Five SOC 2 Trust Service Criteria Principles and Why They Are Important

by: Katelan Suzanne Price
Verified by: CPA

June 10, 2024

As businesses mature, SOC 2 reporting is an increasingly important way to demonstrate security and trustworthiness to partners and customers alike.

A SOC 2 report is the result of an audit conducted by an independent third party that evaluates an organization’s non-financial controls and processes for protecting customer data. To accomplish this, auditors rely on a rigorous set of criteria called the Trust Services Criteria (TSC), which cover security, availability, processing integrity, confidentiality, and privacy.

But no two companies or digital services are alike, and customer concerns vary widely across industries. For example, a healthcare app might have extensive privacy concerns, whereas a B2B app focused on reporting might prioritize fast and reliable data processing. 

With all these unique concerns, why should their SOC 2 reports look the same?

In short, they don’t have to.

While it’s easy to think that a business must be audited against all five criteria, that’s often not the case. Instead, choosing a more targeted audit, focused on your most important criteria, can save time and money while still delivering the assurance your customers need. 

But how do you know which criteria are the most relevant for your business?

In this article, we’ll dive into each of the five Trust Service Criteria, explain why they matter, and provide guidance on securing a SOC 2 audit that provides clients and partners with the assurance they need.

What Are the Trust Service Criteria?

The Trust Service Criteria (TSC) are defined by the Association of International Certified Professional Accountants (AICPA). They cover five key areas:

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

These areas are crucial for building confidence with customers who entrust you with their sensitive data and mission-critical systems. 

Importantly, not every organization needs to be evaluated against all five criteria – in fact, very few do. Instead, organizations should work with their SOC 2 auditor to select the specific criteria most relevant to their services and customers’ needs.

This flexibility allows you to tailor the SOC 2 audit process to your unique business requirements. You don’t have to undergo a full assessment of every single criterion.

We’ll explore each criterion, what it entails, and how to determine if it’s right for you.

Security

The security criterion is the foundation of the SOC 2 framework and is mandatory for all SOC 2 audits.

It ensures that an organization has protected its systems and information against unauthorized access, disclosure, and damage.

It includes nine topics, or Common Criteria, that auditors evaluate:

  • CC1 – Control Environment: This covers the organization’s commitment to integrity and ethical values, board oversight, organizational structure, and accountability. 
  • CC2 – Communication and Information: Auditors assess how the organization communicates internally and externally about security-related matters.
  • CC3 – Risk Assessment: The organization’s processes for identifying, analyzing, and responding to security risks. 
  • CC4 – Monitoring Activities: Ongoing monitoring and evaluation of the security controls to ensure they continue to be effective. 
  • CC5 – Control Activities: The design and implementation of controls to mitigate security risks. 
  • CC6 – Logical and Physical Access Controls: Processes for managing access to systems, networks, and physical facilities. 
  • CC7 – System Operations: Configuration management, backup and recovery procedures, and incident response. 
  • CC8 – Change Management: Controls around changes to products, services, and systems. 
  • CC9 – Risk Mitigation: Identification and mitigation of potential business disruptions, as well as vendor risk management.

To succeed in a SOC 2 security audit, an organization must have controls in place for each of the nine Common Criteria. Ideally, each criterion should be supported by several overlapping controls so that systems remain protected even if one control fails.

Availability

The availability criterion focuses on ensuring that an organization’s systems are usable and accessible enough to meet the operational needs of the business itself and its customers. This generally involves setting limits around an application’s maximum allowable downtime and recovery time and creating backup systems and other redundancies to maintain availability if something goes wrong.

The three topics for availability are: 

  • Capacity Management: Organizations must be able to analyze and predict their system usage and scale their resources according to those predictions.
  • Environmental Controls and Backups: Organizations must have plans to protect their systems and data against environmental disasters (such as floods or fires). This includes establishing regular, secure data backups.
  • Recovery Plan: Organizations must have an established recovery plan, including data and infrastructure restoration, and it must be regularly tested to ensure its functionality.

The availability criteria are a good fit for any organization whose services depend on providing consistent, reliable access at all times. For example, a company offering cloud-based software-as-a-service (SaaS) would likely need to include the availability criteria in its SOC 2 audit to show its commitment to stability and uptime.

Processing Integrity

The Processing Integrity criterion evaluates whether an organization’s systems process data and transactions reliably, without integrity issues such as inaccuracies, delays, omissions, or unauthorized changes.

It includes five topics:

  • Information Quality: Organizations need to support their processes or services with relevant, high-quality information. They also need to explain to consumers what data is needed and why.
  • System Inputs: Organizations need to create policies and procedures governing their system inputs, in other words, the data being entered into the system, to ensure that it is complete and accurate.
  • System Processing: Organizations need policies and procedures governing how data is processed safely and accurately and what must be done if errors occur.
  • System Outputs: Organizations should establish policies and procedures governing the outputs generated by the system, for example, reports and analytics. These policies should ensure timely delivery, accuracy, secure delivery, and recordkeeping.
  • Data Storage: Organizations should have systems and processes to safely store all input and output data, as well as records about their processing integrity systems, policies, and procedures.

The Processing Integrity criterion is especially important for organizations that process data or transactions regularly, such as financial services, e-commerce, or data reporting platforms.

Confidentiality

While the privacy criterion concerns personally identifiable information, confidentiality concerns other sensitive data, such as intellectual property and sensitive business information. The confidentiality criterion mainly focuses on protecting confidential information from unauthorized access or disclosure.

The two key topics for confidentiality are:

  • Identification and protection: Organizations should have a standardized process for determining which information is confidential and established safeguards to protect it from unauthorized access and disclosure.
  • Access controls: Organizations should restrict access to confidential information so that it can only be viewed or modified by authorized personnel.

The confidentiality criterion is ideal for organizations that handle sensitive data, even if they do not collect personal information directly. For example, a SaaS company that offers project management and CRM platforms would likely include the confidentiality criterion but not privacy, because it does not collect personal information directly from individuals.

Privacy

The privacy criterion focuses on an organization’s ability to protect its users’ personal information throughout its lifecycle, from collection through usage, disclosure, and disposal. This includes personally identifiable information such as names, addresses, and Social Security numbers.

It includes eight topics:

  • Notice: Organizations must inform users about what information will be collected, why, and how it will be used.
  • Choice and consent: Users must be able to consent or opt out of personal information collection.
  • Collection: Organizations must limit their collection of personal data to that which closely aligns with their needs and purposes. For example, if you only need demographic information, you cannot collect additional personal information along with it.
  • Use, retention, and disposal: Any information collected should only be used for its intended purpose (e.g., what was established in the notice and consented to) and should be disposed of once it no longer serves that purpose.
  • Access: Users whose information is collected must be given access to review and update it as needed. If this access is denied, the organization should promptly provide a compelling reason and allow for an appeal process.
  • Disclosure and notification: If data is shared with third parties, organizations must communicate what data has been shared. Each third party should have privacy practices consistent with the organization’s own, which the user has agreed to. Finally, if any data breaches occur with the third party, the user should be notified immediately.
  • Quality: Organizations should maintain accurate and high-quality data by enabling users to access and update their information and conducting due diligence if data is collected through third-party sources.
  • Monitoring and enforcement: Organizations should have an established process for monitoring compliance, answering questions, and addressing disputes. As part of this process, users should be provided with contact information for inquiries or complaints.

Organizations that handle sensitive personal data on behalf of individuals, for example, a healthcare organization that manages patient data or a consumer-focused financial services organization, would likely need to include the privacy criterion in their SOC 2 audit.

How to Choose The Right Trust Service Criteria for Your SOC 2 Report

When selecting the appropriate Trust Service Criteria for your SOC 2 audit, partner with a SOC 2 auditor you can trust. Together, you’ll follow a few key steps to determine the most appropriate criteria to include in the SOC 2 audit.

First, identify your services and customer needs

Start by closely reviewing the specific services and solutions you offer to your customers. Also, review the terms and conditions, service-level agreements, and other commitments you make to your customers. What are the factors they care about most? Understanding your customers’ priorities will help you determine which TSC should be the focus of your SOC 2 report. In many instances, Security, Availability, and Confidentiality will be the factors that matter most to clients and partners, though this may differ depending on the type of business you operate.

Second, assess your current controls

What internal controls or security measures have you already implemented? Are there any gaps or weaknesses? If so, take steps to remediate them, then proceed with an audit against the TSC those controls fall under.

Finally, determine your SOC 2 audit scope

Use the information gathered during the first two steps about your customer needs, services, and internal controls to select the Trust Services Criteria relevant to each one.

Benefits of a Targeted SOC 2 Audit

One of the advantages of the SOC 2 framework is the ability to refine your audit by selecting only the specific Trust Service Criteria that are most relevant and valuable for your organization. This streamlines your efforts and aligns your SOC 2 report with your core business objectives and compliance priorities.

This can result in several key benefits: 

  • Cost-Effectiveness: Rather than paying for a full assessment of all five TSCs, you’ll only be evaluated on the criteria that matter most to your organization. This can be significantly less expensive than a comprehensive audit covering areas that may not be critical for your business. 
  • Efficiency: With a streamlined audit process focused on your key areas of emphasis, your audit will often be completed more quickly. Narrowing the scope also allows your team and the auditors to dedicate full attention to the targeted criteria. 
  • Relevance: Demonstrating your commitment to the specific issues your customers and stakeholders care about most builds trust and confidence in your products and services. It shows that you’re taking a strategic, prioritized approach to security and compliance rather than pursuing a one-size-fits-all certification.

By undergoing a targeted SOC 2, you can achieve certification on the criteria that provide the most value to your organization and customer base, and showcase your commitment to security in the areas that matter most. 

The specific TSCs you select should be driven by a careful analysis of your unique services, customer concerns, and overall organizational needs. But a targeted SOC 2 approach allows you to send a powerful message about your commitment to the security controls that matter most, in a more budget-conscious way.

Streamline Your SOC 2 with Smith + Howard

SOC 2 reports show customers that they can trust a business with their most important data by evaluating its internal controls and security practices. Undergoing these audits helps businesses build trust with their customer base and potential partners.

Tailoring your SOC 2 report by focusing only on the Trust Services Criteria that matter most to your business and your customers can streamline the audit process, saving time and money. 

A trustworthy partner like Smith + Howard’s SOC Reporting Team can help you evaluate your SOC 2 needs, select the best criteria, and undergo a successful audit. 

To find out how Smith + Howard can help you navigate a seamless SOC 2 reporting process, please provide your name and organization here and Katelan Suzanne Price will reach out to you soon. 
