Once you as an organization are determined to pursue SOC 2 attestation, one of the key things to decide is which of the five Trust Services Principles (recently updated to Trust Services Criteria) you need to include in the SOC 2 attestation. SOC 2 reports can address one or more of the following principles: Security, Confidentiality, Availability, Processing Integrity, or Privacy. Becoming familiar with these principles is the first step towards determining the scope of the SOC 2 audit and deciding which of these principles apply to the services the organization provides.
The Trust Services Principles
Trust Services Criteria
In a non-privacy SOC 2 engagement, the Security principle must be included. The Security principle serves as the common criteria that apply to any SOC 2 engagement, and it applies across the board to all the principles involved except for Privacy. The Security principle addresses whether the system is protected (both physically and logically) against unauthorized access.
If the services your organization offers deal with sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the Confidentiality principle should be present in your SOC 2 audit report. The Confidentiality principle addresses the agreements that you have with clients regarding how you use their information, who has access to it, and how you protect it. Are you following your contractual obligations by properly protecting client information?
Are you ensuring that the systems (infrastructure and application) you provide to your clients are available for operation and use as per the agreed-upon uptimes? Availability addresses whether the services you provide are operating with the type of availability that your clients expect and that is documented in your SLA. The Availability principle typically applies to companies providing colocation, data centre, SaaS (Software as a Service) based services or hosting services to their clients.
If the services you provide are financial services or e-commerce services and are concerned with transactional integrity, Processing Integrity is a principle that should be included in your SOC 2 audit. You must ensure that the services you provide to your clients are complete, accurate, authorized, and on time.
Lastly, we have the Privacy principle. The Privacy principle is unique and stands on its own. It specifically addresses how you collect and/or use consumers’ personal information and whether they have the right to opt out of how their information is used. It ensures that your organization is handling client data in accordance with any commitments in the entity’s privacy notice as committed or agreed and with criteria defined in generally accepted privacy principles issued by the AICPA.
So, you aren’t necessarily required to address all five of the Trust Services Principles in your SOC 2 audit report. However, you should select the principles that are relevant to the services you are providing to your customers…
A few good pointers to make sure you hit the nail on the head:
- A good place to start is always checking with your client which Trust Principles they expect you to get attested on.
- You can also check the SLA you have signed and gather stakeholder feedback.
- Last but not least, look at the vision of your company and what you have pledged to offer to your client, even if they are not expecting the same.
While organizations are not necessarily required to address all five of the Trust Services Principles in their SOC 2 audit report, they should select the principles that are relevant to the services they provide to their customers. In my opinion, it is best for organizations to discuss the same with consultants to know what is required for their business.
If you’re ready to begin your SOC 2 audit and need some help determining which of the Trust Services Principles you should include, contact us today. With dozens of successful SOC1/2/3 attestations under our belt, we provide our SOC2 attestation services through our US office (VISTA InfoSec LLC), and we have our own AICPA accredited CPA to ensure the reports are fully legit.