Third Party Reporting
Decoding the Five SOC 2 Trust Services Criteria
February 15, 2021 • Jacob Nix
Given the shifting security landscape, SOC 2 reports will only accelerate their role as a prerequisite for conducting business. As such, it's critical for organizations to understand the 5 categories of Trust Services Criteria in order to determine which to include in their respective auditing processes.
As workforces become increasingly remote in the wake of COVID-19, opportunities for cybersecurity threats and cloud breaches will also continue to climb. Independent cybersecurity audits, like a SOC 2 report, not only indicate an organization’s commitment to security and protecting sensitive information, but they ultimately provide a competitive advantage in the market.
What are the 5 SOC 2 Trust Services Criteria?
- Security (also known as Common Criteria)
- Availability
- Confidentiality
- Processing Integrity
- Privacy
Security, the first category, is required in every SOC 2 audit - regardless of the organization or industry. While the others are all optional, they do address specific sets of controls for various aspects of your organization’s information security, so more than one additional category may be needed for a comprehensive audit.
Which Criteria should I include in my program?
To determine which Trust Services Criteria you should include, the first step is to understand what your customers and partners will need from your organization over the course of a year - remember, your SOC 2 report will be valid for 12 months. There is a balance to strike: a report that is both relevant to your services and robust in scope.
Here is a synopsis of each criterion, as well as a use-case.
Security / Common Criteria
Remember, Security is mandatory. Why? Because it speaks to an organization’s ability to protect information throughout its entire lifecycle, preventing unauthorized access to, and damage of, the systems and data that the other Trust Services categories depend on. Controls in this category are focused on mitigating risk, and include network monitoring tools and endpoint protection.
Availability
This category grades the system’s ability to maintain performance and uptime, including data backups, disaster recovery plans, and performance monitoring. Organizations with Service Level Agreements or general concerns about downtime should look to include this Trust Service in their SOC 2 report.
Confidentiality
Confidentiality simply requires that companies are able to successfully protect sensitive and confidential information throughout collection, processing, and disposal. This information can cover anything from personal information to intellectual property and trade secrets. As such, appropriate controls for Confidentiality will include encryption and access management, and specific requirements can be mandated by industry, or even by individual agreements. If your organization stores sensitive information that is bound by Non-Disclosure Agreements or that needs to be deleted, Confidentiality should be included in your SOC 2.
Processing Integrity
This category ensures data can be processed without error, accidental or otherwise. Processing Integrity is most apt for organizations whose customers conduct critical operational tasks, like data and financial processing, where the information produced must be accurate 100% of the time.
Privacy
Similar to Confidentiality, Privacy addresses an organization’s ability to protect information. In this case, it concerns Personally Identifiable Information (PII) collected from customers, including names, addresses, social security numbers, birth dates, and so on. Privacy policies and opt-ins for communication, consent, and collection of information are controls included under this category, and every organization storing PII should include it in their SOC 2 report.
When it comes to your SOC 2 report, it’s best to think of your cybersecurity as playing offense, not defense. Being proactive in your approach will protect your organization, customers, and partners, and differentiate you from the competition in the process.
Interested in learning more about SOC 2, and which Trust Services Criteria are best for your organization’s audit? Get in touch with a member of our team below.