SOC 2 Trust Services Criteria

Thoropass University SOC 2 for Startups


What are the SOC 2 trust services criteria, and how should you decide what applies to your business?

What are the SOC 2 trust services criteria?

To become SOC 2 compliant, your startup needs to undergo an audit and receive a clean report testifying to the quality of your controls. The scope of that audit is determined by the Trust Services Criteria, formerly known as the Trust Services Principles, and by the audit type.

A SOC 2 report can test against five Trust Services Criteria: security, availability, confidentiality, privacy, and processing integrity. When you engage an auditor, you decide which of the five you’d like tested, if not all. These decisions are often influenced by what enterprise buyers request.

Why is each SOC 2 trust services criterion important?

Let’s break down the five components together. 

Security

Also known as the “common criteria,” security is the foundational criterion required in every SOC 2 assessment. Security focuses on the protection of information and systems against unauthorized access. It tests whether your customers’ information is protected at every stage (collection, creation, use, processing, transmission, and storage), along with the systems that handle it.

Security is required in any SOC 2 audit because it not only sets the overarching security standards for your company, but also overlaps with the other four criteria: the security controls it establishes underpin availability, confidentiality, privacy, and processing integrity.

Availability

Availability addresses network performance, downtime, security event handling, and similar concerns. This criterion makes sure your systems are secure and available for customers to use when they expect to. This is important for startups that promise customers access to their data and your services at key times.

For example, suppose your team worked hard to get your platform’s uptime to 99.31%. By validating your uptime and other availability considerations against the availability criterion, you further demonstrate your reliability to your customers.

Confidentiality 

Confidentiality addresses the handling and protection of information, personal or not, that you’ve agreed to designate as confidential and keep secure for your customers (think of proprietary information such as business plans, financial or transaction details, legal documents, etc.).

In addition to the protections outlined in the security criteria, the confidentiality criteria provide guidance for identifying, protecting, and destroying confidential information.

For example, your platform manages a customer’s documentation about their trade secrets and intellectual property. For obvious reasons, they only want people within the company (and only some of them) to have access to this sensitive information. The confidentiality criteria signal that you’re set up to protect that information and secure access as desired. It also shows that you’re set up to appropriately destroy confidential information if, say, the customer decides to stop using your platform.

Privacy

Privacy addresses the secure collection, storage, and handling of personal information, such as name, address, email, Social Security number or other identification information, purchase history, criminal history, etc.

Similar to confidentiality, the privacy criteria test whether you effectively protect your customers’ personal information. Confidentiality, by contrast, applies to any information you have agreed to keep confidential, personal or not.

Processing Integrity

Processing integrity addresses processing errors and how long it takes to detect and fix them, as well as the incident-free storage and maintenance of data. It also makes sure that system inputs and outputs are free from unauthorized manipulation. This criterion helps businesses make sure their services are delivered in an accurate, authorized, and timely manner.

For example, the processing integrity criteria demonstrate to customers that your data, processes, and system work as intended, so they don’t have to worry about inaccuracies, delays, or errors, or about whether only authorized people can use your product.

Which trust services criteria should I include in my SOC 2 audit?

Even though the security criterion is the only required TSC for a SOC 2 audit, you may choose to have the other criteria tested where they are relevant to your startup and how you serve your customers.

In our experience, most enterprise customers want to work with startups that are SOC 2 compliant in security and confidentiality. If you’re struggling to decide which criteria to tackle in your first audit, security and confidentiality make a good starting point. Otherwise, add on the criteria your target customers want and are asking for.

How is the COSO framework different from Trust Services Criteria?

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO, created tighter controls that all businesses must implement in order to achieve a SOC 2 report.

While the Trust Services Criteria assess internal controls over the security, availability, processing integrity, confidentiality, and privacy of a system, the COSO framework addresses the following components: 

  1. Risk assessments: How does an organization assess all types of risk?
  2. Information and communication: How do businesses internally and externally communicate what is expected?
  3. Existing control activities: What existing controls does a business currently have in place? How effective were the controls over a period of time?
  4. Monitoring activities: How do businesses oversee the entire organization? How do they identify and fix processes that aren’t working? 
  5. Control environments: How does a business create procedures that guide the company? How do they make sure that all controls are operating effectively?

Both the TSC and the COSO framework provide a way for businesses to assess internal controls. However, not all TSCs need to be met, whereas organizations must meet all five COSO components and their relevant controls to achieve a SOC 2 report.
