. Select the TSCs that are relevant to the services you provide to your clients, keeping the Security TSC as the one mandatory requirement.
Scrut Automation is a smart and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA. Schedule your demo today to see how it works.
Frequently Asked Questions (FAQs)
Frankly speaking, it depends on your organization’s services. Some organizations choose the confidentiality and privacy TSCs, while others choose confidentiality and availability, or all four optional TSCs.
Of the 5 TSCs, every SOC 2 report must include the security criterion, while the other four are optional and are added to the examination at the discretion of management.
No. The Trust Services Criteria were formerly called the Trust Services Principles. The concept and the five categories encompassed in the framework have remained the same.
A SOC 2 report proves to an organization’s clients, vendors, stakeholders, and investors that it can handle data safely. It also helps in increasing new sign-ups.