A SOC 2 audit is like a report card that shows clients you’ve got your act together when it comes to handling their sensitive information. It’s proof that your systems and processes have been thoroughly checked and approved by objective, third-party experts.
What’s unique about a SOC 2 report is that you get to define the scope. Every service organization gets evaluated on security, but choosing the other security and privacy considerations that get audited—known as the Trust Services Criteria—is up to you.
Which Trust Services Criteria Should You Choose?
The Trust Services Criteria are a set of five IT security principles developed by the American Institute of Certified Public Accountants (AICPA) to help organizations safeguard their sensitive information and assets.
In this article, we’ll outline each Trust Services Criteria category and provide guidance on whether you should consider including it in your SOC 2 scope.
Security
The security category focuses on protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. This includes protecting systems both physically (on location) and from remote threats like hacking, viruses, and other cyber attacks.
Important security-related controls and processes include the use of passwords, authentication systems, segregation of duties, encryption, and firewalls.
Security is required for all SOC 2 reports and, therefore, is sometimes referred to as the “common criteria.”
Availability
Availability means ensuring information and systems are accessible to authorized users when needed. This includes minimizing downtime and maintaining system performance. Relevant controls may include redundant servers, backup and recovery systems, load balancing, and disaster recovery plans.
If you answer “yes” to any of these questions, consider including availability in your audit scope:
- Do you have service level agreements (SLAs) related to system uptime or performance?
- Would system downtime significantly impact your customers’ operations?
Processing Integrity
When looking at processing integrity, auditors want to know your systems are handling information accurately and reliably, without experiencing errors, omissions, incorrect processing, or unauthorized or accidental manipulation.
If you answer “yes” to any of these questions, consider including processing integrity in your audit scope:
- Do your customers rely on your systems to perform critical operational tasks like financial or data processing?
- Would inaccurate or unreliable data produced by your systems negatively impact customers?
- Do you transform, manipulate, or analyze customer data in your systems?
Confidentiality
Here, auditors are looking at how you protect information designated as confidential. This may include trade secrets, intellectual property, or client financials. Confidentiality controls may include data classification rules that govern who can access certain information.
Examiners may also ask about audit trail capabilities, meaning your ability to monitor who accessed sensitive information and what actions they took (e.g., copying, deleting, or editing data).
If you answer “yes” to any of these questions, consider including confidentiality in your audit scope:
- Do you handle sensitive data protected by NDAs or regulations?
- Do you collect and store intellectual property, trade secrets, or client financials?
- Do your contracts with customers require you to delete their data when no longer needed?
Privacy
Privacy specifically focuses on controls to protect personally identifiable information (PII). Auditors will be looking to see if you operate in accordance with client agreements, as well as any applicable laws or regulations.
Privacy controls often include issues of notification, choice, and consent. This means you’ve let people know how you collect, use, and retain their information so they can make an informed decision about whether to share it with you.
Privacy criteria may also deal with issues of access, such as giving customers a way to view the information you’ve collected so they can ask you to correct it. In addition, auditors will be looking at your disclosure and notification policies, such as defining how you’ll detect data breaches and notify customers if a breach occurs.
If you answer “yes” to any of these questions, consider including privacy in your audit scope:
- Do you collect PII from customers such as Social Security numbers, birthdays, or healthcare data?
- Do you need consent management tools to collect customer PII?
- Are you subject to data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA)?
- Do you run an e-commerce platform?
Can’t decide between privacy and confidentiality (or both)? See our related article Understanding the Privacy and Confidentiality Criteria in a SOC 2 Examination.
Choose the Trust Services Criteria Your Customers Expect
Evaluating your customers’ key concerns will help determine which Trust Services Criteria to include in your SOC 2 audit. A more comprehensive audit can demonstrate a stronger commitment to security and satisfy a greater number of potential customers.
Our goal is to make your SOC 2 audit as straightforward as possible, with a practical approach that addresses your concerns in a cost-effective manner. For more information and help defining your SOC 2 audit scope, get in touch with our team.