This article is part of Laika University

SOC 2 Criteria

What are the SOC 2 trust services criteria, and how should you decide what applies to your business?

What are the SOC 2 trust services criteria?

To become SOC 2 compliant, your startup needs to undergo an audit and receive a clean report attesting to the quality of your controls. What gets tested is determined by the Trust Services Criteria, formerly known as Trust Services Principles, and by the audit type.

A SOC 2 report can test against five Trust Services Criteria: security, availability, confidentiality, privacy, and processing integrity. When you engage an auditor, you decide which of the five you’d like tested, if not all. These decisions are often influenced by what enterprise buyers request.

Why is each SOC 2 trust services criterion important?

Let’s break down the five components together. 

Security

Also known as the “common criteria,” security is the foundational criterion required in every SOC 2 assessment. Security focuses on the protection of information and systems against unauthorized access. It tests whether your customers’ information is protected at every stage (collection, creation, use, processing, transmission, and storage), along with the systems that handle it.

Security is required in any SOC audit because it not only sets overarching security standards for your company, but also overlaps with the others: setting security controls for availability, confidentiality, privacy, and processing integrity. 

Availability

Availability addresses network performance, downtime, security event handling, etc. This criterion makes sure your systems are secure and available for customers to use when they expect to. This is important for startups that promise customers access to their data and your services at key times.

For example, your team worked hard to get your platform’s uptime to 99.31%. By validating your uptime and other availability considerations with the availability criteria, you’re further demonstrating your reliability to your customers.

Confidentiality 

Confidentiality addresses the handling and protection of information, personal or not, that you’ve agreed to designate confidential and secure for your customers (think of proprietary information like business plans, financial or transaction details, legal documents, etc.).

In addition to the protections outlined in the security criteria, the confidentiality criteria provide guidance for identifying, protecting, and destroying confidential information.

For example, your platform manages a customer’s documentation about their trade secrets and intellectual property. For obvious reasons, they only want people within the company (and only some of them) to have access to this sensitive information. The confidentiality criteria signals that you’re set up to protect that information and secure access as desired. It also shows that you’re set up to appropriately destroy confidential information if, say, the customer decides to stop using your platform.

Privacy

Privacy addresses the secure collecting, storing, and handling of personal information, like name, address, email, Social Security number, or other identification info, purchase history, criminal history, etc.

Similar to confidentiality, the privacy criteria test whether you effectively protect your customers’ personal information. The difference is scope: privacy applies specifically to personal information, whereas confidentiality applies to any information you agreed to keep confidential.

Processing Integrity

Processing integrity addresses processing errors and how long it takes to detect and fix them, as well as the incident-free storage and maintenance of data. It also makes sure that system inputs and outputs are free from unauthorized access or manipulation. This criterion helps businesses make sure their services are delivered in an accurate, authorized, and timely manner.

For example, the processing integrity criteria demonstrate to customers that your data, processes, and system work as intended, so they don’t have to worry about inaccuracies, delays, errors and whether only authorized people can use your product.

Which trust services criteria should I include in my SOC 2 audit?

Even though security is the only required TSC for a SOC 2 audit, you may choose to test the other criteria that are relevant to your startup and how you serve your customers.

In our experience, most enterprise customers want to work with startups that are SOC 2 compliant in security and confidentiality. If you’re struggling to decide which criteria to tackle in your first audit, security and confidentiality make a good starting point. Otherwise, add on the criteria your target customers want and are asking for.

How is the COSO framework different from Trust Services Criteria?

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO, created tighter controls that all businesses must implement in order to achieve a SOC 2 report.

While the Trust Services Criteria assess internal controls over the security, availability, processing integrity, confidentiality, and privacy of a system, the COSO framework addresses the following components: 

  1. Risk assessments: How does an organization assess all types of risk?
  2. Information and communication: How do businesses internally and externally communicate what is expected?
  3. Existing control activities: What existing controls does a business currently have in place? How effective were the controls over a period of time?
  4. Monitoring activities: How do businesses oversee the entire organization? How do they identify and fix processes that aren’t working?
  5. Control environments: How does a business create procedures that guide the company? How do they make sure that all controls are operating effectively?

Both the TSC and the COSO framework provide a way for businesses to assess internal controls. However, not all TSCs need to be met, whereas organizations must meet all five COSO components and their relevant controls to achieve a SOC 2 report.

How do Trust Services Criteria integrate with the COSO framework?

Each Trust Services Criterion maps to various policies and controls associated with that particular criterion. Security, however, is a TSC that must be met in accordance with the five COSO components. The other TSCs (availability, processing integrity, confidentiality, and privacy) are associated with controls that go deeper on a specific topic.

For example, the Availability TSC includes the monitoring COSO component as well as other controls specific to network performance, downtime, security event handling, etc. Aligning the COSO framework with the TSCs helps businesses better establish, assess, and enhance their internal controls.
