A guide to the Trust Services Criteria
Knowing when to include each of the SOC 2 Trust Services Criteria (TSC, or simply “criteria”) can seem like a daunting task, but it does not have to be. Different industries have differing third-party assurance requirements and expectations, and the SOC 2 TSC have been designed to address the most common categories. Your customers may also expect specific criteria to be applied based on your industry, company, and specific organizational needs.
The breakdown below will help you decide which Trust Services Criteria to include in your SOC 2 report.
The Security criteria constitute the baseline for all SOC 2 reports and are known as the “common criteria,” as they are common to all SOC 2 reports. All additional TSC are optional.
If your company is looking to obtain its first SOC 2 report, we recommend that you begin with just the Security TSC, unless there is a contractual obligation or industry relevance that would necessitate adding further TSC to the scope of the SOC 2 report.
Since SOC 2 often requires some organizational change and the implementation of controls to address identified gaps, exercising economy of force by starting with Security only can be helpful. A company can always elect to add further TSC to its SOC 2 scope for future SOC 2 reporting.
The 33 common criteria include the following topics around information security:
- Control Environment (Leadership, Governance, HR)
- Communications & Information (Internal & External Communications)
- Risk Assessment (Risk Management Program)
- Monitoring Activities (Monitoring, Alerting, Reporting)
- Control Activities (Internal Control)
- Logical & Physical Access Controls
- System Operations (Configuration, Detection, Vulnerability Management, Incident Response, etc.)
- Change Management (Configuration changes and SDLC)
- Risk Mitigation (Third-party Risk Management, Risk Transfer)
Regardless of the industry or organization, these criteria will need to be met in order to obtain a SOC 2 report.
To meet the Security criteria, companies must design and implement SOC 2 controls that adequately address and meet the AICPA-defined SOC 2 criteria. The exercise of designing SOC 2 controls, commonly referred to as ‘Design of Controls’, should be something that the company does together with its audit firm (e.g. risk3sixty).
The audit firm will be able to validate that your company’s design of controls takes current organizational processes and business objectives into account and is ‘right-sized’ for your company. It is best when leadership and key internal stakeholders are part of this design process.
This is also where an experienced audit firm that focuses on quality work and quality of service is invaluable. An audit firm that tries to force your company to implement a generic set of controls is doing your business a disservice.
The Availability category consists of three criteria covering the availability of information systems, specifically:
- Capacity Planning & Demand: maintain, monitor, and evaluate processing capacity and use of system components (infrastructure, data, software)
- Environmental Protection, Data back-up Processes, Recovery Infrastructure
- Disaster Recovery Planning and Testing
This category exists to enable companies to demonstrate that information systems are available to meet service and contract commitments. If your company is frequently asked about the availability of its services or products by clients, or is asked to include availability commitments in contracts and service-level agreements (SLAs), the Availability TSC likely needs to be included in your SOC 2 scope.
Software-as-a-Service (SaaS) companies may also consider implementing this category, as should any organization whose clients depend on the availability and continuity of its services.
In short, if your organization is making ‘five nines’ or other up-time commitments in its contracts, inclusion of the Availability TSC may be an expectation of your customers and prospects.
The Confidentiality criteria, of which there are two, enable companies to demonstrate their commitment to protecting confidential information.
The focus of this TSC is on identifying, maintaining, and disposing of confidential information to meet regulatory environments, company commitments, and business objectives. These criteria are most applicable to firms that handle sensitive and confidential information such as trade secrets, protected health information (PHI/ePHI), personally identifiable information (PII), intellectual property, and/or data contractually classified as confidential.
Healthcare organizations and service providers, manufacturing companies, and data centers are high on the list of companies to which these criteria apply.
If you want to showcase your company’s commitment to confidentiality of information, then these criteria are must-haves in your SOC 2 report.
The Processing Integrity category, which adds five criteria, is a “must-have” for any company that is involved in financial transactions and/or has a need for quality, completeness, and accuracy of data processing.
Topics in this category include:
- Quality of data input
- Completeness and accuracy of system inputs
- System processing
- Completeness, accuracy, timeliness of data output
- Protection & Storage of data records
Including the Processing Integrity TSC in a SOC 2 report will allow your company to demonstrate that it has controls in place designed to address the lifecycle and reliability of data processing. Naturally, companies with data processing environments will want to include this category in their SOC 2 report, but if your firm manufactures physical products or offers applications that depend on data being error-free, this is a TSC you may want to include as well.
The Privacy TSC is a must-have if your company handles personal information such as medical records (e.g. ePHI), personal data (PII), and/or information that directly affects individuals in countries with strict data privacy laws (e.g. GDPR in Europe, CCPA in California).
This TSC includes eighteen additional criteria and is most applicable to organizations in the Healthcare industry but may also apply to firms providing advertising, marketing, and legal services. The Privacy TSC is limited to personal information, so if your company handles additional sensitive information, you should consider including the Confidentiality Criteria as well.
Topics in the Privacy TSC include:
- Providing notice to data subjects about company privacy practices
- Data subject choices in the company’s collecting of personal information
- How personal information is collected
- Data subject consent for collection of personal information
- Limited use of personal information
- Retention of personal information
- Secure disposal of personal information
- Data subject access to stored personal information
- Correction, amendment, or appendment of personal information
- Disclosure of personal information to third parties
- Record of authorized disclosures of personal information
- Unauthorized disclosures of personal information
- Privacy commitments from third parties and vendor compliance checks
- Third-party reporting requirements for unauthorized disclosures
- Data subject notification of breaches and incidents affecting them
- Disclosure of personal information to data subject
- Collection and maintenance of accurate personal information
- Process for resolution of inquiries, complaints, and disputes from data subjects
Example SOC 2 Scope – Recommendations per Industry:
What trust service categories would we recommend including as a starting point for different types of companies? Here is a table with examples for consideration. This table is not meant to be exhaustive or prescriptive, but to promote discussion around which categories may be appropriate to include in your company’s SOC 2 report:
There is not a “one-size-fits-all” SOC 2 report. Selecting only the TSC that apply to your company can be an efficient use of your effort and time.
Ultimately, a SOC 2 report is best when it is designed to reflect your company’s unique control environment to meet the SOC 2 criteria and also designed to meet customer and partner expectations. A SOC 2 report with only the Security TSC is no less of a SOC 2 than one with all five TSC in-scope, provided that Security is the only TSC that applies to the nature of your business.
Would you like help thinking through which Trust Services Criteria to include in your SOC 2 report? Our SOC 2 team is ready to help. Contact us here!