The SOC 2 Trust Services Criteria (TSCs), published by the AICPA, are a framework for designing, implementing and evaluating the controls over an information system. The purpose of those controls is to give reasonable assurance that the system meets its objectives. The TSCs group controls into five categories, each corresponding to a business objective within the scope of your information system:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
The criteria in each category are the basis for the business controls listed below.
SOC 2 Trust Services Criteria
Control Environment
TSC1.1 – Commitment to integrity and ethics
TSC1.2 – Oversight independence
TSC1.3 – Chain of command
TSC1.4 – Commitment to competent personnel
Provides Training to Maintain Competence – The organization provides continuing education to develop and maintain the relevant skill sets of employees, contractors, and vendors.
TSC1.5 – Individual accountability
Risk Assessment
TSC3.1 – Clear objectives
TSC3.2 – Prioritized risk assessment
Consider the Significance of the Risk – The organization's consideration of risk includes
- determining the criticality of assets,
- assessing the impact of threats and vulnerabilities,
- assessing the likelihood of threats, and
- determining the risk based on criticality, impact, and likelihood.
TSC3.3 – Consideration of potential fraud
TSC3.4 – Identifying and assessing changes that could affect internal control (distinct from the change management criterion TSC8.1)
Control Activities
TSC5.1 – Risk mitigation
TSC5.2 – Technology
TSC5.3 – Policies
TSC5.3 addresses organizational controls deployed through policies and procedures. The remaining common criteria expand on those policies and procedures:
- Logical and physical access controls TSC6.1 - 6.8
- System operations TSC7.1 – 7.5
- Change management TSC8.1
- Risk mitigation TSC9.1 – 9.2
TSC9.2 The organization manages risks associated with vendors and partners.
Establish Requirements for Vendor and Partner Engagements – The organization establishes requirements for vendors and partners including
- scope of services and product specs,
- roles and responsibilities,
- compliance requirements, and
- service level agreements.
Information and Communication
TSC2.1 – Quality, relevant information
TSC2.2 – Effective internal communications
TSC2.3 – Effective external communications
Example: an additional point of focus under TSC2.3 that applies when privacy is in scope of the SOC 2 engagement
Communicate Objectives Related to Privacy – The organization communicates to all stakeholders including users, vendors, and partners objectives related to data privacy.
Monitoring Activities
TSC4.1 – Ongoing independent evaluations
Considers Different Types of Ongoing, Independent Evaluations – Management uses different types of evaluations, including penetration testing, standards-based certifications (e.g. ISO 27001), and internal audits.
TSC4.2 – Corrective actions
Additional Trust Services Criteria
The TSCs above are known as the common criteria (numbered CC1.1 through CC9.2 in the AICPA's 2017 Trust Services Criteria) because they apply to all five TSC categories; the Security category is covered entirely by them. In addition to the common criteria, the TSCs provide additional criteria for four of the five Trust Services Categories:
- Availability A1.1 – 1.3
- Processing Integrity PI 1.1 – 1.5
- Confidentiality C1.1 – 1.2
- Privacy P1.1 – P8.1
P4.3 – (When appropriate) The organization securely disposes of protected personal information.
Disposes of, Destroys, and Redacts Personal Information – Personal information that is no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.
Why SOC 2?
A SOC 2 program is an effective business tool meeting operations, reporting, and compliance objectives.
During a SOC 2 audit, the service auditor reports on whether the controls are suitably designed (a Type I report, at a point in time) and, for a Type II report, whether they operated effectively over the review period, in each case measured against the TSCs and the system's operational objectives. The system under audit can be an entire entity or a single business unit. It can be tightly focused on examining a specific function or tracking the flow of a specific type of information. The scope is meant to be flexible to meet your specific business requirements.
A SOC 2 report, issued by an independent CPA firm under the attestation standards of the American Institute of CPAs, demonstrates to stakeholders that your organization has the controls necessary to meet its business objectives. As a sales tool, the SOC 2 report answers most customer security questions up front and moves the conversation to the value of your service.
Business Benefits of SOC 2 Compliance:
- Competitive Advantage
- Customer Demand
- Security and privacy risk management that supports business resiliency
- Build external stakeholder confidence in the organization's ability to meet business objectives
SOC 2 is a widely recognized attestation standard for assuring the security, availability, processing integrity, confidentiality, and privacy of an information system. SaaS and enterprise service providers use SOC 2 reports to satisfy customers' and partners' cyber-governance requirements. For executives, SOC 2 compliance can help streamline sales, build trust in the marketplace and maintain business continuity.
A SOC 2 report in hand quickly satisfies customer cybersecurity requirements.
Get Started on SOC 2 Compliance Now
When preparing for a SOC 2 audit, the path often seems unclear and overwhelming. A trusted cybersecurity firm like Truvantis can help take the mystery out of the SOC 2 process. Download this SOC 2 Project Plan for more details.
Truvantis provides full-service support for your SOC 2 program. We will advise on the best approach and choices, work with you and your auditor to agree on the design of your program, and manage the implementation. We will then train your staff and guide you through the audit. Let's get started.