Key Takeaways
Five Core Principles: SOC 2® reports provide detailed assurance regarding controls in five categories, known as the Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Security is Mandatory: The Security criterion is the baseline requirement for every SOC 2® report. It focuses on protecting information and systems from unauthorized access, unauthorized disclosure, and damage.
Customized Compliance: Organizations should work with their assessor to select the most applicable criteria (beyond Security) to ensure the final report best supports their specific compliance goals and client assurance needs.
Understanding SOC 2® Reports
SOC 2® reports provide detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems used to process data, as well as the confidentiality and privacy of the information those systems process. The categories against which those controls are evaluated are called the SOC 2® Trust Services Criteria.
It’s important to understand the SOC 2® Trust Services Criteria so you can choose the most applicable criteria for your organization. Your assessor can work with you to help ensure that your report best supports your organization and compliance goals.
SOC 2® Trust Services Criteria
- Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.
- Availability: Information and systems are available for operation and use to meet the entity’s objectives.
- Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
Turn to Auditwerx for SOC 2® Compliance
Our simple SOC 2® process makes it easy for an organization of any size to obtain the attestation report it needs to build trust with its clients. Our experienced team will help you align your compliance efforts across frameworks, working around your business needs for an easy and efficient assessment experience. If you’re ready to get started, contact us today.
FAQs
What are the five Trust Services Criteria for a SOC 2® engagement?
The five Trust Services Criteria (TSC) are:
Security: Protecting systems and information from unauthorized access or damage.
Availability: Ensuring systems are operational and usable as required to meet objectives.
Processing Integrity: Confirming system processing is complete, valid, accurate, timely, and authorized.
Confidentiality: Protecting information designated as confidential to meet objectives.
Privacy: Managing the collection, use, retention, disclosure, and disposal of personal information.
What is the goal of the Processing Integrity criterion?
The goal of the Processing Integrity criterion is to assure clients that the service organization’s system processing is reliable. This involves verifying that all system processing is conducted completely, is valid, is accurate, is timely, and has been properly authorized to meet all relevant objectives.
How does the Privacy criterion differ from the Confidentiality criterion?
While both deal with protection, Confidentiality focuses on protecting any information that the entity designates as confidential (like trade secrets or proprietary data). Privacy specifically relates to the protection of personal information—how it is collected, used, retained, disclosed, and ultimately disposed of, to meet regulatory and entity objectives.
What is the purpose of the Availability criterion in a SOC 2® report?
The Availability criterion assures that the service organization’s information and systems are consistently available for operation and use. This criterion addresses concerns related to system performance, monitoring, and recovery from disruptions, ensuring clients can rely on the service to meet their own business objectives.
