The 5 SOC 2 Trust Services Criteria Explained

Originally published by BARR Advisory.

Written by Christine Falk.

So what goes into a SOC 2 report, anyway?

There are five trust services criteria (TSC) that can be included in a SOC 2 report: security, availability, confidentiality, processing integrity, and privacy. Amanda Parnigoni, senior consultant for BARR’s attest services team, explains each criteria so you can better understand what categories you should include in your audit. Let’s dive in.

1. Security

• Unlike the other criteria, the security TSC is required for all SOC 2 reports.
• The objective of the security TSC is to ensure information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.
• There are a total of 9 security ‘points of focus’ to be met in order to meet the security criteria. These include:
  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation
• The entity—in other words, the business or organization—is required to have control activities in place to meet the objectives of these ‘points of focus.’ Each point should be supported by at least two to three controls. That way, even if one control fails, the criteria is still supported by the additional control activities and will not result in a qualified opinion.

2. Availability

• The objective of the availability TSC is to ensure that systems are available and that information is accessible to the user. There are three additional ‘points of focus’ to meet to achieve the availability criteria.

3. Confidentiality

• The objective of the confidentiality TSC is to ensure that information defined as confidential within the system is protected. There are two additional ‘points of focus’ to meet to achieve the confidentiality criteria.

4. Processing Integrity

• The objective of the processing integrity TSC is to ensure that system and information processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. There are five additional ‘points of focus’ to meet to achieve the processing integrity criteria.

5. Privacy

• There are eight additional ‘points of focus’ to meet to achieve the privacy criteria. This can be the biggest lift for most entities, both due to the sheer number of privacy points of focus there are and due to the specific requirements within each of those points of focus.

Notably, the availability, confidentiality, processing integrity, and privacy TSCs are optional. These additional criteria are not required to have a complete SOC 2 report, but can be useful additions. Typically, an entity will add additional criteria when there is a business need or when a customer requires them to highlight the processes and procedures surrounding one or more of these areas.

Including additional criteria does come at a higher cost and involves additional control activities, but most audit firms can and will highlight existing controls from the security category to help clients achieve the additional criteria, making it less of a hassle. Adding additional criteria, when necessary, can be a great way to add value and build trust with customers.

That said, a common mistake we see is companies piling on additional criteria without a business need. An example could be a company wanting to add the privacy TSC, even though they don’t maintain personal information within their system. This creates more work for the organization when the payoff may be minimal to the customers.