Breaking Down the SOC 2 Trust Services Criteria: Security

February 12, 2026 | SOC 2

At the core of every SOC 2 report is one foundational element: security.

There are five trust services criteria (TSC) that underpin SOC 2 reports—and one of those criteria is security, which is required whether you’re pursuing a SOC 2 Type 1 or Type 2.

Here’s a quick glance at what you need to know about the security criteria:

  • Security is the foundation of every SOC 2 report.
  • This criterion is evaluated through nine specific “points of focus.”
  • Security is the only TSC that is required for all SOC 2 reports.

Let’s dive deeper into this key pillar of SOC 2 reports:

The Basics

Trust services criteria, which were developed by the American Institute of Certified Public Accountants (AICPA), are used to evaluate and report on controls over information and systems. These controls may apply across an entire organization or be scoped to a specific system, depending on the SOC 2 report.

According to BARR Advisory Attest Services Manager Amanda Parnigoni, “the objective of the security TSC is to ensure that information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.”

In practice, this means auditors are evaluating whether your organization has designed and implemented controls that help prevent and detect system failures, incorrect processing, theft, or other unauthorized removal or misuse of data.

Points of Focus

To meet the security criteria, organizations must address nine specific “points of focus.” These include:

  • CC1: Control Environment
  • CC2: Information and Communication
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

SOC 2 requires organizations to have control activities in place that support each of these points of focus. As a best practice, each point should be backed by two to three controls. This layered approach helps ensure that if one control fails, others are in place to support the criteria and reduce the risk of a qualified audit opinion.

Common Obstacles

One of the most common challenges organizations face during a SOC examination is underestimating the breadth of the security criteria. While many organizations have some security controls in place, those controls may not be formally documented, consistently applied, or monitored in a way that meets audit expectations.

Other common obstacles include unclear ownership of controls, gaps in risk assessment processes, and change management practices that aren’t well defined. Addressing these issues early as part of a readiness assessment can significantly reduce friction and the chance of surprises popping up during the audit.

Other Trust Services Criteria

Security is the only TSC that is required for all SOC 2 reports. The other four criteria—availability, confidentiality, processing integrity, and privacy—are optional.

“These additional criteria are not required to have a complete SOC 2 report, but can be useful additions,” Parnigoni wrote in a blog post. “Adding additional criteria, when necessary, can be a great way to add value and build trust with customers.”

She added, “Including additional criteria does come at a higher cost and involves additional control activities, but most audit firms can and will highlight existing controls from the security category to help clients achieve the additional criteria, making it less of a hassle.”

The Bottom Line

Security is the backbone of every SOC 2 report. Getting it right sets the stage for a smoother audit and stronger customer trust.

Contact us today to learn more about BARR’s proven process for seamless, hassle-free SOC reporting.