Blog

What are the SOC 2 Trust Services Criteria?

The SOC 2 Trust Services Criteria (TSCs) for information technology, is a framework for designing, implementing and evaluating information system controls. The purpose of controls is to ensure your information system can meet its objectives. The TSCs address system controls according to five main categories. These categories define the five main business objectives within the scope of your information system.  

  1. Security 
  2. Availability 
  3. Processing Integrity 
  4. Confidentiality 
  5. Privacy 

The Trust Service Criteria are a framework for building the business controls necessary to meet information system objectives. TSCs are specific to five business components as seen in the table below. 

Trust Services 

Categories 

= Business Objectives = 

Trust Services 

Criteria 

= Business Controls = 

SECURITY
AVAILABILITY
PROCESSING INTEGRITY
CONFIDENTIALITY
PRIVACY

CONTROL ENVIRONMENT
RISK ASSESSMENT
CONTROL ACTIVITIES
INFORMATION AND COMMUNICATION
MONITORING ACTIVITIES

 

SOC 2 Trust Services Criteria 

Control Environment 

   TSC1.1 – Commitment to integrity and ethics  

   TSC1.2 – Oversight independence 

   TSC1.3 – Chain of command 

   TSC1.4 – Commitment to competent personnel 

Example:  

Provides Training to Maintain Competence The organization provides continuing education to develop and maintain the relevant skill sets of employees, contractors, and vendors. 

   TSC1.5 – Individual accountability 


Risk Assessment 

   TSC3.1 – Clear objectives 

   TSC3.2 – Prioritized risk assessment 

Example: 

Consider the Significance of the Risk – The organizations’ consideration of risk includes 

 determining the criticality of assets, 

 assess the impact of threats and vulnerabilities, 

 assess the likelihood of threats, and 

 determine the risk based on criticality, impact, and likelihood.  

   TSC3.3 – Consideration of potential fraud  

   TSC3.4 – Change management 


Control Activities 

   TSC5.1 – Risk mitigation 

   TSC5.2 – Technology 

   TSC5.3 – Policies 

TSC5.3 addresses organizational controls deployed through policies and procedures.  

The TSCs pertaining to policies and procedures: 

  • Logical and physical access controls TSC6.1 - 6.8 
  • System operations TSC7.1 – 7.5 
  • Change management TSC8.1  
  • Risk mitigation TSC9.1 – 9.2 

Example: 

TSC9.2 The organization manages risks associated with vendors and partners. 

Establish Requirements for Vendor and Partner Engagements – The organization establishes requirements for vendors and partners including 

  • scope of services and product specs, 
  • roles and responsibilities,  
  • compliance requirements, and 
  • service level agreements. 

Information and Communication 

   TSC2.1 – Quality, relevant information 

   TSC2.2 – Effective internal communications 

   TSC2.3 – Effective external communications 

Example: Additional Point of focus related to SOC 2 TSC engagements 

Communicate Objectives Related to Privacy – The organization communicates to all stakeholders including users, vendors, and partners objectives related to data privacy. 


Monitoring Activities 

TSC4.1 – Ongoing independent evaluations 

Example:  

Considers Different Types of Ongoing, Independent Evaluations – Management uses different types of evaluations including pen-testing, standards-based certifications e.g. ISO 27001, and internal audits.  

TSC4.2 – Corrective actions 


Additional Trust Services Criteria 

The TSCs above are sometimes known as the common criteria because they are common to all five TSC categorical objectives. In addition to the common criteria, TSCs provide additional guidance with respect to four of the five Trust Service Categories 

  1. Availability A1.1 – 1.3 
  2. Processing Integrity PI 1.1 – 1.5 
  3. Confidentiality C1.1 – 1.2 
  4. Privacy P1.0 – P 8.1  

Example:  

P4.3 – (When appropriate) The organization securely disposes of protected personal information. 

Disposes of, Destroys, and Redacts Personal Information – PI no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. 


Why SOC 2? 

A SOC 2 program is an effective business tool meeting operations, reporting, and compliance objectives.  

 

SOC 2 Program   

= Business Value = 

Trust Services 

Categories 

= Business Objectives = 

Trust Services 

Criteria 

= Business Controls = 

 

OPERATIONS 

REPORTING 

COMPLIANCE 

 

SECURITY 

AVAILABILITY 

PROCESSING INTEGRITY 

CONFIDENTIALITY 

PRIVACY 

CONTROL ENVIRONMENT 

RISK ASSESSMENT 

CONTROL ACTIVITIES 

INFORMATION AND COMMUNICATION 

MONITORING ACTIVITIES 

 During a SOC 2 audit, the examiner reports on control design, effectiveness, and relevance to operational objectives based on TSCs. The system under audit can be an entire entity or a single business unit. It can be tightly focused on examining a specific function or tracking the flow of a specific type of information. The scope is meant to be flexible to meet your specific business requirements. 

A SOC 2 report certified by the American Institute of CPAs demonstrates to stakeholders that your organization has the controls necessary to meet its business objectives. As a sales took, the SOC 2 report quickly ends customer security questions and moves the conversation to discuss the value of your service. 

A SOC 2 REPORT EVALUATES 

information system controls for

FLEXIBLE SCOPE 
  • Suitability of Design 
  • Operating Effectiveness 

  • Entire Corporate Entity 
  • Division or Business Unit 
  • Single Processing Function 
  • Specific Type of Information

Business Benefits of SOC 2 Compliance: 

  • Competitive Advantage 
  • Customer Demand 
  • Security and Privacy Risk Management – Business Resiliency 
  • Build external stakeholder confidence in the organization's ability to meet business objectives 

SOC 2 compliance is a nationally recognized standard for assuring the confidentiality, availability, and processing integrity of an information management system. SaaS and enterprise service providers use SOC 2 reports to satisfy customers' and partners' cyber-governance requirements. For executives, SOC 2 compliance can help streamline sales, build trust in the marketplace and maintain business continuity.  

A SOC 2 report in hand, quickly satisfies customer cybersecurity requirements.  

Get Started on SOC 2 Compliance Now 

When preparing for a SOC 2 audit, the path often seems unclear and overwhelming. A trusted cybersecurity firm like Truvantis can help take the mystery out of the SOC 2 process. Download this SOC 2 Project Plan for more details. 

Truvantis provides full-service support for your SOC 2 program. We will advise on the best approach and choices, work with you and your auditor to agree on the design of your program, and manage the implementation. We will then train your staff and guide you through the audit. Let's get started. 

Contact Truvantis today 

Related Articles By Topic

SOC2 CISO vCISO Security Program

Contact Us
Contact Truvantis for SOC 2 consultation.
Schedule a call
Contact Us