The 5 Trust Services Criteria Explained
So what goes into a SOC 2 report, anyway?
There are five trust services criteria (TSC) that can be included in a SOC 2 report: security, availability, confidentiality, processing integrity, and privacy. Let’s take a closer look at each:
1. Security
Unlike the other criteria, the security TSC is required for all SOC 2 reports.
The objective of the security TSC is to ensure information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.
There are nine security ‘points of focus’ that must be addressed to meet the security criteria:
CC1: Control Environment
CC2: Communication and Information
CC3: Risk Assessment
CC4: Monitoring Activities
CC5: Control Activities
CC6: Logical and Physical Access Controls
CC7: System Operations
CC8: Change Management
CC9: Risk Mitigation
The entity (in other words, the business or organization) is required to have control activities in place to meet the objectives of these ‘points of focus.’ Each point should be supported by at least two to three controls. That way, even if one control fails, the criteria remain supported by the additional control activities and the failure will not result in a qualified opinion.
2. Availability
The objective of the availability TSC is to ensure that systems are available and that information is accessible to the user. There are three additional ‘points of focus’ to meet to achieve the availability criteria.
3. Confidentiality
The objective of the confidentiality TSC is to ensure that information defined as confidential within the system is protected. There are two additional ‘points of focus’ to meet to achieve the confidentiality criteria.
4. Processing Integrity
The objective of the processing integrity TSC is to ensure that system and information processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. There are five additional ‘points of focus’ to meet to achieve the processing integrity criteria.
5. Privacy
There are eight additional ‘points of focus’ to meet to achieve the privacy criteria. This can be the biggest lift for most entities, both due to the sheer number of privacy points of focus there are and due to the specific requirements within each of those points of focus.
Notably, the availability, confidentiality, processing integrity, and privacy TSCs are optional. These additional criteria are not required for a complete SOC 2 report, but they can be useful additions. Typically, an entity will add criteria when there is a business need or when a customer requires them in order to highlight the processes and procedures surrounding one or more of these areas.
Including additional criteria does come at a higher cost and involves additional control activities, but most audit firms can and will highlight existing controls from the security category to help clients achieve the additional criteria, making it less of a hassle. Adding additional criteria, when necessary, can be a great way to add value and build trust with customers.
That said, a common mistake we see is companies piling on additional criteria without a business need. An example would be a company wanting to add the privacy TSC even though it does not maintain personal information within its system. This creates more work for the organization while the payoff to customers may be minimal.
Ready to learn how Audora can streamline the SOC 2 compliance process? Contact us today to get started.