SOC 2 Academy: Trust Services Criteria
by Joseph Kirkpatrick / May 16th, 2023
SOC 2 Terminology
The Trust Services Criteria are a set of criteria established by the AICPA to be used when evaluating the suitability of the design and operating effectiveness of controls in a SOC 2 audit. There are five categories:
- Security – Is the system protected, both physically and logically, against unauthorized access?
- Availability – Is the system available for operation and use as agreed upon?
- Confidentiality – Is the information that’s designated as confidential protected as agreed upon?
- Processing Integrity – Are the processing services provided in a complete, accurate, and timely, manner?
- Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization’s privacy notice and business objectives?
All organizations must be audited against the security category, but they can decide which of the other categories to include based upon their unique environments and service offerings.
In the AICPA’s updates to SOC 2 reporting in 2018, there were quite a few SOC 2 terminology changes. Most notably, the Trust Services Principles and Criteria are now strictly referred to as the Trust Services Criteria. However, it’s important to note that the AICPA did not update the acronym to reflect this change. Instead, the acronym for Trust Services Criteria will remain TSP.
An additional SOC 2 terminology update is that security, availability, confidentiality, processing integrity, and privacy are now referred to as categories as opposed to criterion or principles. So, for example, when a service organization begins their SOC 2 audit journey, one of the first steps they will take will be to determine which of the categories they’ll need to include in their audit.
Common Criteria and Additional Criteria
The common criteria refer to the complete set of criteria for the security category, which is what the remaining categories are based on. There is additional criteria for each individual category. For example, if a service organization includes both security and availability categories, the SOC 2 audit will be assessed on compliance with the common criteria as well as the following additional criteria for the availability category:
- The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
- The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives
- The entity tests recovery plan procedures supporting system recovery to meet its objectives.
Work with KirkpatrickPrice to Meet Your SOC 2 Compliance Goals
For assistance deciding which categories best apply to your organization, or with help meeting your SOC 2 compliance goals, connect with one of our experts today!
More SOC 2 Resources
Understanding Your SOC 2 Report
SOC 2 Compliance Handbook: The 5 Trust Services Criteria
There are some slight terminology changes in the 2017 SOC 2 Trust Services Criteria. Security, availability, processing integrity, confidentiality, and privacy are now known as categories. Anything that relates to all five of those categories is still referred to as common criteria. There’s additional criteria that’s provided for availability, processing integrity, confidentiality, and privacy – basically anything other than security. It’s important to know how this criteria is organized throughout the SOC 2 framework so that you can tackle your audit and become compliant with the SOC 2 requirements.
