Introduction to SOC 2
SOC 2 Trust Principles: Everything you need to know
SOC 2 is all about trust. It’s a compliance standard that’s used to show customers, prospects, and partners that you’re following information security best practices and demonstrate how you’ll keep their data safe. The foundation of SOC 2 is its trust principles — these principles determine which security controls are needed within an organization's security infrastructure.
In this article, we’ll explain what the SOC 2 trust principles are and how to determine which to include in the scope of your SOC 2 report.
What are the SOC 2 trust principles?
The five SOC 2 trust principles are security, availability, processing integrity, confidentiality, and privacy.
SOC 2 and its principles were created by the Association of International Certified Professional Accountants (AICPA). The SOC 2 trust principles were renamed the Trust Services Criteria in 2018, but are still referred to as the trust principles in some formal AICPA documents.
Not all five principles are required for each SOC 2 report. The security principle, also referred to as the common criteria, is required of every organization seeking SOC 2 compliance. The other four principles only need to be included in your SOC 2 if they apply to your business. For example, if your business doesn’t process data on your customers’ behalf, the processing integrity principle doesn’t need to be part of your SOC 2.
What are the five SOC 2 trust principles?
A crucial step in the SOC 2 compliance process is defining the scope of your report by determining which of the SOC 2 trust principles apply to your organization. This section will provide an overview of each principle and the types of criteria they include.
The security trust principle is the core of SOC 2. It is the most extensive of the five principles with a list of over 30 criteria, all of which are mandatory for a SOC 2 report. The security criteria help you create a system that protects your data from unauthorized access with measures like access controls, physical security, and data encryption.
Some example security criteria include:
- CC3.3: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
- CC4.1: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
The availability principle ensures that data is accessible by customers and employees when needed for its intended purpose. This principle also covers the recovery of that data in case your systems experience a technical failure or breach.
Some example availability criteria include:
- A1.2: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
- A1.3: The entity tests recovery plan procedures supporting system recovery to meet its objectives.
All data must be protected under SOC 2. The trust principle of confidentiality takes that one step further to ensure that any confidential information — such as your customers’ business secrets, intellectual property, or personal information — remains confidential.
Some example confidentiality criteria include:
- C1.1: The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
- C1.2: The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
The processing integrity principle applies to businesses that process, run analytics on, or otherwise manipulate data on behalf of their customers. This principle ensures that any data you process or analyze for your customers is accurate and reliable.
Some example processing integrity criteria include:
- PI1.2: The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives.
- PI1.5: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.
The privacy principle covers the rights of consumers and their data. It includes criteria that protect the privacy of consumers’ data and give them control over the way that data is collected and used.
Some example privacy criteria include:
- P3.2: For information requiring explicit consent, the entity communicates the need for such consent as well as the consequences of a failure to provide consent for the request for personal information and obtains the consent prior to the collection of the information to meet the entity’s objectives.
- P4.1: The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy.
Within the official SOC 2 trust principles (now called the Trust Services Criteria), you’ll see the term supplemental criteria for a subset of the security principle. These criteria are drawn from a framework created in 2013 called the COSO framework (Committee of Sponsoring Organizations of the Treadway Commission). The COSO framework was an information security guide to help service organizations protect their data, much like SOC 2.
Many of the original requirements of the COSO framework are now included in SOC 2, which is why you’ll see some security criteria labeled with a COSO framework number (for example, CC1.3 is also COSO Principle 3). The supplemental criteria were not part of the original COSO framework but are still a necessary part of SOC 2 compliance. They cover:
- CC6: Logical and physical access controls
- CC7: System operations
- CC8: Change management
- CC9: Risk mitigation
How to get your SOC 2
To start your SOC 2 compliance journey, the first step is scoping. With an understanding of the five trust principles, you can determine which of the criteria apply to the operations of your business and include them in the scope of your SOC 2.
Compliance automation can simplify the process of scoping your SOC 2 and getting the controls in place for each trust principle. With Vanta’s trust management platform, you can assess your risk, identify areas of non-compliance, and get a checklist of actions to help you make the needed changes. From there, Vanta will help you automate the evidence collection process and centralize all your documents ahead of your audit. We can even help you find an auditor.
See how you can automate SOC 2 compliance by requesting a demo.