SOC 2 Trust Services Criteria: An Easy Guide

So you’ve finally done the research comparing SOC 2 and ISO 27001and have decided a SOC 2 attestation is the right cybersecurity compliance standard for your business. Congratulations! Now you just need to pick what Trust Services Criteria you want to meet for your audit.

“Huh?” 

Formerly known as the Trust Principles, there are five Trust Services Criteria businesses can be evaluated on during a SOC 2 audit. There’s one required Trust Services Criteria, Security, and four optional criteria: Confidentiality, Availability, Processing Integrity, and Privacy.

It’s best to think of each of these criteria as an area of focus for your business to include as part of its cybersecurity compliance program. Each criteria defines a set of compliance objectives the business must meet with its own defined controls. Besides the required Security criteria, businesses can choose which of the Trust Services Criteria they want to meet. This is very in the spirit of SOC 2’s choose-your-own-adventure take on cybersecurity compliance. 

Which Trust Services Criteria you include in your SOC 2 audit will largely depend on what kind of service your business provides and what your organization needs to enable sales. That said, we always recommend at least one criteria in addition to Security. 

We’ll cover what each of the criteria entails here and describe what kind of businesses should select each one. 

The Five SOC 2 Trust Services Criteria

Trust Services Criteria: Security

Security is the base criteria required for all SOC 2 reports. It requires many of the controls that come to mind when thinking about a cybersecurity program: personnel training, vendor risk management, and traditional technical controls like firewalls and endpoint protection (antivirus). 

Security is the largest criteria with the most requirements for a company being audited to meet. After all, companies are expected to have great cybersecurity controls in place to meet this criteria even if it is the only criteria a company has chosen to meet. 

More specifically, Security provides specific guidelines to address the control environment, communication and information, risk assessment, monitoring of controls, and control activities related to the design and implementation of controls.

Control Environment – This area relates to company management and culture. SOC 2 attested organizations are expected to be committed to integrity and ethics, hiring and retaining great talent, holding individuals accountable for mistakes, and have a clearly delineated company structure.

A security-focused culture championed by leadership goes a long way in ensuring a security program’s success.

Communication and Information – This area focuses on company communication practices. Is management communicating with the board and vice-versa? Are their clear lines of communication available to workers, clients, suppliers, and other stakeholders to reach management with relevant information?

If lines of communication are not well-defined, it is likely that important security-relevant information like new controls or vulnerabilities will go unnoticed and unaddressed. 

Risk Assessment – This area is pretty easy to understand. Does an organization properly assess and address risks? Risk assessments are critical elements of any cybersecurity program, and your SOC 2 auditor will expect to see an updated one for each audit period (usually six months to one year).

Monitoring of Controls – It’s important to develop cybersecurity controls and policies, but they won’t do any good if they are not maintained. This is why a SOC 2 Type 2 is more valuable than a SOC 2 Type 1.

An auditor will expect to see that you have policies and practices in place to monitor your cybersecurity controls, ensure they are being practiced, and adjust them as needed to maximize their effectiveness. 

Control Activities Related to the Design and Implementation of Controls – This confusingly-named topic is shortened in the AICPA’s official documentation to just “Control Activities.” This area exists to ensure that an organization is thoughtfully and strategically developing and implementing security controls, not just picking a bunch at random. 

An auditor will expect that the controls implemented address risks identified in the risk assessment, that they are tailored to your technology stack, and are suited for your company structure.

Trust Services Criteria: Availability 

Stopping bad guys might get all the glam in information security, but there is more that goes into securing data than just protecting it from bad guys! 

Enter the Availability criteria. This criteria is all about uptime, making sure that a business has a plan to maximize uptime and to rapidly restore availability after some sort of occurrence. It makes you ask these types of questions: What if you had an outage of some sort? Can you recover lost data? What if your server room spontaneously combusts?

Business Continuity, Data Recovery, and Backup plans are important pieces to meeting the Availability criteria. If your business provides a mission-critical service, you will definitely want to include this to help alleviate client concerns. 

Trust Services Criteria: Processing Integrity

The Processing Integrity criteria is all about how a company crunches the data it collects. It makes you grapple with these questions: Do your systems accurately process data in a valid and timely manner? Can system processing be tampered with in any way? Is the system prone to errors, and what happens if it throws one?

It can be challenging to meet the Processing Integrity criteria because it requires you describe in-detail exactly how data is processed within a system. It also requires careful and time-intensive analysis by the auditor. However, it can add a lot of value to your SOC 2 report, as it gives the auditors (and potential customers!) a good idea of how your system works. 

Trust Services Criteria: Confidentiality

Confidentiality refers to the controls a company uses to keep private data private, like encryption. Additionally, companies meeting the confidentiality criteria are expected to identify and protect confidential data from destruction during the specified period the data is held. For example, if you say you will hold on to a client’s data for six months, you will be expected to keep it from being deleted earlier than that. After that six months (or whatever period you specify) is over, you are expected to destroy that data.

Destroying confidential data when it’s no longer being used is a great practice to limit the amount of data that can be exposed in a leak.

In our experience, any company with a cybersecurity program worth its salt can easily comply with the Confidentiality criteria and it usually doesn’t take a huge commitment over the Security criteria. After we prepare the materials for a midsize organization, the auditor only spends about an hour on this criteria. 

Trust Services Criteria: Privacy

The Privacy criteria covers how a business keeps private data private, but Privacy refers exclusively to personal information. 

Specifically, the Privacy criteria requires that organizations have a privacy policy which is clearly communicated with end-users, that they are given the option to consent, that personal data is collected fairly and legally, that is stored securely, that third-party vendors accessing the data also have privacy practices in place, and much more. 

The big focus on personal information makes it most applicable to organizations providing B2C services as opposed to B2B services, which can usually get by entirely with Confidentiality. 

That said, the Privacy criteria is probably not even worth the time for B2C companies. While it’s somewhat aligned with GDPR – the European Union’s privacy protection laws – its requirements don’t go far enough to make a company GDPR or CCPA (California’s privacy laws) compliant. For that reason, it’s usually better to skip including Privacy in a SOC 2 and instead create a separate GDPR-compliant privacy program. You’ll get a better return for your efforts.

What SOC 2 Trust Services Criteria should I pick?

You must include in the Security criteria and should definitely include the Confidentiality criteria as well. 

If your business provides a mission-critical service, include Availability. If your business processes a lot of client data, include Processing Integrity. 

You can probably ignore Privacy for the aforementioned reasons, just be sure you have a plan to be GDPR or CCPA compliant if you have a B2C offering. This may change as the AICPA updates SOC 2 criteria in the future. 

In Conclusion

Preparing for a SOC 2 audit is a complex, lengthy, and labor-intensive process. Picking the right Trust Services Criteria for your organization to work towards will ensure you aren’t wasting time on irrelevant criteria and go a long way towards maximizing the return on your cybersecurity investment.