The SOC 2 audit process includes 5 categories of Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. These categories each cover a set of internal controls related to different aspects of your information security program.
So you’ve decided to engage an auditor and produce your first SOC 2 report. It’s a smart thing to do, as more and more organizations are expecting that you’ve completed a SOC 2 as a pre-condition to doing business. Conducting an independent cybersecurity audit like a SOC 2 sends a strong signal that you take security seriously and have invested in processes and systems that will protect your customers’ and business partners’ data and sensitive information. In fact, getting your SOC 2 done can be a competitive differentiator these days.
One of the first decisions you’ll need to make regarding your SOC 2 is which of the 5 Trust Services Criteria categories you will include in your audit process. These categories each cover a set of internal controls related to different aspects of your information security program. The 5 Trust Services Criteria categories are:
- Security (or Common Criteria)
- Processing Integrity
The first category, Security, is required to be in scope for every SOC 2 audit and is therefore frequently referred to as the Common Criteria. Sorry folks, you don’t get a choice about this one. The rest of them, however, are up to you to include or not.
Which Trust Services Criteria Should I Include?
While the Security category is a must-have, you are able to define the scope of your audit to include or not include the remaining four categories. How should you decide which to include? Start by developing an understanding of what your customers and business partners are asking for – what they need.
And remember, your SOC 2 report will be valid for 12 months, which can be a long time in business. The more you include the more robust that report will be, and the more likely it is to satisfy a greater number of customers with growing expectations.
- Security (Common Criteria) – The Security Category refers to the protection of information throughout its lifecycle. Security controls are put in place to protect against unauthorized access, unauthorized disclosure, or damage to systems that could affect other criteria beyond the Security Category. Security controls are designed to include a wide array of risk-mitigating solutions, such as endpoint protection and network monitoring tools that prevent or detect unauthorized activity. Entity-level and control environment topics are also considered to provide that the necessary controls are in place to govern organization wide security.
You must always include the Security category – it’s required.
- Availability –The Availability Category considers controls that demonstrate systems maintain operational uptime and performance to meet stated business objectives and service level agreements. Availability does not set a minimum acceptable performance level, but it does address whether systems include controls to support and maintain system operation, such as performance monitoring, sufficient data backups and disaster recovery plans.
Consider including Availability if your customers have concerns about downtime, including Service Level Agreements (SLAs).
- Confidentiality – The Confidentiality Category requires companies to demonstrate the ability to protect confidential information throughout its lifecycle, including collection, processing and disposal. The specific requirements for Confidentiality related controls may be defined by laws and regulations, as well as internal management or external partner agreements. Confidential information may include personal information, as well as other information, such as trade secrets and intellectual property. Controls for Confidentiality include encryption and identity and access management.
Consider including Confidentiality if you are storing sensitive information that is protected by Non-Disclosure Agreements (NDAs), or if your customers have requirements to delete data that’s no longer needed
- Processing Integrity – The Processing Integrity Category focuses on ensuring that data is processed in a predictable manner, free of accidental or unexplained errors. In other words, the information produced or manipulated by your systems needs to be accurate and reliable. Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity.
Consider including Processing Integrity if your customers are executing critical operational tasks on your systems, such as financial processing or data processing.
- Privacy – The Privacy Category is similar to Confidentiality, but specifically refers to Personally Identifiable Information (PII), especially that which your organization captures from customers. The Privacy Category covers communication, consent, and collection of personal information, and verifies appropriate parties have access to that information and what can be done with it. Controls for Privacy include privacy policies and consent management mechanisms.
Consider including Privacy if your customers are storing Personally Identifiable Information (PII) such as social security numbers, birthdays, or healthcare data.
Learn More About SOC 2
Determining the appropriate Trust Services Criteria to include in your SOC 2 audit is obviously an important decision, and it’s one that a strong partner like A-LIGN can help you make. We have worked with thousands of clients, helping them scope their SOC 2, prepare for the audit, execute it efficiently, and get their final report faster. You may also find more valuable information in our SOC 2 resource library, and of course we are always happy to chat about your situation with you and see how we can help.
Get Ahead of Your SOC 2 Before it’s an Emergency
As a licensed CPA firm with more than 10 years of experience and thousands of completed SOC audits, we know better than anyone how to help make the SOC 2 audit experience efficient and pain-free. With A-LIGN’s white-glove treatment, you’ll see how audit planning and preparation can go a long way to grow your business. The compliance process doesn’t have to be daunting, and if you get ahead of the demand, your organization, and future customers, will ultimately benefit.
Don’t wait. Let us help you get started with a SOC 2 readiness assessment today.