SOC 2 Compliance: The 5 Trust Services Criteria
What are the Trust Services Criteria?
Once your organization has decided that you are ready to pursue a SOC 2 attestation, the first thing you have to decide is which of the five Trust Services Criteria (TSP) you want to include in your SOC 2 audit report. Becoming familiar with the categories of security, availability, confidentiality, processing integrity, and privacy should be one of the first steps in your scoping process. On a basic level, you can think about the Trust Service Criteria in terms of these concepts:
- Security – Is the system protected, both physically and logically, against unauthorized access?
- Availability – Is the system available for operation and use as agreed upon?
- Confidentiality – Is the information that’s designated as confidential protected as agreed upon?
- Processing Integrity – Are the processing services provided in a complete, accurate, and timely, manner?
- Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization’s privacy notice and business objectives?
Which Trust Services Criteria Apply to My Organization?
Security is the category that applies to all engagements and is what the remaining Trust Services Criteria are based on. In a non-privacy SOC 2 engagement, the security category must be included. The security category consists of the complete set of the common criteria, which integrate with the 2018 COSO Internal Control — Integrated Framework. The common criteria are categorized based on the following:
- Control environment
- Communication and information
- Risk assessment
- Monitoring activities
- Control activities
- Logical and physical access controls
- System operations
- Change management
- Risk mitigation
It’s important to note, though, that your organization isn’t required to address all five of the Trust Services Criteria in our SOC 2 report; however, you should select the categories that are relevant to the services that you provide to your clients. So, aside from security, which apply to your organization: availability, processing integrity, confidentiality, and/or privacy?