SOC 2's Trust Service Criteria
Once you’ve committed to a SOC 2 report, you’re ready to choose your Trust Service Criteria (TSC) categories.
SOC 2's Trust Service Criteria
Once you’ve committed to a SOC 2 report, you’re ready to choose your Trust Service Criteria (TSC) categories.
Once you’ve committed to a SOC 2 report, you’re ready to choose your Trust Service Criteria (TSC) categories. Start by looking at the five categories from your customers’ perspectives:
- What questions do they ask you?
- Are they concerned about uptime and availability?
- Or do they tend to ask more about data protection?
At a minimum, your SOC 2 report must include the Security category, which is called the “Common Criteria” because it provides a foundation for the other four categories. The other four categories—availability, processing integrity, confidentiality, and privacy— specify new commitments.
Often, companies will focus on Security the first year and add additional categories over time as their business matures.
Overview of the Trust Service Criteria (TSC) categories
The Trust Service Criteria consist of 5 categories:
- Security (also known as Common Criteria)
- Availability
- Confidentiality
- Processing integrity
- Privacy
The latest set of Trust Service Criteria, TSP 100 – 2017, includes 33 main requirements (“Trust Service Criteria and Points of Focus”) for the Security category and 28 optional requirements across the other four criteria.
Let’s take a high-level look at each category:
Each requirement should be broken down into 1-5 sub-requirements that describe operational best practices.
Note: In a previous iteration of SOC 2 (for reporting before December 15, 2018), the TSCs were called Trust Service Principles. The acronym TSP is still used in some of AICPA’s formal documentation.
Determine the right categories for your business
Security
Security refers to the protection of:
- information during its collection, creation, use, processing, transmission, and/or storage
- systems that process, transmit or transfer, and store information.
Security controls are often designed to prevent and detect system failure, incorrect processing, theft, or other unauthorized data removal.
Should I include Security in my report? Yes! The Security category is mandatory for all SOC 2 reports.
Availability
Availability refers to whether your customers can access your products and services, and availability controls often concern system uptime, monitoring, and maintenance.
Should I include Availability in my report? You may want to include Availability if your customers often ask you for:
- A status page
- Uptime guarantees
- Service Level Agreements (SLAs) for planned and unplanned downtime
Confidentiality
Confidentiality addresses your company's ability to protect information that’s designated as confidential from its initial collection through its disposal.
Information is “confidential” if you’re required to limit its access, use, and retention or to restrict its disclosure to defined parties. This is distinct from “private information,” which concerns only identifying information.
Should I include Confidentiality in my report? You may want to include it if your customers:
- Often ask you to sign NDAs?
- Request that you delete data when contracts end?
- Store sensitive financial or R&D information in your product?
Processing Integrity
Processing integrity addresses whether your systems maintain data integrity. This means few-to-no errors, delays, omissions, and/or unauthorized or accidental data manipulation.
Should I include Processing integrity in my report? You may want to include it if your customers:
- Rely on your data processing to run parts of their businesses (e.g. you offer a payment processor or a data pipeline tool)
Privacy
Privacy applies only to personal information, such as an individual’s full name or social security number.
The Privacy criteria examines your company’s rules and practices around:
- Notice and communication of objectives: provide privacy notices to users, customers, and anyone whose data you collect
- Choice and consent: communicate choices about the collection, use, retention, disclosure, and disposal of personal information
- Collection: collect only personal information that aligns with the privacy policy
- Use, retention, and disposal: sets limits for the use, retention, and disposal of personal information
- Access: provide users, customers, or anyone whose data you collect with access to their personal information for review, correction, and updates
- Disclosure and notification: disclose personal information only with the consent of the user, customer, or person whose data you collect, and provide breach notification to all affected parties
- Quality: collect and maintain accurate, up-to-date, complete, and relevant personal information
- Monitoring and enforcement: monitor compliance to privacy policies, including a processes to address privacy-related inquiries, complaints, and disputes
Should I include Privacy in my report? You may want to include it if your customers:
- Store information in your product that can identify and is sensitive to individuals, like social security numbers, health information, or financial status
You may also find that GDPR compliance is a sufficient substitute for the Privacy criteria.
Examples of how businesses decide to add criteria
Ultimately, which categories to include is your business decision. Let’s walk through a few examples to understand how others have made the decision:
A small startup makes a recruiting tool that has access to recruiters’ email accounts and chooses to add Confidentiality to their report. Providing a SOC 2 report with Confidentiality demonstrates the company is serious about protecting the access they have to the emails their users send and receive.
A company that provides a CI/CD tool, building and deploying code for its customers, adds Availability to their audit. The company demonstrates it understands that if its service is unavailable, its customers may be unable to build and deploy changes to their services.
The company behind a finance app that transfers money on behalf of its customers adds checks (“controls”) for Processing Integrity. Their customers have additional insurance that the company’s systems for transaction processing is accurate.
Conclusion
We hope this gives you a better picture of how the TSC categories interact with SOC 2 reports, but if you’re still feeling overwhelmed, don’t worry—Vanta will help you select just the right TSC categories for your report.
We’ve worked with hundreds of companies and we understand how these commitments vary with business objectives and time. We can save your team time and ensure that your SOC 2 report helps you to build those essential, trusting relationships with your customers.
