Selecting SOC 2 Principles

Selecting SOC 2 Principles

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Principles (recently updated to Trust Services Criteria) you want to include in your SOC 2 audit report. SOC 2 reports can address one or more of the following principles: Security, Confidentiality, Availability, Processing Integrity, or Privacy. Becoming familiar with these principles should be the first step in determining the scope of your SOC 2 audit and deciding which of these principles apply to the services your organization provides.

Selecting SOC 2 Principles with Joseph Kirkpatrick

The Trust Services Principles

Trust Service Principle 1 - Security


In a non-privacy SOC 2 engagement, the Security principle must be included. Security is the common criteria that applies to all engagements, and is what the other Trust Services Principles are based off of. The Security principles addresses whether the system is protected (both physically and logically) against unauthorized access.


Trust Service Principle 3 - ConfidentialityConfidentiality

If the services your organization offers deal with sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the Confidentiality principle should be present in your SOC 2 audit report. The Confidentiality principle addresses the agreements that you have with clients in regards to how you use their information, who has access to it, and how you protect it. Are you following your contractual obligations by properly protecting client information?

Trust Service Principle 2 - AvailabilityAvailability

Are you ensuring that the system you provide your clients is available for operation and used as agreed? Availability addresses whether the services you provide are operating with the type of availability that your clients would expect. The Availability principle typically applies to companies providing colocation, data center, or hosting services to their clients.


Trust Service Principle 4 - Processing Integrity

Processing Integrity

If the services you provide are financial services or e-commerce services and are concerned with transactional integrity, Processing Integrity is a principle that should be included in your SOC 2 report. Are the services you provide to your clients provided in a complete, accurate, authorized, and timely manner? Are you ensuring that these things are happening?


Trust Service Principle 5 - Privacy


Lastly, we have the Privacy principle. The Privacy principle really stands on its own, as it specifically addresses how you collect and use consumers’ personal information. It ensures that your organization is handling client data in accordance with any commitments in the entity’s privacy notice as committed or agreed, and with criteria defined in generally accepted privacy principles issued by the AICPA.


So, you aren’t necessarily required to address all five of the Trust Services Principles in your SOC 2 audit report, however, you should select the principles that are relevant to the services you are providing to your customers. If you’re ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Principles you should include, contact us today.


Video Transcription

One of the first things that you have to do in order to prepare for a SOC 2 audit engagement is select which principles from the trust services principles will be included in your SOC 2 audit report. The principles again are: Security, Availability, Confidentiality, Processing Integrity and Privacy.

Security must be included in any non-privacy principle SOC 2 audit engagement. We refer to the security principle as the common criteria that applies to any SOC 2 engagement and applies across the board to all the principles involved except for privacy.

So you must include that one, but from there you will look at confidentiality. Do you have agreements with your clients about how you will use the information, who has access to it and how you will protect that, and are you abiding by those contracts that you’ve entered in to?

Processing integrity has to do with providing your services in a complete manner, in an accurate manner, in a timely manner and are you doing those things?

Availability has to do with, is your system available to your clients as agreed? The services that you provide – are you maintaining the type of availability that your clients would expect for your services to be available to them?

Then finally, Privacy really kind of stands on its own. It’s a very unique principle, it’s very different from the other four. And we usually issue that as its own type of report because it addresses how you collect and use personal information of consumers, and do they have rights to opt out of how their information is used. Do they have the ability to file a complaint and get a response from you on how information is being utilized?

So think about those five principles and what would be included in your SOC 2 audit engagement.

4 replies
  1. Avatar
    Larry says:

    I keep finding that anyone is able to generate a SOC 2 report and a CPA is not a requirement for a SOC 2 certification. Is this true?


Trackbacks & Pingbacks

  1. […] of security, availability, processing integrity, confidentiality, and privacy, also known as the Trust Services Principles. These principles address internal controls unrelated to […]

  2. […] Identifying the relevant TSPs is so important because your next step is to determine which systems, policies, and procedures support those principles. They will be what your SOC 2 audit examines. On a practical basis, that means SOC 2 audits covering multiple TSPs can sweep lots of your firm’s systems and controls into scope. […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *