SOC 2 Terminology Updates
In the AICPA’s recent updates to SOC 2 reporting, many will notice that there are quite a few SOC 2 terminology changes. Most notably, the Trust Services Principles and Criteria will now be strictly referred to as the Trust Services Criteria. However, it’s important to note that the AICPA did not update the acronym to reflect this change. Instead, the acronym for Trust Services Criteria will remain TSP.
An additional SOC 2 terminology update is that security, availability, confidentiality, processing integrity, and privacy will now be referred to as categories as opposed to criteria or principles. So, for example, when a service organization begins its SOC 2 audit journey, one of the first steps it will take is to determine which of the categories it needs to include in its audit.
Common Criteria and Additional Criteria
The common criteria will still refer to the complete set of criteria for the security category, which is what the remaining categories are based on. There will also be additional criteria for each individual category. For example, if a service organization includes both security and availability categories, the SOC 2 audit will be assessed on compliance with the common criteria as well as the following additional criteria for the availability category:
- The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
- The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
- The entity tests recovery plan procedures supporting system recovery to meet its objectives.
More SOC 2 Resources
There are some slight terminology changes in the 2017 SOC 2 Trust Services Criteria. Security, availability, processing integrity, confidentiality, and privacy are now known as categories. Anything that relates to all five of those categories is still referred to as common criteria. There are additional criteria provided for availability, processing integrity, confidentiality, and privacy, that is, for every category other than security. It's important to know how these criteria are organized throughout the SOC 2 framework so that you can tackle your audit and become compliant with the SOC 2 requirements.