What are the SOC 2 trust services criteria, and how should you decide what applies to your business?
To become SOC 2 compliant, your startup needs to undergo an audit and receive a clean report testifying the quality of your controls. This is determined by the Trust Services Criteria, formerly known as Trust Services Principles, and audit type.
A SOC 2 report can test against five Trust Services Criteria: security, availability, confidentiality, privacy, and processing integrity. When you engage an auditor, you decide which of the five you’d like tested, if not all. These decisions are often influenced by what enterprise buyers request.
Let’s break down the five components together.
Also known as the “common criteria,” security is the foundational criteria required in a SOC 2 assessment. Security focuses on the protection of information and systems against unauthorized access. It tests if your customers’ information is protected at all times (collection, creation, use, processing, transmission, and storage) along with the systems that handle it.
Security is required in any SOC audit because it not only sets overarching security standards for your company, but also overlaps with the others: setting security controls for availability, confidentiality, privacy, and processing integrity.
Availability addresses network performance, downtime, security event handling, etc. This criterion makes sure your systems are secure and available for customers to use when they expect to. This is important for startups that promise customers access to their data and your services at key times.
For example, your team worked hard to get your platform’s uptime to 99.31%. By validating your uptime and other availability considerations with the availability criteria, you’re further demonstrating your reliability to your customers.
Confidentiality addresses the handling and protection of information, personal or not, that you’ve agreed to designate confidential and secure for your customers (think of proprietary information like business plans, financial or transaction details, legal documents, etc.)
In addition to the protections outlined in the security criteria, the confidentiality criteria provides guidance for identifying, protecting, and destroying confidential information.
For example, your platform manages a customer’s documentation about their trade secrets and intellectual property. For obvious reasons, they only want people within the company (and only some of them) to have access to this sensitive information. The confidentiality criteria signals that you’re set up to protect that information and secure access as desired. It also shows that you’re set up to appropriately destroy confidential information if, say, the customer decides to stop using your platform.
Privacy addresses the secure collecting, storing, and handling of personal information, like name, address, email, Social Security number, or other identification info, purchase history, criminal history, etc.
Similar to confidentiality, the privacy criteria tests whether you effectively protect your customers’ personal information. Confidentiality, on the other hand, applies to any information you agreed to keep confidential.
Processing integrity addresses processing errors and how long it takes to detect and fix them, as well as the incident-free storage and maintenance of data. It also makes sure that any system inputs and outputs are free from unauthorized accessor manipulation. This criteria helps businesses make sure their services are delivered in an accurate, authorized, and timely manner.
For example, the processing integrity criteria demonstrate to customers that your data, processes, and system work as intended, so they don’t have to worry about inaccuracies, delays, errors and whether only authorized people can use your product.
Even though the security criteria is the only necessary TSC for a SOC 2 audit, you may choose to test the other criteria that are relevant to your startup and how you serve your customers.
In our experience, most enterprise customers want to work with startups that are SOC 2 compliant in security and confidentiality. If you’re struggling to decide which criteria to tackle in your first audit, security and confidentiality make a good starting point. Otherwise, add on the criteria your target customers want and are asking for.
In 2013, the Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO, created tighter controls that all businesses must implement in order to achieve a SOC 2 report.
While the Trust Services Criteria assess internal controls over the security, availability, processing integrity, confidentiality, and privacy of a system, the COSO framework addresses the following components:
Both the TSC and COSO framework provides a way for businesses to assess internal controls. However, not all TSC’s need to be met, and organizations must meet the five COSO components and their relevant controls to achieve a SOC 2 report.
Each Trust Services Criteria maps to various policies and controls that are associated with the particular criteria. However, security in particular, is a TSC that must be met in accordance with the 5 COSO components. The other TSC’s (availability, processing integrity, confidentiality, and privacy) associate with controls that go deeper on a specific topic.
For example, the Availability TSC has the monitoring COSO component included and other controls that are specific to network performance, downtime, security handling, etc. Aligning the COSO framework with the TSC’s helps businesses better establish, assess, and enhance their internal controls.
This section will equip you with a realistic timeline of work and effort, and a breakdown of costs to get SOC 2 certified. No surprises.
Specifically, how do you implement SOC 2 within your organization? In this section, we drill down on technical and non-technical controls.
How do SOC 2 audits work? This section will cover everything you need to know about a typical SOC 2 audit process.
This chapter will help you make sense of your SOC 2 report, providing you with an overview of what each section means.
This section runs you through a checklist to better organize all the tasks needed to get SOC 2 certified and assess your readiness for an audit.