Introduction to SOC 2
SOC 2 Trust Services Criteria
SOC 2 is one of the most respected compliance standards today. It provides a framework for implementing data security best practices and offers a verified method for evaluating and certifying your security infrastructure. The security policies and practices for SOC 2 are organized around five categories known as the Trust Services Criteria (TSC), which were called the Trust Services Principles (TSPs) prior to 2018. During your SOC 2 audit, your auditor will assess your security infrastructure against these five criteria.
If you’re preparing to get your SOC 2, it’s important to know how each of the Trust Services Criteria applies to your business and what controls are needed in each. This article will explain each of the TSC areas and how they might apply to your SOC 2.
What are the 5 Trust Services Criteria?
The Trust Services Criteria are five categories that organize the SOC 2 controls:
- (CC) Security, also known as common criteria: Controls that protect data from unauthorized access.
- (A) Availability: Controls that ensure data can be accessed when needed for business use.
- (C) Confidentiality: Controls that restrict unauthorized access to systems and data.
- (PI) Processing integrity: Controls to ensure that organizational systems process data accurately and reliably.
- (P) Privacy: Controls that protect the rights of consumers and their data.
Within each of the TSC there are controls, practices, or processes that need to be met. The current version, the Trust Services Criteria – 2017 (With Revised Points of Focus – 2022), includes 33 core requirements under the security category and 28 additional controls across the other four criteria.
The controls within the security category, the common criteria, provide the foundation for the other four categories. Every organization seeking a SOC 2 must adhere to all of the controls in the security category. The other four categories (availability, processing integrity, confidentiality, and privacy) only need to be included in your SOC 2 audit if you want to create controls for the ones applicable to the way your business uses or processes data. For example, you should add confidentiality to the scope of your report if those criteria are relevant to your business and your SOC 2 report.
Many early-stage companies will focus on the common criteria during their first year and add the additional categories as their business matures.
Which organizational systems do the Trust Services Criteria apply to?
Because SOC 2 is designed for data security, many people assume it only applies to your digital infrastructure and systems, but SOC 2 encompasses much more. It includes controls that protect your data from various risks across your entire organization, such as employee negligence or malice, gaps in physical security, and risks from third parties.
Below are the systems and departments that SOC 2 impacts:
- Physical infrastructure: Where your data is stored (server room, data center) and security practices to control access to these spaces (employee badges, user authentication).
- Digital infrastructure: How your network is configured to segregate data that limits internal and external access.
- Third-party vendors: How you close security gaps and prevent risks from third-party tools and applications.
- Internal operations: Which procedures and practices your staff and contractors follow.
- People: What hiring practices you have in place (background checks) as well as how you onboard and offboard employees’ access to systems.
- Leadership: How your leaders communicate and prioritize security across the organization.
Because SOC 2 touches so many teams and functions, it requires collaboration across multiple departments throughout your organization.
When to include each TSC in your SOC 2
The security criteria are mandatory for anyone receiving a SOC 2, but the other four categories (availability, processing integrity, confidentiality, and privacy) only need to be included if they’re applicable to your business. It’s important to know which ones apply to your organization so you can properly prepare your infrastructure for audit.
In this section, we’ll break down each TSC category to help you assess which ones apply to you.
Security (common criteria)
Security, or the common criteria, is the cornerstone of SOC 2. The controls for this section must be included for all completed SOC 2 reports. This category outlines controls that are about securing data against unauthorized access and breaches.
Here’s what's included in the security criteria:
- Control environment: Establish an environment that values integrity and security.
- Communication and information: Document policies and communicate data handling expectations to internal and external stakeholders.
- Risk assessment: Monitor and assess potential risks.
- Monitoring controls: Ensure security controls are effective.
- Control activities: Reduce risk by implementing the right controls, processes, and technologies.
- Logical and physical access controls: Block unauthorized access and activities to sensitive data, devices, and locations.
- System operations: Set up system monitoring capabilities and establish a recovery plan.
- Change management: Test and approve system changes before deploying them.
- Risk mitigation: Monitor risk from third parties with vendor risk management.
When to include security in your SOC 2:
Security is a mandatory element of every SOC 2 report. Organizations that don’t have all the controls listed under the security criteria will not receive a SOC 2.
Availability
The availability category is an additional criterion of SOC 2 that ensures data is available when needed for its intended use. This requires that your systems be reliable enough that employees and customers have continued access to the data and functionality they need. It also requires that you have a recovery plan in case an incident occurs that results in a loss of data.
Here is a summary of the controls needed for the availability criteria:
- Manage, forecast, and adjust capacity demands.
- Establish environmental protections, backup processes, and recovery infrastructure.
- Test recovery plan procedures.
When to include availability in your SOC 2:
Availability is applicable to organizations that offer data-centered services. It’s especially important if employees or customers need your data to do their jobs or use your products. Some examples could be businesses that provide cloud storage solutions or CRM software.
Confidentiality
Each of the Trust Services Criteria helps keep your clients’ data secure, but the confidentiality category is used when those protections need to be enhanced even further. The confidentiality criteria are relevant if your business handles certain datasets that must be kept confidential and requires that only authorized users have access to them.
Here is a summary of the controls for the confidentiality criteria:
- Identify and maintain the confidentiality of information used for designated purposes.
- Dispose of confidential information properly.
When to include confidentiality in your SOC 2:
The confidentiality criteria apply to your organization if you handle confidential or potentially sensitive data. Some examples include your customers’ intellectual property, trade secrets, or private financial reports.
Processing integrity
The processing integrity category is an additional criterion that ensures your systems are all working properly without producing errors or incorrectly manipulating data. It includes criteria around the reliability of your systems to accurately process data and prevent your customers or employees from receiving inaccurate results.
Here are the controls for the processing integrity criteria:
- Maintain and use quality information for data processing.
- Implement policies and procedures around system inputs.
- Implement policies and procedures around system processing.
- Implement policies and procedures to ensure data outputs are accurate and made available in a timely fashion.
- Implement policies and procedures to store inputs, items in processing, and outputs.
When to include processing integrity in your SOC 2:
If your business or product processes data (such as running calculations or analysis) on your customers’ behalf, this will be something you may consider adding to your SOC 2. Adding this to your SOC 2 attests to your customers that they can trust the accuracy of the analysis and results you generate for them.
Privacy
The privacy category protects the rights of consumers and their data. These criteria ensure businesses follow the proper protocols to collect consumer data, protect it from unauthorized access or misuse, and dispose of it properly when it’s no longer needed or at the consumer's request.
Here are the controls for the privacy criteria:
- Notice and communication: Provide notice to data subjects about privacy practices.
- Choice and consent: Give consumers options about how they want their data to be handled.
- Collection: Collect only the necessary pieces of information to complete the intended business objective and get consent from the consumer prior to collecting it.
- Use, retention, and disposal: Maintain privacy during the collection, storage, and disposal of consumer data.
- Access: Give consumers access to their information and the ability to edit it.
- Disclosure and notification: Disclose what information is collected, and in the case of a breach or loss of data, notify affected parties.
- Quality: Maintain accurate, up-to-date, complete, and relevant information.
- Monitoring and enforcement: Implement processes for receiving and processing privacy complaints or inquiries.
When to include privacy in your SOC 2:
You should consider adding the privacy category to your SOC 2 if you deal with customer data and want to assure customers you’ve created processes with privacy in mind. If you collect any type of consumer data, including data from users on your app, cookies on your website, and personal or contact information, consider adding this to your report.
Simplify your SOC 2 audit
The average SOC 2 process takes roughly a year from the moment you start preparing the controls to when you have a completed SOC 2 report in hand. What takes the most time is preparing your infrastructure and getting all the controls that apply to your organization in place.
However, you can cut this time in half with compliance automation. With Vanta’s compliance automation capabilities, you can assess your risk holistically, identify areas of non-compliance, and get a checklist of actions to help you make the needed changes. From there, Vanta will help you automate the evidence collection process and centralize all your documents to prepare you for audit. We can even help you find an auditor.
Get your SOC 2 quickly and easily with Vanta. Start by requesting a demo.