A SOC 2 report is based on the Trust Services Criteria (TSC), developed by the AICPA. These criteria form the framework against which the controls of a service organisation are assessed. There are five categories, of which Security (also known as the Common Criteria) is always mandatory. The other four are optional and are chosen based on the nature of the services provided.
Security (Common Criteria) is the foundation of every SOC 2 report. This category covers the protection of information and systems against unauthorised access, both physical and logical. Controls in this category concern access control, network and application security, change management, risk assessment and monitoring. Almost every SOC 2 audit covers this category alone.
Availability focuses on whether the system is available in line with the agreements made with customers. This includes controls for capacity planning, disaster recovery, backup and restore, incident management and performance monitoring. This category is relevant for organisations that offer availability SLAs, such as hosting providers and SaaS companies with uptime guarantees.
Processing Integrity concerns the completeness, accuracy, timeliness and authorisation of system processing. Controls in this category ensure that transactions are processed correctly, that validations are performed on input and output, and that processing errors are detected and corrected. This category is particularly relevant for organisations that process financial transactions or business-critical data.
Confidentiality concerns the protection of confidential information. This goes beyond personal data: it also includes trade secrets, intellectual property, financial data and other information that has been designated as confidential. Controls include data classification, encryption, access restrictions and the secure destruction of data.
Privacy focuses specifically on the processing of personal data. This category is based on the Generally Accepted Privacy Principles (GAPP) and includes controls for the collection, use, retention, disclosure and destruction of personal data. For European organisations there is overlap with the GDPR, but the Privacy criteria apply their own framework.
The choice of which criteria are in scope depends on the services provided and the expectations of customers. A SaaS platform that processes financial data will typically include Security, Availability and Confidentiality. A payment processor adds Processing Integrity. Security alone is the minimum and most common scope.
Secure Audit helps organisations determine the right scope for their SOC 2 journey and performs the audit in accordance with the AICPA standards. Contact us for a scoping assessment.
About the author
Partner | IT Auditor