Glossary

SOC Trust Services Criteria

How do SOC 2 auditors decide what an organization must demonstrate in order to be certified? The answer lies in the SOC 2 Trust Services Criteria.

A Service Organization Controls (SOC) report evaluates the internal controls of an outsourced service provider (OSP) against the trust services principles and criteria.

The SOC Trust Services Criteria are control criteria used to assess and document whether an organization has suitably designed and implemented controls for Security, Availability, Processing Integrity, Confidentiality, or Privacy of information and systems. They used to be known as the Trust Services Principles.

There are 5 Trust Service Criteria and together they make up the format of the audit and report:

  1. Security – this category is mandatory; the other four are voluntary.
  2. Availability
  3. Confidentiality
  4. Integrity of Processing
  5. Privacy

The AICPA Trust Services Principles were defined by the American Institute of CPAs (AICPA). AICPA is the world’s largest member association representing the accounting profession, with more than 428,000 members, and a history of serving the public interest since 1887.

SOC Trust Services Criteria

What are the criteria trying to determine?

Security (Mandatory)

Systems and data stored by a company are protected against unauthorized access and unauthorized disclosure. AICPA definition: “Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”

Availability

Information and systems are available for operation and use as committed or agreed.

Confidentiality

Information designated as confidential is protected as committed or agreed.

Integrity of Processing

System processing is complete, valid, accurate, timely, and authorized. Customer data remains correct throughout the course of data processing.

Privacy

SOC 2 confirms that personal information is collected, used, retained, disclosed, and disposed of in accordance with pre-stated policies. Although the Confidentiality category applies to any sensitive information, the Privacy category applies only to personal information. 


Mandatory Vs. Optional SOC 2 Trust Criteria

The AICPA trust services principles are standards established by the American Institute of Certified Public Accountants (AICPA) to guide organizations in managing and securing sensitive information. The distinction between mandatory and optional criteria reflects the diverse nature of businesses and their varying information security needs. Here is why only one criterion is mandatory while the others are optional:

Security (Mandatory)

Security is the only mandatory criterion of the five SOC 2 trust services criteria. It is at the core of every SOC 2 audit and applies to all organizations. Unauthorized access, disclosure, or damage to systems can have severe consequences, compromising the availability, integrity, confidentiality, and privacy of information. Evaluating security controls is therefore essential for any organization to demonstrate a baseline level of protection.

Availability, Confidentiality, Integrity, and Privacy (Optional)

Not all businesses handle personal information to the same extent, and the importance of criteria such as Availability and Processing Integrity varies with industry and business model.

Flexibility: The optional criteria allow organizations to tailor their SOC 2 audits to focus on specific aspects that are relevant to their business. For example, an organization that doesn’t handle personal information extensively may opt out of the Privacy criterion, while a data processing service may emphasize processing integrity more.

Cost Considerations: Each additional criterion adds complexity to the audit process and may increase associated costs. Allowing flexibility in choosing criteria enables organizations to align the audit scope with their business priorities and budget constraints.

Industry Relevance: The optional criteria recognize that different industries may have specific regulatory requirements or customer expectations. For instance, an organization in healthcare may find the Privacy criterion more relevant due to the handling of sensitive patient information.

The COSO Framework and SOC 2

The COSO Framework is used by businesses to evaluate how effectively their internal control system achieves the goals set by management. COSO lays out the foundation for a successful internal control system, one that directs company activities toward operating effectiveness, in its five components and 17 principles taken together.

Auditors must look at how an organization has applied the COSO framework in order to align COSO objectives with SOC 2 reports. To make that alignment more seamless, the American Institute of Certified Public Accountants (AICPA) renamed the Trust Services Principles and Criteria (TSP) to the Trust Services Criteria (TSC), minimizing confusion with the established COSO principles. In SOC 2 these are referred to as the common criteria.

Summary

The trust services criteria, built on COSO, allow organizations to assess and improve their internal controls so that they are ready to be audited by a SOC 2 auditor. The process can be automated using the Centraleyes Risk and Compliance Management Platform, with built-in questionnaires to measure and achieve compliance with SOC 2, COSO, or both.
