
TPRM Tuesday #8: Breaking down SOC 2 Trust Services Categories and Criteria for a SOC 2 audit

It’s Tuesday and it’s time for our next TPRM Tuesday posting. Today we will be uncovering the SOC 2 Trust Services Categories and Criteria (TSC) that apply to any SOC 2 audit.

Before diving deep, let’s break down some common definitions.

📚 Trust Services Categories: The classification schema for the Trust Services Criteria, made up of five categories (Security, Availability, Confidentiality, Processing Integrity, and Privacy).

📚 Trust Services Criteria: The criteria used to evaluate the design and operating effectiveness of controls relevant to the Trust Services Categories.

📚 Common Criteria: The criteria that are common to all five Trust Services Categories. These include all criteria that make up CC1.1-CC9.2 and are included in every SOC 2 audit.

📚 Commitments: Declarations made by management to the customer regarding the performance of one or more of the organization’s systems.

📚 Additional Criteria:

✅ Additional Criteria For Availability (A): These controls define additional standards for how organizations manage backups and overall system availability.

✅ Additional Criteria For Confidentiality (C): These controls address how confidential information is identified and protected from destruction.

✅ Additional Criteria For Processing Integrity (PI): These controls address how data is processed accurately and how the system’s processing objectives are achieved.

✅ Additional Criteria For Privacy (P): These controls address how personal information is collected, retained, and secured by the organization.

🙄❓So, which ones should service organizations include?

🔐 Security – Included in every SOC 2, since you can’t do a SOC 2 without the Common Criteria, and the Common Criteria are the same criteria that make up the Trust Services Criteria for Security.

💥 🤐 Availability and Confidentiality – If a vendor makes commitments to its customers regarding system availability or confidentiality (e.g., SLAs and NDAs), then these should be included. Even if a vendor does not make specific availability or confidentiality commitments, the nature of the services it provides may lend itself to including these (e.g., SaaS companies).

💻 Privacy – This only applies to “personal information”, which according to the AICPA’s attestation standards is defined as “Information that is or can be about or related to an identifiable individual”. If the vendor is collecting this type of data about individuals, then you may want to consider including Privacy. This would only cover personal information collected from you and your customers. While some elements of well-known privacy regulations such as GDPR, CCPA, and the HIPAA Privacy Rule might be reflected in the Privacy Trust Services Criteria, their inclusion does not prove compliance with those privacy laws and regulations.

✅ Processing Integrity – This addresses “whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or unintentional manipulation.” Notice that “unauthorized or unintentional manipulation” of data is one element. A common misconception is that Processing Integrity only deals with the integrity of data. It includes a much deeper understanding of the system’s functionality to ensure the system is producing information that is accurate and complete. Controls for Processing Integrity should be tailored to the organization’s business needs.

👉🏼 Always insist on including Availability and Confidentiality, and include Privacy and Processing Integrity only where the type of business and the type of data handled by the scoped SOC 2 products/services call for them. Most SOC 2 audits only cover Security, Availability, and Confidentiality.

We are glad to bring you these postings. Please let us know if you have questions and how we can help you continue to have an effective and efficient third party risk management program.