A common misconception is that all five Trust Services Criteria categories must be included in a SOC 2 report.
It is actually very rare for a SOC 2 report to cover all five categories (formerly called Principles). Even industry leaders such as AWS and Microsoft do not include Privacy, and AWS does not include Processing Integrity either. Those two categories are rarely included, primarily because they are complex and subjective; they therefore require more work and result in higher audit costs.
Availability and Confidentiality are commonly included. They are clear-cut and require a relatively small amount of additional work, and therefore little additional cost. Availability in particular is a popular choice because it covers a different assurance aspect: it gives your customers assurance that your services are reliable and dependable, rather than only that their information is kept secure.
So what are the Trust Services Categories?
Security: the Security criteria are required in every SOC 2 report and are built on the Common Criteria, which also underpin the four additional categories. They cover the control environment, information and communication, risk assessment, monitoring of controls, control activities, logical and physical access, system operations, change management and risk mitigation. For many end users and types of service, the Security criteria are sufficient on their own.
Availability: additional criteria focused on ensuring the systems and/or services are available to meet end users' business requirements. This is often included for business-critical applications and where disruption to the services would have a significant impact on users. It adds roughly 10% to the base level of work for Security where outsourced cloud infrastructure is used, or more like 20% where critical infrastructure is managed in-house.
Confidentiality: additional criteria focused on the classification and protection of your customers' data. This is often included where customer data is varied and broad in scope, or is considered commercially sensitive or otherwise highly confidential. It adds roughly 10% to the base level of work for Security, with a modest additional focus on categorising, labelling, retaining and disposing of confidential data and, in some cases, additional controls to ensure employees and third parties apply confidentiality practices appropriately.
Privacy: additional criteria focused on protecting personal data and applying appropriate control practices to protect users' privacy rights. This is included where highly sensitive personal data is collected from users of the system, such as in healthcare services. It adds roughly 30-50% to the base level of work for Security.
AssuranceLab's customers tend to follow one of two strategies: (1) report on SOC 2 Security only "to start" and consider expanding the scope after the first report, or (2) issue a "comprehensive" report covering Security, Availability and Confidentiality to ensure it meets all customer expectations. Unless our customers are in healthcare, we generally do not recommend Privacy, and instead suggest including a privacy notice in the unaudited section (Section V) of the report. Processing Integrity is only relevant where there are important end-user objectives tied to the processing activities performed by your system.
Don't know which Trust Services Categories are best for you?