Once you’ve committed to a SOC 2 report, you’re ready to choose your Trust Service Criteria (TSC) categories. Start by looking at the five categories from your customers’ perspectives:
At a minimum, your SOC 2 report must include the Security category. Its criteria are called the “Common Criteria” because they apply to every category and form the foundation for the other four. The other four categories (Availability, Processing Integrity, Confidentiality, and Privacy) each add further commitments on top of that foundation.
Often, companies will focus on Security the first year and add additional categories over time as their business matures.
The Trust Service Criteria consist of five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The current set of Trust Service Criteria, TSP Section 100 (2017), includes 33 criteria for the Security category and 28 additional criteria spread across the other four categories. Each criterion is typically broken down into a handful of sub-requirements (the “points of focus”) that describe the operational practices an auditor expects to see in place.
Note: In the previous iteration of SOC 2 (for reports covering periods ending before December 15, 2018), the TSCs were called Trust Service Principles. The acronym TSP is still used in some of the AICPA’s formal documentation.
Let’s take a high-level look at each category:
Security refers to the protection of:
Security controls are often designed to prevent and detect system failure, incorrect processing, theft, or other unauthorized data removal.
Should I include Security in my report? Yes! The Security category is mandatory for all SOC 2 reports.
Availability refers to whether your customers can access your products and services as committed. Availability controls usually cover system uptime, capacity planning, monitoring, maintenance, and backup and recovery.
Should I include Availability in my report? You may want to include Availability if your customers often ask you for:
Confidentiality addresses your company's ability to protect information that’s designated as confidential from its initial collection through its disposal.
Information is “confidential” if you’re required to limit its access, use, and retention, or to restrict its disclosure to defined parties. This is distinct from “personal information,” which covers only information that identifies an individual and is handled under the Privacy category.
Should I include Confidentiality in my report? You may want to include it if your customers:
Processing integrity addresses whether your systems process data completely, validly, accurately, and on time, and only when authorized. In practice this means few-to-no errors, delays, or omissions, and no unauthorized or accidental manipulation of data.
Should I include Processing integrity in my report? You may want to include it if your customers:
Privacy applies only to personal information, such as an individual’s full name or social security number.
The Privacy criteria examine your company’s rules and practices around:
Should I include Privacy in my report? You may want to include it if your customers:
You may also find that customers who care about privacy will accept evidence of GDPR compliance instead of asking for the Privacy category in your report.
Ultimately, which categories to include is your business decision. Let’s walk through a few examples to understand how others have made the decision:
A small startup makes a recruiting tool that has access to recruiters’ email accounts and chooses to add Confidentiality to their report. Providing a SOC 2 report with Confidentiality demonstrates the company is serious about protecting the access they have to the emails their users send and receive.
A company that provides a CI/CD tool, building and deploying code for its customers, adds Availability to their audit. The company demonstrates it understands that if its service is unavailable, its customers may be unable to build and deploy changes to their services.
The company behind a finance app that transfers money on behalf of its customers adds checks (“controls”) for Processing Integrity. Their customers gain additional assurance that the company’s transaction-processing systems are accurate.
We hope this gives you a better picture of how the TSC categories interact with SOC 2 reports, but if you’re still feeling overwhelmed, don’t worry—Vanta will help you select just the right TSC categories for your report.
We’ve worked with hundreds of companies and we understand how these commitments vary with business objectives and time. We can save your team time and ensure that your SOC 2 report helps you to build those essential, trusting relationships with your customers.