
SOC 2 Trust Service Criteria Explained: What You Need To Know

Article

March 20, 2025

System and Organization Controls 2 (SOC 2), historically expanded as Service Organization Control 2, is an attestation framework under which an independent CPA firm reports on the controls a service organization uses to protect its systems and the data it handles. As previously discussed in Cherry Bekaert’s article A Guide to Understanding Service Organization Control (SOC) Reports, a SOC 2 examination evaluates the controls that support management’s service commitments and system requirements against the AICPA’s Trust Services Criteria.

The criteria define five categories against which a SOC 2 system can be evaluated: security, availability, processing integrity, confidentiality and privacy. The information below summarizes key points of the guidance the AICPA provides within its published criteria.

What Are the Trust Services Categories and Criteria?

There are five categories within the Trust Services Criteria (TSC) that can be included in a SOC 2 report: security, availability, processing integrity, confidentiality and privacy. It should be noted that security, whose criteria are also known as the common criteria, is the only category that every SOC 2 report must address.

Security

The objective of the security criteria is that information and systems are protected against unauthorized access, unauthorized disclosure of information and damage to systems that could compromise the availability, integrity, confidentiality or privacy of information or systems and affect the entity’s ability to meet its objectives.

The nine common criteria (CC) that make up the security category include:

  1. CC1: Control Environment
  2. CC2: Communication and Information
  3. CC3: Risk Assessment
  4. CC4: Monitoring Activities
  5. CC5: Control Activities
  6. CC6: Logical and Physical Access Controls
  7. CC7: System Operations
  8. CC8: Change Management
  9. CC9: Risk Mitigation

The security criteria are the foundation of every SOC 2 report and address control elements ranging from human resources (HR) and onboarding processes to software development and change management. CC1 through CC5 correspond to the five components of the COSO 2013 internal control framework; CC6 through CC9 are supplemental criteria specific to the TSC that cover access control, system operations, change management and risk mitigation.

The remaining four categories are optional and can be included within the scope of the SOC 2 report, based on the nature of the service commitments made by the service organization and the needs of the users of the report.

Availability

The objective of the availability criteria is to ensure that information and systems are available for operation and use. This includes the accessibility of information used by the entity’s systems as well as the products or services provided to its customers.

The availability criteria are relevant to data centers, hosted Software-as-a-Service (SaaS) applications, Platform-as-a-Service (PaaS) offerings, critical business software and other systems whose users depend on accessibility and continuous uptime to process critical data. Note that availability addresses whether the system is operational and accessible as committed (for example, in a service level agreement); it does not address the functionality or usability of the system.

Processing Integrity

The objective of the processing integrity criteria is to ensure system processing is complete, valid, accurate, timely and authorized to meet the entity’s objectives.

A service organization should consider including the processing integrity criteria if the service:

  • Takes data inputs
  • Processes information and provides the outputs to users 
  • Requires data accuracy and completeness, such as online payment platforms, data analytics platforms, and document production and distribution services

Confidentiality

The objective of the confidentiality criteria is to ensure that information classified as confidential within the system is protected from unauthorized exposure. This is different from the privacy criteria because privacy (discussed below) only applies to personal information.

Companies will likely include this category if their systems handle highly sensitive customer data, as is common for banking platforms, customer relationship management (CRM) systems or SaaS applications. Confidentiality covers any information the entity or its customers designate as confidential, such as contracts, trade secrets, intellectual property or business plans, not only personal data.

Privacy

The objective of the privacy criteria is that personal information is collected, used, retained, disclosed and disposed of in conformity with the entity’s privacy notice and commitments, applicable laws and regulations, and customer requirements.

Companies will likely pursue the privacy criteria if they deal with:

  • Healthcare Records Systems
  • CRM Systems
  • Human Resource Management Systems (HRMS)
  • Other systems that collect and store personal information such as names, addresses, financial information and medical history

What Is SOC 2+?

SOC 2+ refers to a SOC 2 report that expands on the standard SOC 2 framework by incorporating additional criteria and subject matter beyond the five TSC categories. Common examples include the Health Insurance Portability and Accountability Act (HIPAA), the NIST Cybersecurity Framework (NIST CSF) and the General Data Protection Regulation (GDPR). Controls are mapped to the additional criteria and covered by the same service auditor’s examination, so a single SOC 2+ report demonstrates to its users that the company has addressed multiple standards without a separate engagement for each. A SOC 2+ is still a SOC 2 report carrying the service auditor’s opinion, not a certification under those other frameworks.

What Are Points of Focus?

Each of the five categories is divided into individual criteria (the CC1 through CC9 series within security, shown above, is one example), and each criterion carries several associated points of focus, as detailed in AICPA TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus — 2022). The points of focus provide guidance by highlighting important characteristics and considerations for meeting each individual criterion.

It is important to note that the points of focus are items to consider when documenting and implementing the service organization’s system of control activities to meet each applicable trust services criterion. They are not prescriptive requirements, and not every point of focus will be relevant to a given service organization. However, all points of focus should be considered, and doing so may also identify areas in which a company can strengthen its control environment.

Which Trust Services Criteria Apply to Us? 

A common misconception is that SOC 2 compliance is synonymous with a “SOC 2 certification.” SOC 2 is a reporting framework: the outcome of an examination is an attestation report containing the service auditor’s opinion, not a certificate. It is the responsibility of each service organization to scope its SOC 2 control set and report to meet the needs of its users and its service commitments. As such, a company is not required to address all five TSC categories.

As mentioned above, the security category is the only one required. Before undergoing a SOC 2 examination, the company should first determine the scope of services that will be covered by the examination and identify any commitments made to the users of those services. From there, it can determine which, if any, of the additional categories or criteria are applicable.

It is also important to note that certain common criteria in the security category overlap with criteria in other categories such as confidentiality and availability. For example, a company may have a control stating that tabletop exercises are performed to test the company’s business continuity and disaster recovery plans. This control addresses security (CC9.1, risk mitigation for potential business disruptions) as well as availability (A1.2, recovery infrastructure and processes, and A1.3, testing of recovery plan procedures). A single control can therefore be mapped to, and tested once for, several criteria.

How Can Cherry Bekaert Help

Cherry Bekaert’s Risk & Cybersecurity professionals have more than three decades of SOC and information assurance experience across all industries and disciplines and serve on state-level boards and AICPA committees, overseeing the implementation of TSC standards updates. Whether you are just beginning your SOC compliance journey or completing your recurring annual audit, our specialized teams work closely with your organization to get you there. Reach out to your Cherry Bekaert advisor or a member of our Information Assurance & Cybersecurity practice to get a conversation started.

Contributors

Nina McAvoy

Information Assurance & Cybersecurity

Sr. Manager, Cherry Bekaert Advisory LLC


Kyle Wehrli

Risk & Accounting Advisory Services

Director, Cherry Bekaert LLP
Director, Cherry Bekaert Advisory LLC


Dan Sembler

Advisory Services

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC