SOC 2 Compliance Handbook: The 5 Trust Services Criteria


What are the Trust Services Criteria?

Once your organization has decided that it is ready to pursue a SOC 2 attestation, the first thing you have to decide is which of the five Trust Services Criteria (TSC) to include in your SOC 2 audit report. A unique benefit of a SOC 2 audit is that you are not required to address all five categories; you select only the ones that are relevant to the services you provide to customers. In practice, Security is included in every SOC 2 report, because its common criteria underpin the other four categories; Availability, Confidentiality, Processing Integrity, and Privacy are the optional additions. Becoming familiar with the categories of security, availability, confidentiality, processing integrity, and privacy should be one of the first steps in your scoping process.

On a basic level, you can think about the Trust Services Criteria in terms of these questions:

• Security – Is the system protected against unauthorized access?
• Availability – Is the system available for operation and use as agreed upon?
• Confidentiality – Is the information that is designated as confidential protected as agreed upon?
• Processing Integrity – Are the processing services provided in a complete, accurate, and timely manner?
• Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization's privacy notice and business objectives?

Let's discuss the criteria set forth by the AICPA in TSP Section 100 so that your organization can gain a better understanding of which Trust Services Criteria it should include in a SOC 2 report.

