SOC 2 Trust Services Principles Criteria
Each of the five SOC Trust Services Principles has a number of Criteria under it. Service Organizations must meet all the Criteria for their chosen Principles to get an unqualified audit opinion.
Security Criteria are central to four of the five Principles. Privacy relies on Criteria driven by GAPP (Generally Accepted Privacy Principles).
Note that if a Criterion does not apply to the business or system in question, a Service Organization can identify it as not applicable. Take care, however, that doing so is appropriate and consistent with your auditor’s view of your system. Simply saying that something is banned is not enough to make controls unnecessary.
These diagrams are visual summaries of the Criteria in the Version 2 (2013) and Version 1 (2009) editions. They are designed to give you a snapshot of the sorts of considerations in a Service Organization Control engagement.
SOC 2 TSP Criteria under Version 2 2013
Displayed here are summary topic descriptions for each of the Common Criteria by their Criteria group. Any Principle-specific extras are held under Additional Criteria. The 2013 version has eliminated all the repetition in the previous version by combining repeats into Common Criteria that apply to any of the four Principles selected for audit.
Note that Privacy remains on its own with Criteria driven by GAPP.
SOC 2 TSP Criteria under the 2009 Version
Displayed here are summary topic descriptions for each of the Criteria under their Principle. In the 2009 version many of the Security Criteria are repeated under Availability, Processing Integrity and Confidentiality. We have left these off the diagram for clarity and only show specific Criteria for those Principles.
Privacy is on its own, with Criteria driven by GAPP (Generally Accepted Privacy Principles).