Selecting SOC 2 Trust Service Principles

Which Trust Services Criteria Do I Need to Include in my SOC 2 Audit?

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Principles (recently updated to Trust Services Criteria) you want to include in your SOC 2 audit report. SOC 2 reports can address one or more of the following categories:

  1. Security
  2. Confidentiality
  3. Availability
  4. Processing integrity
  5. Privacy

Becoming familiar with these five principles should be the first step in determining the scope of your SOC 2 audit and deciding which of these principles apply to the services your organization provides.

Selecting SOC 2 Principles with Joseph Kirkpatrick

The 5 SOC 2 Trust Services Principles

Trust Service Principle 1 - Security

In a non-privacy SOC 2 engagement, the security category must be included. Security is the common criteria that applies to all engagements and is the foundation on which the other Trust Services Criteria are built. The security category addresses whether the system is protected, both physically and logically, against unauthorized access.


Trust Service Principle 2 - Confidentiality

If the services your organization offers deal with sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the confidentiality category should be present in your SOC 2 audit report. The confidentiality principle addresses the agreements that you have with clients in regard to how you use their information, who has access to it, and how you protect it. Are you following your contractual obligations by properly protecting client information?

Trust Service Principle 3 - Availability

Are you ensuring that the system you provide your clients is available for operation and used as agreed? Availability addresses whether the services you provide are operating with the type of availability that your clients would expect. The availability category typically applies to companies providing colocation, data center, or hosting services to their clients.

Trust Service Principle 4 - Processing Integrity

If the services you provide are financial services or e-commerce services and are concerned with transactional integrity, processing integrity is a category that should be included in your SOC 2 report. Are the services you provide to your clients provided in a complete, accurate, authorized, and timely manner? Are you ensuring that these things are happening?

Trust Service Principle 5 - Privacy

Lastly, we have the privacy principle. The privacy category really stands on its own, as it specifically addresses how you collect and use consumers’ personal information. It ensures that your organization handles client data in accordance with the commitments in the entity’s privacy notice and with the criteria defined in the Generally Accepted Privacy Principles issued by the AICPA.

Should You Include All 5 Trust Services Criteria in Your SOC 2 Audit?

You aren’t necessarily required to address all five of the Trust Services Criteria in your SOC 2 audit report; however, you should select the categories that are relevant to the services you are providing to your customers. If you’re ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Principles you should include, contact us today.

Video Transcription

One of the first things that you have to do in order to prepare for a SOC 2 audit engagement is select which principles from the trust services principles will be included in your SOC 2 audit report. The principles again are: Security, Availability, Confidentiality, Processing Integrity and Privacy.

Security must be included in any non-privacy principle SOC 2 audit engagement. We refer to the security principle as the common criteria that applies to any SOC 2 engagement and applies across the board to all the principles involved except for privacy.

So you must include that one, but from there you will look at confidentiality. Do you have agreements with your clients about how you will use the information, who has access to it and how you will protect that, and are you abiding by those contracts that you’ve entered into?

Processing integrity has to do with providing your services in a complete manner, in an accurate manner, in a timely manner and are you doing those things?

Availability has to do with, is your system available to your clients as agreed? The services that you provide – are you maintaining the type of availability that your clients would expect for your services to be available to them?

Then finally, Privacy really kind of stands on its own. It’s a very unique principle, it’s very different from the other four. And we usually issue that as its own type of report because it addresses how you collect and use personal information of consumers, and do they have rights to opt out of how their information is used. Do they have the ability to file a complaint and get a response from you on how information is being utilized?

So think about those five principles and what would be included in your SOC 2 audit engagement.

Why am I Being Asked about SOC 2 Compliance?

If you’re being asked about SOC 2 compliance for the first time, you may be wondering why. It’s becoming increasingly common for organizations to request that their vendors become SOC 2 compliant so they can ensure that the companies they are working with are appropriately protecting their sensitive information.

Perhaps you’re a vendor of a larger organization who is being audited by a publicly traded company, or maybe you want to demonstrate that security is a critical part of your organization. These clients will require you to demonstrate SOC 2 compliance to address any information security risk concerns. The SOC 2 report addresses principles (known as the Trust Services Principles) such as security, availability, processing integrity, confidentiality, and privacy.

Demonstrating that you’re SOC 2 compliant means demonstrating that the policies, procedures, and controls you have in place properly address the Trust Services Principles you have selected for your SOC 2 audit report. These principles are addressed by answering the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

If you’re being asked to demonstrate SOC 2 compliance, or if you’re simply wanting to get ahead in your industry, engaging a third-party auditing firm to perform a SOC 2 audit is the right next step. SOC 2 compliance shows that you have matured the practices at your organization and are committed to gaining client trust. Are you confident your internal controls are protecting systems that process sensitive information? Are you ready to decide whether a SOC 2 report is what your organization needs? Contact us today using the form below and speak with a SOC 2 expert and find out how you can begin your SOC 2 audit.

Video Transcription

If you have been asked for a SOC 2 Audit Report, this might be the first time that you’ve had that request and you might be wondering what a SOC 2 Audit Report is. It seems to be very popular right now for organizations to ask their vendors about whether or not they are SOC 2 compliant. SOC 2 addresses principles such as security, availability, confidentiality and processing integrity.

And so as a vendor to a larger organization that’s perhaps being audited by a publicly traded company, they may ask you for a SOC 2 Audit Report because it’s specifically designed for Service Organizations. And it’s addressing matters of information security that are so important today as people are concerned about their third parties and whether or not they’re handling their information in a secure and effective manner. So look into a SOC 2 Audit Report, determine if it’s right for you, and contact us today to see if we can help in any way.

The History of SOC 2 Reports

How did SOC 2 Reports Come to Be?

In order to understand the purpose of a Service Organization Control (SOC) 2 Report, it’s important to understand the background and history of how the SOC 2 came into existence as a way for service organizations to manage the risks associated with outsourcing services.

The original standard was known as SAS 70 and was a way service organizations could demonstrate the effectiveness of internal controls at their organization. The SAS 70 audit was performed by a CPA and the result was a report on the effectiveness of internal control over financial reporting. Although not the intended purpose, organizations began using the SAS 70 report to prove that a vendor was secure and safe to work with. When the SSAE 16 or SOC 1 report replaced SAS 70, the SOC 2 was introduced as a report that addresses security.

The SOC 2 was welcomed with open arms and was intended to serve a wide range of organizations that need information security assurance services related to internal controls affecting the security, availability, processing integrity, confidentiality, and/or privacy of a system. The SOC 2 is based on predefined criteria known as the Trust Services Principles. The AICPA has defined these principles to ensure the following:

  • Security – The system is protected against unauthorized access.
  • Availability – The system is available for operation and use as committed or agreed.
  • Processing integrity – System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed and destroyed in accordance with the privacy notice commitments.

Understanding the purpose behind the SOC 2 can help bring added benefits to your organization. A SOC 2 report can give you a competitive advantage by helping you to prioritize your risks in order to ensure that you’re delivering high quality services to your clients. KirkpatrickPrice encourages companies who are interested in demonstrating their commitment to privacy and security to consider engaging a third-party auditor to perform a SOC 2 audit.

Video Transcription

Joseph Kirkpatrick on The History of SOC 2 Reports

In order to understand the SOC 2 audit report, I think it’s important to understand the background and the history of Service Organization Control Reports.

The original audit was referred to as a SAS 70 and it addressed internal controls which can definitely include security, but over the years people started treating the SAS 70 as a report in order to prove that a vendor was secure, when that was not the original intention of that service organization control report. And so when the SAS 70 was replaced with the SSAE 16 standard, the AICPA renamed that the SOC 1 and they introduced the SOC 2 audit report in 2009 by issuing the Trust Services Principles that address security, availability, confidentiality, process integrity and privacy.

So finally we had a standard, we had some principles to rest upon that allowed us to address security and that’s what the SOC 2 report is all about. You are able to choose which principles to include into that report and security is always the core principle that has to be included in a non-privacy principle SOC 2 audit report.