SOC 2 Trust Services Principles
Passing an audit against SOC 2 Trust Services Principles warrants that an outsourcing organization’s system can be trusted with client data and processes. It provides assurance to prospective and current clients that a service organization is operating in a controlled way.
There are five SOC 2 Trust Services Principles, with Criteria for each. Approved auditors can audit against one, many or all of those Principles. If a service organization has adequate controls for all relevant Criteria, and passes the audit, they can display an AICPA SOC 2 logo for 12 months.
This only applies for the Principles audited. Very few organizations are audited in all five Principles.
The Principles and Criteria are jointly set by the AICPA and Canadian CPAs. The Trust Services Principles are:
- Security – The system is protected against unauthorized access, use or modification, both physical and logical.
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, valid, accurate, timely and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed. Particularly applies to sensitive business information.
- Privacy – The system’s collection, use, retention, disclosure, and disposal of personal information meets commitments in any privacy notice, and the Generally Accepted Privacy Principles (GAPP).
Source: AICPA Trust Services Principles & Criteria, December 2013
These principles cross over with any good Enterprise Risk Management framework, so SOC 2 meshes well with basic risk remediation and many other IT governance frameworks.
Users of outsourced IT systems generally focus on Security, and then Availability as the most commonly audited Principles. Processing Integrity usually applies for financial or other back office support, and Software as a Service and similar. Confidentiality applies to business information only, particularly in cloud storage. Finally, Privacy relates to defined Personal Information and has particularly stringent Criteria that generally require a lot of remediation. It is the least audited Principle.
You know the Principles that are appropriate for your business – but certainly discuss it with your SOC readiness consultant or service auditor.
Type of Report
Just to complicate things, there are two types of audit you can choose:
- Type 1 – report on system description and design of controls operating at a point in time
- Type 2 – report on system description, design and operating effectiveness of controls over a period (varies, generally 12 months but can be less for a newly operating system).
No matter which audit you choose, your system of controls must already be operating. A Type 1 audit attests to the design of a system of operating controls at a point in time, not to a design of planned controls.
The type of audit you choose is something to discuss with your readiness provider and your auditor. Experience suggests there are multiple timeframes and pathways, and you need to choose the one that suits your organization.
SOC 3 is different
A SOC 2 report is a management-specific, detailed report designed for people with an understanding of internal control. SOC 3 reports are general use summaries of SOC 2 reports designed for marketing and non-expert readers. They exclude the completed matrix of testing and test results.
If a SOC 3 report is unqualified (all criteria have appropriate controls and have been tested), then the service organization can use the SysTrust for Service Organizations Seal or the SOC 3 Seal.
Tip for new players: If, as a service organization, you use outsourced services, you cannot carve out (exclude) the audit of a sub-service organization’s relevant criteria/controls and still display the SOC 3 logo. You can pass a SOC 2 audit using the carve-out method. SOC 3 reports require all criteria to be addressed, whether in the service organization or in a sub-service organization.
How do the SOC 2 Trust Services Principles Work?
SOC reports are commissioned by service organizations, though customers may ask for them, and most definitely use them. Management of a Service Organization:
- Choose a System within the organization that meets specified business objectives – this may be an entire business or business process, or a subset. If a subset, the organization must clearly justify cutting out parts of its activities, as it can raise an eyebrow. A system is made up of:
- Choose the Principles you want to apply to your business. The mix varies from organization to organization. The Security and Availability Principles are the most commonly assessed and directly address most user needs. Note that very few organizations choose to address the Privacy Principle.
- Ensure your organization meets the Criteria under the Principles you’ve chosen.
- Write up your system description, criteria and control matrix, and management assertions about controls.
- Get audited to prove it.
The current version of Trust Services Principles is Version 2 December 2013. It must be applied to audit periods ending December 2014. For audit periods ending before that, service organizations and their auditors can apply either the 2009 version or 2013 version as early adopters.
The diagrams below set out the 2013 and 2009 general structure. For details of the criteria in both versions, see SOC 2 TSP Criteria.
Structure in 2013 Version 2
The 2009 version repeated many Security-related criteria under different Principles, and the four types of Criteria weren’t broad enough. The 2013 version deals with this by creating Common Criteria that apply to the four core Principles (excluding Privacy, which is based on GAPP). They are loosely based on the COSO Framework. Where specific Principles need more specific Criteria, these are listed under Additional Criteria.
The proposed structure also adds Illustrative Risks as well as Illustrative Controls to the Trust Services Principles matrix. This emphasizes the connection between Enterprise Risk Management and assurance through Service Organization Control. Note that the Risks and Controls are illustrative only, and if they don’t apply, you don’t have to use them.
Version 1 2009 Structure
The Version 1 structure of SOC 2, and the Principles and Criteria that apply, are set out in the AICPA Trust Services Principles released in 2009. The diagram below is a summary of that structure.
Download the 2009 Trust Services Principles