Given the shifting security landscape, SOC 2 reports will only become a more common prerequisite for conducting business. As such, it's critical for organizations to understand the 5 categories of Trust Services Criteria, in order to determine which to include in their respective auditing processes.
As workforces become increasingly remote in the wake of COVID-19, opportunities for cybersecurity threats and cloud breaches will also continue to climb. Independent cybersecurity audits, like a SOC 2 report, not only indicate an organization’s commitment to security and protecting sensitive information, but they ultimately provide a competitive advantage in the market.
What are the 5 SOC 2 Trust Services Criteria?
Security (also known as Common Criteria)
Security, the first category, is required in every SOC 2 audit - regardless of the organization or industry. While the other four are optional, each addresses a specific set of controls for a particular aspect of your organization’s information security, so more than one additional category may be needed for a comprehensive audit.
Which Criteria should I include in my program?
To determine which Trust Services Criteria you should include, the first step is to understand what your customers and partners will need from your organization over the course of a year - remember, your SOC 2 report will be valid for 12 months. There is a balance you will want to achieve, providing a report that is both relevant to your services, and robust in nature.
Here is a synopsis of each criterion, as well as a use case.
Security / Common Criteria
Remember, Security is mandatory. Why? Because it speaks to an organization’s ability to protect information throughout its entire lifecycle, preventing unauthorized access to, and damage of, the systems on which the other Trust Services Criteria depend. Controls in this category are focused on mitigating risk, including network monitoring tools and endpoint protection.
Availability
This category grades the system’s ability to maintain performance and uptime, including data backups, disaster recovery plans, and performance monitoring. Organizations with Service Level Agreements or general concerns about downtime should look to include this Trust Service in their SOC 2 report.
Confidentiality
Confidentiality simply requires that companies are able to successfully protect sensitive and confidential information throughout collection, processing, and disposal. This information can cover anything from personal information to intellectual property and trade secrets. As such, appropriate controls for Confidentiality will include encryption and access management, and specific requirements can be mandated by industry, or even by individual agreements. If your organization stores sensitive information that is bound by non-disclosure agreements or that must be deleted after use, Confidentiality should be included in your SOC 2.
Processing Integrity
This category ensures data can be processed without error, accidental or otherwise. Processing Integrity is most apt for organizations whose customers conduct critical operational tasks, like data and financial processing, where the information produced must be accurate 100% of the time.
Privacy
Similar to Confidentiality, Privacy addresses an organization’s ability to protect information. In this case, the information is Personally Identifiable Information (PII) collected from customers, including their name, address, social security number, birthday, and so on. Privacy policies and opt-ins for communication, consent, and collection of information are controls included under this category, and every organization storing PII should include it in their SOC 2 report.
It’s best to think of playing offense, not defense, when it comes to your cybersecurity. Being proactive with your approach will protect your organization, customers, and partners, and differentiate you from the competition in the process.
Interested in learning more about SOC 2, and which Trust Services Criteria are best for your organization’s audit? Get in touch with a member of our team below.