Selecting SOC 2 Principles
Once your organization has decided to pursue SOC 2 attestation, one of the first things that causes confusion, and sometimes a show stopper, is deciding which of the five Trust Services Principles (recently renamed Trust Services Criteria) to include in the attestation. A SOC 2 report can address one or more of the following principles: Security, Availability, Processing Integrity, Confidentiality and Privacy. Becoming familiar with these principles is the first step in determining the scope of your SOC 2 audit and deciding which of them apply to the services your organization provides.
The Trust Services Principles or Trust Services Criteria
In a non-privacy SOC 2 engagement, the Security principle must be included. Security is the common criteria: it applies to every SOC 2 engagement and underlies all of the other principles, with the exception of Privacy. The Security principle addresses whether the system is protected, both physically and logically, against unauthorized access.
If the services your organization offers handle sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the Confidentiality principle should be included in your SOC 2 report. The Confidentiality principle addresses the agreements you have with clients regarding how you use their information, who has access to it, and how you protect it. In short: are you meeting your contractual obligations by properly protecting client information?
Are you ensuring that the systems (infrastructure and applications) you provide to your clients are available for operation and use according to the agreed uptimes? Availability addresses whether the services you provide operate with the level of availability that your clients expect AND that is documented in your SLA. The Availability principle typically applies to companies providing colocation, data center, SaaS (Software as a Service) or hosting services to their clients.
If the services you provide are financial or e-commerce services, or are otherwise concerned with transactional integrity, Processing Integrity is a principle that should be included in your SOC 2 report. Are the services you provide to your clients delivered in a complete, accurate, authorized and timely manner, and do you have controls in place to ensure that they are?
Lastly, we have the Privacy principle. The Privacy principle is unique and really stands on its own. It specifically addresses how you collect and/or use consumers' personal information and whether they have the right to opt out of how their information is used. It ensures that your organization handles personal data in accordance with the commitments made in your privacy notice, as committed or agreed, and with the criteria defined in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA.
So, you are not necessarily required to address all five of the Trust Services Principles in your SOC 2 report; instead, select the principles that are relevant to the services you provide to your customers.
A few good pointers to make sure you hit the nail on the head:
1. A good place to start is always checking with your clients about which Trust Services Principles they expect you to be attested on.
2. You can also review the SLAs you have signed and gather stakeholder feedback.
3. Last but not least, look at your company's vision and what you have pledged to offer your clients, even if they do not yet expect it.
If you are ready to begin your SOC 2 audit and need help determining which of the Trust Services Principles to include, contact us today. With dozens of successful SOC 1/2/3 attestations under our belt, we provide our SOC 2 attestation services through our US office (VISTA InfoSec LLC), AND we have our own AICPA-accredited CPA to ensure the reports are fully valid.
If you need more information on SOC 2, feel free to visit (and subscribe to) our YouTube channel.
Visit us at www.vistainfosec.com