SOC 2 Trust Services Principles Criteria

Each of the five SOC 2 Trust Services Principles has a number of Criteria under it. A Service Organization must meet every Criterion under each Principle it has chosen to include in scope to receive an unqualified audit opinion.

Security Criteria are central to four of the five Principles. Privacy relies on Criteria driven by GAPP (Generally Accepted Privacy Principles).

Note that if a Criterion does not apply to the business or system in question, a Service Organization can identify it as not applicable. Take care, however, that doing so is appropriate and consistent with your auditor’s view of your system. Simply stating that something is prohibited by policy is not enough to make the related controls unnecessary; the auditor will expect evidence that the prohibition is enforced and monitored.

These diagrams are visual summaries of the Criteria in Version 2 (2013) and Version 1 (2009). They are designed to give you a snapshot of the sorts of considerations in a Service Organization Control engagement.

SOC 2 TSP Criteria under Version 2 2013

Displayed here are summary topic descriptions for each of the Common Criteria by their Criteria group. Any Principle-specific extras are held under Additional Criteria. The 2013 version eliminated the repetition in the previous version by combining repeated Criteria into Common Criteria that apply to whichever of the four Principles (Security, Availability, Processing Integrity, Confidentiality) are selected for audit.

Note that Privacy remains on its own with Criteria driven by GAPP.

You can buy the 2013 Trust Services Principles and Criteria here, or download the similar 2013 Exposure Draft.


SOC 2 Trust Services Principles Criteria Diagram v2 Dec 2013

SOC 2 TSP Criteria under the 2009 Version

Displayed here are summary topic descriptions for each of the Criteria under their Principle. In the 2009 version many of the Security Criteria are repeated under Availability, Processing Integrity and Confidentiality. We have left these off the diagram for clarity and only show specific Criteria for those Principles.

Privacy is on its own, with Criteria driven by GAPP (Generally Accepted Privacy Principles).

Download the 2009 Trust Services Principles and Criteria


SOC 2 TSP Criteria 2009 Version