Understanding SOC 2 Trust Service Criteria
When it comes to achieving SOC 2 compliance, one of the key considerations is defining the scope of the audit. The Trust Services Criteria (TSC) are a set of standards developed by the American Institute of Certified Public Accountants (AICPA) to evaluate the design (Type I) and operating effectiveness (Type II) of a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy. Security is the only category required in every SOC 2 report; the other four are optional, and the service organization selects them based on the commitments it has made to customers. Each of the five categories plays a role in demonstrating that an organization meets its service commitments while protecting sensitive data and systems.
1. Security: Protecting Information and Systems
At the core of SOC 2 compliance is the Security category, also known as the common criteria (CC1 through CC9), which focuses on safeguarding information and systems from unauthorized access, unauthorized disclosure, damage, or any other form of compromise that could affect the availability, integrity, confidentiality, or privacy of data. This category emphasizes the importance of:
Prevention and Detection: Controls must be in place to prevent or detect system failure, incorrect processing, theft or other unauthorized removal of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.
System Security: This involves ensuring that systems used to process, store, or transmit data are properly secured, through logical and physical access controls, system operations, change management, and risk mitigation, to prevent breaches or malfunctions that could compromise the organization's service commitments.
In practice, security controls range from access restrictions, encryption, and firewalls to intrusion detection and logging. Because the common criteria apply to every SOC 2 report, these controls form the baseline on which the other four categories build.
2. Availability: Ensuring Operations Are Ongoing and Accessible
The availability category addresses whether systems and information are available for operation and use as committed or agreed, so that the organization can meet its service commitments. Availability does not set a minimum acceptable performance level (e.g. how fast a system should run) and does not address system functionality or usability; it addresses whether the system includes controls that support its operation, monitoring, and maintenance.
Key elements of availability include:
Capacity and Accessibility: Controls to ensure that services and information remain accessible to authorized users in accordance with the entity's service commitments, including monitoring of current usage and capacity planning for future demand.
System Monitoring: Ongoing monitoring of systems and environmental protections to ensure they are functional and available when needed.
Recovery Plans: Well-defined, tested plans for backup, disaster recovery, and system resilience to limit the duration of any downtime.
Availability controls provide evidence that your systems are reliable and operate as committed, reducing the risk of service disruption to customers.
3. Confidentiality: Protecting Sensitive Information
The confidentiality category focuses on ensuring that sensitive or classified information is protected in accordance with the entity’s objectives. This can include proprietary data, intellectual property, or customer-specific data, which may be subject to contracts, regulations, or internal policies governing access and retention. Some of the essential confidentiality controls include:
Access Restrictions: Limiting access to sensitive data to authorized parties only.
Data Handling: Safeguarding data throughout its lifecycle—from collection or creation to its eventual disposal.
Encryption and Deletion Protocols: Ensuring that data is encrypted during transmission and securely deleted when no longer needed.
Confidentiality also differs from privacy in that it encompasses a broad range of sensitive information, not just personal data. However, protecting this information is equally crucial to meet both regulatory requirements and customer expectations.
4. Privacy: Protecting Personal Information
Unlike confidentiality, which refers to a variety of sensitive information, the privacy category specifically deals with personal data. It focuses on ensuring that personal information is collected, used, retained, disclosed, and disposed of in compliance with privacy regulations, policies, and customer agreements. The privacy criteria include:
Notice and communication of objectives: The entity provides notice to data subjects about its objectives related to privacy.
Choice and consent: The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects.
Collection: The entity collects personal information to meet its objectives related to privacy.
Use, retention, and disposal: The entity limits the use, retention, and disposal of personal information to meet its objectives related to privacy.
Access: The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy.
Disclosure and notification: The entity discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its objectives related to privacy.
Quality: The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet its objectives related to privacy.
Monitoring and enforcement: The entity monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes.
5. Processing Integrity: Ensuring Data Accuracy and Timeliness
The processing integrity category addresses whether system processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. It emphasizes that systems should perform their intended functions without errors or delays, so that data is processed as expected. Note that processing integrity concerns how the system processes data, not the integrity of the data itself: input data that is inaccurate before it enters the system is usually not a processing integrity failure. Key elements of processing integrity include:
Accuracy and Completeness: Systems must process data without errors or omissions and ensure that outputs are complete and reliable.
Timeliness: Processing should occur in a timely manner, with no undue delays that could affect business operations or customer outcomes.
Authorization and Validity: Inputs must be validated and processing must be authorized and meet defined standards to avoid errors or unauthorized changes.
Summary
Whether you handle customer data, provide IT services, or manage cloud infrastructure, aligning your operations with these criteria can help ensure that you deliver secure, reliable, and privacy-conscious services. Security is always in scope; which of the remaining categories apply to your organization depends on the data you handle, your service agreements, and the regulatory environment in which you operate.