One of the first steps you’ll take when preparing for a SOC 2 audit is selecting which trust services criteria (TSC) may be included in the report. Every SOC 2 audit includes the Security criterion, as it is the required component from which other criteria can be added. But what other criteria are there? And how do you know which ones your company should include? Here’s a quick overview.
What are trust services criteria?
TSC are criteria used to evaluate and report on controls over information and systems. This can be company wide or specific to a department or division within a company.
Trust Services Criteria Categories
There are five categories to consider:
- Security: This category looks at how your data and systems are protected against unauthorized access, use, and disclosure to reduce the risk of damage to systems. It is a required category within all SOC 2 reports because it protects data availability, integrity, confidentiality, and privacy issues, which can affect a company’s ability to meet security objectives.
- Availability: This category demonstrates how information and systems are accessible and maintained to meet the entity’s objectives.
- Confidentiality: Sensitive data or information that is classified as confidential is protected.
- Processing Integrity: This shows system processing and data are complete, valid, accurate, timely, and authorized to meet objectives.
- Privacy: This demonstrates personal information that is obtained, used, retained, disclosed, and disposed of in accordance with entity objectives and policies.
In short, TSC are used to evaluate the suitability of the design and operating effectiveness of controls.
Which categories should your company include in your SOC 2 report?
Let’s look at each category and discuss why you may want to include it.
- Security: This category is required for all SOC 2 reports and is designed to prevent and detect system failure, incorrect processing, theft, or other unauthorized data removal.
- Availability: This category is useful to include if customers ask you about downtime service-level agreements, uptime guarantees, a status page, and other accessibility requests.
- Confidentiality: If your clients want data deleted when contracts end, have private or sensitive information stored in your company’s platform, or require non-disclosure agreements when they do business with you or others, the Confidentiality category is vital to include in your SOC 2 report.
- Processing Integrity: If your company is a data pipeline platform or offers a payment system of some kind, your customers likely rely on you for data processing. That means the Processing Integrity category may be one of the TSC within your SOC 2 report.
- Privacy: When clients store personally identifiable information or sensitive personal data (e.g., social security numbers, financial information, etc.), you may want to include this TSC in your SOC 2 report.
The selection of which TSC to include is up to each unique business given their policies, objectives, time, size, and a number of other factors.
The ultimate goal is to complete a successful SOC 2 report that demonstrates to your customers that their data is safe with you.
To learn more about TSC, the SOC auditing process, or get started, contact us.