June 21, 2023

What Are the 5 SOC 2 Trust Services Criteria?

Devon Lane
Content writer
at Flowbase

Going through a SOC 2 compliance journey can feel like an insurmountable task on the surface. That’s why we love to break it down into manageable steps and components that are easier to understand. 

Today, we’re focusing on the five trust services criteria (TSC) for SOC 2. These are five criteria that can be applied to your SOC 2 audit, and include:

  • Security 
  • Availability
  • Confidentiality 
  • Processing integrity 
  • Privacy

The first, security, is a required criteria for any SOC 2 audit. This is why it’s also called the common criteria. The rest are optional — it’s up to you whether you want to audit those capabilities or not. 

Below, we dive into each of the five criteria with a bit of a definition and an explanation behind why you might want to audit it.

Security

The security criteria evaluate a company’s ability to protect data throughout its lifecycle — when it’s at rest, in motion, and in use. As such, the audit for this criteria will focus on controls that protect against unauthorized access, data leakage, and misuse of data. The controls in place should include a variety of risk-mitigating solutions, including endpoint protection, network monitoring, identity and access management, and more. 

To prepare for an audit of your security criteria, you’ll need to spend time reviewing all the requirements, identifying gaps, and implementing controls as needed before they’re reviewed. 

When to include it: As mentioned above, the security criteria is required for all SOC 2 audits.

Availability

The availability criteria evaluate a company’s effectiveness in terms of their technology’s uptime and performance. While the criteria don’t establish a baseline for performance, they do determine whether systems include controls and stopgaps to uphold system operation. These controls can include the likes of performance monitoring, regular data backups, and robust data recovery plans. 

When to include it: If you’re operating in a space where there are concerns around downtime or customers that rely on service level agreements (SLAs). Ultimately, including the availability criteria helps build trust with customers that want consistent performance and uptime.

Confidentiality

When it comes to confidentiality, the criteria require companies to showcase their ability to safeguard the confidential information of their internal and external users at all stages. That includes data collection, processing, and disposal. Confidential information can include personal information, trade secrets, and intellectual property. Often, confidentiality controls are defined by industry regulations and laws, as well as any contracts with customers and partners. The controls can cover things such as encryption and identity and access management. 

When to include it: If you regularly store sensitive information that’s protected under non-disclosure agreements, or if you have requirements to delete customer information when it’s no longer needed. 

Processing integrity

The processing integrity criteria assess a company’s ability to process data in a predictable manner, without any accidental or unexplained errors. They determine whether the information that’s produced or managed by your systems are both accurate and reliable. 

Ultimately, the processing integrity criteria speak to a technology’s reliability, which is an important metric in multiple industries.

When to use it: If your customers use your systems and technology to execute critical tasks such as financial or data processing. 

Privacy

Similar to the confidentiality criteria, the privacy criteria focus on storing confidential information. The difference is that they focus specifically on personally identifiable information — especially the data collected from customers. The controls under privacy include reviews of customer communication, consent gathering, and the collection of personal information. They also should help verify that the right parties have access to that information, and that there are specific guidelines around what can be done with that information. These controls can include privacy policies and consent management systems.

When to use it: If your customers use your systems to store personally identifiable information including social security numbers, financial information, birthdays, or healthcare information.

Which criteria should I include in my audit? 

It depends. 

While the security criteria is a must have for every SOC 2 audit, it’s called the common criteria for a reason, the other four are optional. Whether or not you include them will depend on the type of product or service you offer, and where you want to inspire confidence for your customers. For example, if your company provides cloud servers or storage, you might consider doing an audit of your system’s availability so as to show that you abide by best practices. This will help you stand out against your competitors. 

Need help choosing the right criteria for your SOC 2 audit? We can help. Get in touch to learn how.

We’re here to help.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt.

Get Started
LEARN MORE!
Responsive Components
Responsive Components
Responsive Components
Hey! Have any questions?

Frequently Asked
Questions

What type of compliance standard can you help with?

We help our clients based on their needs. The majority of our contracts involve SOC-2, HIPAA, and most recently GDPR. Feel free to ask us if we can help with your particular case. If we aren't able to, we can most likely recommend you to someone who can.

How long does a SOC 2 engagement usually take?

We move as fast as our clients are able to make progress. Our fastest client to date got their SOC-2 Type I four months after signing our engagement letter. That record is up for grab if you are up for it.

In our experience however, it takes 6-9 months to achieve a SOC-2 Type I,  and 3-6 additional months to obtain a SOC-2 Type II report.

Which standard do you follow for your security policies?

All of our security policies follow the ISO-27001 standard. The Confidentiality, Integrity, and Availability standards cover the range of standards we like to work with for SOC 2.

Why do we have to become SOC 2 compliant if we are relying on AWS which is already compliant?

SOC 2 stands for Service Organization Control, meaning your clients are interested in understanding your controls, not your hosting provider’s control. As part of your vendor assessment we recommend reviewing AWS’ SOC 2 report, but relying on their report is not enough to become SOC 2 compliant.

Who is behind SOC 2?

The American Institute of CPAs. The AICPA is an established and respected organization that provides two forms of audits to companies that demonstrate evidence of a secure data-protection infrastructure. A Type I is a point in time audit that addresses the company’s description of its system, the suitability of the system’s design, and the effectiveness of its internal data controls. A Type II report happens over a period of time and emphasizes design and also focuses on the validity of the company’s controls.

Are SOC 2 reports a legal obligation?

No, but most enterprise level organizations that engage with sensitive data (again, almost all of them) have an obligation to their stakeholders to prove due diligence regarding data security, which means they’ll want to vet their service providers using this tool. SOC 2 can help these prospective service providers set themselves apart from the competition. Just as important, a SOC 2 report represents a meaningful and respected signifier of trust.

What can happen to a company without a SOC 2 report?

A lack of a SOC 2 report won’t result in legal problems, but it can and will limit outside assessments of the company’s commitment to data security. When large-scale clients look for providers, or large-scale backers look for a likely return on their investment, they don’t want concerns about security to stand in the way. Trust is a chain made of links that have each been put the test and have proven their ability to withstand pressure and scrutiny. Company leaders are wise to let SOC 2 auditors apply this pressure so their clients and backers don’t have to.

When is it too late for a SOC 2 audit?

Never. Even companies that have been in business for years but have never obtained a SOC 2 report can—and should—take steps in this direction now. Being compliant with SOC 2 can open the door to a broader base of more significant clients and larger contract opportunities. That being said, startups in the threshold of the marketplace, and new business owners who hope for an eventual public offering, should obtain a SOC 2 report during the development and financing process. By the time the company approaches Series B and C fundraising rounds, a report should be in hand.

How complicated is the auditing process?

The auditing process can be easy, or complicated depending on your level of preparation.

Preparing for the audit can take some time, attention, and the guidance of reliable data security experts. Don’t leave any part of this process to chance. Approach SOC 2 compliance one step at a time, and start by contacting a consulting firm with track record of experience in your area of the marketplace.

Home
Resources
Contact
Raze™ All Rights Reserved, 2022.
Style Guide
Licence
Changelog