The SOC 2 Trust Service Criteria (TSC) are a set of principles that guide the evaluation of an organization's controls for managing customer data. They are based on five key principles, each addressing a specific area of trust and security.
Here is a brief summary of each:
Security
Security refers to the protection of information and systems from unauthorized access, disclosure, and damage. Controls under this criterion ensure that systems are protected against attacks like malware, ransomware, or hacking.
Availability
This principle concerns whether systems are available for operation and use as agreed or required. It ensures that service commitments (such as uptime guarantees) are met.
Confidentiality
Confidentiality focuses on protecting sensitive information from unauthorized access and disclosure. This could include business secrets, financial data, or personally identifiable information (PII).
Processing Integrity
Processing integrity ensures that systems process data accurately, completely, and in a timely manner, according to business objectives. It ensures that data is not altered inappropriately during processing.
Privacy
Privacy relates to how personal information is collected, used, stored, and disclosed in accordance with the organization’s privacy policies and regulatory requirements (e.g., GDPR, CCPA).
Which Trust Service Criteria are suitable for your organization?
The first thing to note is that Security is the only mandatory criterion; it must be included in order to complete a SOC 2 audit.
While the rest are optional, we offer a standard audit scope to include Security, Availability and Confidentiality as there is a high level of control overlap between these three criteria, making it achievable for the vast majority of organizations.
Processing Integrity is a great criterion to include for companies that handle or process data in a way that impacts the accuracy, completeness, and timeliness of that data.
Privacy is a very useful criterion, particularly relevant for companies that collect, store, process, or share personal data, especially when dealing with sensitive customer information. These companies must demonstrate that they have adequate controls in place to handle personal information in compliance with privacy policies and regulations (e.g., GDPR, CCPA). It also complements these regulations well, and we can provide an attestation audit covering them.
Our agile audit approach allows organizations to easily establish the scope of their audit as well as being able to subsequently add criteria and other requirements to their existing scope. Get in touch with our experts today to help get you started on this journey!