By: Sara McLane, Senior Auditor at A-LIGN
In February 2014, the AICPA released updated Trust Services Principles and Criteria (TSP) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The update benefits our clients and other organizations obtaining a SOC 2 report by making the report clearer for its readers and users, and it reduces the apparent redundancy among the criteria.
The TSP now has two key components. The first is the common criteria, which apply to Security, Availability, Processing Integrity, and Confidentiality. The Privacy criteria are set forth in the Generally Accepted Privacy Principles (GAPP), which are currently under revision and will be released separately. The common criteria are organized into seven categories, whereas the prior version of the TSP had four: policies, communications, procedures, and monitoring.
The seven new categories are:
- Organization and management
- Communications
- Risk management and design and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- System operations
- Change management
The second component is that each additional principle adds its own specific criteria on top of the common criteria. For example, an examination of the Security principle alone documents only the common criteria. If a client chooses to have both Security and Availability examined, the common criteria are documented along with the additional criteria specific to Availability.
In addition to the introduction of the common criteria, the format of the report changes. A risk assessment should be performed annually, and its results can now be mapped to the criteria being examined. The identified risks are documented in the final SOC 2 report so that each control is shown to mitigate a specific, identified risk. The result is a clearer report for both readers and users of the SOC 2 report.
A-LIGN’s Center of Excellence (CoE) has put together a whitepaper with more details on the AICPA’s update to the SOC 2 Trust Services Principles: SOC 2 Criteria and Guidance Updates.