SOC 2: The 5 Trust Services Categories

The SOC 2 audit, which can help demonstrate an organisation's commitment to protecting customer data, provides a level of flexibility that is unique and advantageous to organisations navigating information security and compliance.


This flexibility is a significant benefit in enabling organisations to achieve compliance while customising their controls and policies to their unique operational, strategic and technical environments. The SOC 2 Trust Services Criteria (TSC) include focus areas that serve as guidance for organisations striving to assure stakeholders of their commitment to robust data security, confidentiality, privacy and software reliability practices. Having a solid understanding of these criteria and their focus points is essential in building a compliant control environment. This guide discusses the nuances of the SOC 2 criteria, including a look at their organisational and technical dimensions.


The Trust Services Criteria of SOC 2


TSC 1: Security

The Security criteria are the foundation of SOC 2 reports, emphasising the need to implement preventative, detective and corrective controls to reduce risk across various areas of the organisation, such as unauthorised access to, use of, or change to information or systems. The focus of this TSC includes entity-level controls, information and communication, risk assessment and management, monitoring activities, control programs, logical and physical access, system operations, and change management. Whether these controls are performed and managed internally or by another service provider, ensuring the relevant controls have been designed and implemented is key to satisfying the Security criteria.


TSC 2: Availability

The Availability criteria address the need to ensure operational continuity and system accessibility for users as agreed upon. This involves an assessment of network performance, site failover solutions, and business continuity and disaster recovery procedures to ensure that uptime and system performance objectives are achieved, thus reducing the risk of service disruptions. Auditing these controls often involves examining the operational policies, communications and configurations related to maintaining performance standards and recovery procedures, such as the disaster recovery and business continuity plans or automated capacity management configurations.


TSC 3: Confidentiality

The Confidentiality criteria look at the protection of confidential information against unauthorised disclosure or removal. This involves identifying and classifying data and applying appropriate measures based on the classification. These measures may include data encryption procedures, access restrictions and contractual agreements that govern the handling of confidential data, ensuring it is protected from internal and external threats. Auditing these criteria's controls typically includes review of data governance policies, automated data protection measures, system access controls and agreements with internal and external parties that stipulate how confidential information is to be handled, shared and protected.


TSC 4: Processing Integrity

These criteria ensure that system processing is relevant, complete, accurate, timely and authorised. This includes the alignment of processing systems with the organisation's goals, examination of input and output processing controls, and data validation processes to avoid system errors, data loss or unauthorised manipulation of data. Auditors look at the processes for data processing and quality assurance to verify that systems perform their intended functions in an unaltered manner and that errors are identified and corrected promptly.


TSC 5: Privacy

The Privacy criteria, which address the collection, use, retention, disposal and disclosure of personal information, are based on aligning organisational operations with privacy principles and relevant legal requirements. This typically includes privacy notices, consent processes and data governance policies. Auditing controls for these criteria can include reviewing privacy policies and notices for coverage of key topics such as data subject consent and rights, methods of collecting personal data, types of data collected and how personal data is safeguarded; processing of data in line with defined objectives; processing of data subject requests related to their data; and appropriate disclosure, retention and disposal of data.


We often see clients undertaking a SOC 2 report with the following three TSCs: Security, Availability and Confidentiality. This provides a foundational compliance standard and demonstrates a commitment to information security. Depending on the nature of the service offered, the industry or the customer base, Processing Integrity and Privacy can be valuable add-ons to this foundation.

Disclaimer: AssuranceLab performs the role of an independent auditor across hundreds of client environments. We do not perform technical roles or assessments and this content is not intended to be comprehensive on those technical or detailed aspects of cybersecurity. You should perform further research and seek professional advice as appropriate before acting on any of the information contained here.
