During a SOC 2 examination, an auditor will thoroughly evaluate the risks and privacy protocols you have put in place to protect the data that flows through and is stored by your information systems. The assessor uses several measures to benchmark your system’s security and effectiveness. These are known as the Trust services criteria.
You must meet one or more of these controls that assess the opportunities and risks in your information systems to receive a passing grade on your SOC 2 report.
What Are the Common SOC 2 Criteria?
The Trust Services Framework is a theoretical infrastructure put in place by the American Institute of Certified Public Accountants (AICPA) that contains five underlying Trust Principles. Although the first criterion of security must be addressed in all SOC 2 audits, companies can judge for themselves which of the other criteria should be focused upon during the fact-finding process. This flexibility allows organizations to use SOC 2 to its ultimate advantage in assisting them toward attaining their organizational goals.
The five Trust Services Criteria include:
- Security. Also known as the SOC 2 common criteria, this refers to what you have done to protect your systems and data against unauthorized access and modification by internal users. This criterion must be satisfied by all organizations filing a SOC 2 report, explaining its designation as “common.”
- Availability. You must show that applications or systems are accessible to stakeholders and meet their objectives. To that end, you should demonstrate that data is being upgraded and backed up and that you have a disaster readiness plan in place.
- Processing integrity. This has to do with data accuracy and what you do to protect information as it moves through your systems and devices.
- Confidentiality. All sensitive data must be correctly stored and disposed of to prevent it from being exposed or stolen.
- Privacy. You must show that you are collecting, storing, and using data only as agreed upon.
Security, the criterion common to all SOC 2 reports, should be evaluated in terms of the following:
- How you protect information. Data must be shielded from corruption or theft when it is collected or created and throughout its use, transmission, processing, and storage.
- How you protect your systems. Systems are defined as anything that uses electronic technology to store, process, or transmit the information that an organization provides.
SOC 2 Common Criteria Mapping
The SOC 2 common criteria described above align seamlessly with the internal control framework designed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). For an organization’s internal controls to be considered in compliance with the SOC 2 Trust Services Criteria on which they have chosen to focus, they can perform mapping using the COSO components and sub-principles. This SOC 2 common criteria mapping includes the following areas:
- The control environment. This contains all of the information security policies, practices, and procedures the company has put in place.
- Communication and information. Facts and data must be disseminated internally and externally to specify responsibilities, share intelligence, establish boundaries and respond to crises. This includes training, incident response procedures, contracts, and disclosure of system changes.
- Risk assessment. This involves what the organization has put in place to evaluate vulnerabilities, determine their likelihood of occurrence and address them proactively. Controls include policies, a risk register, management buy-in, mitigation action plans, and vendor risk protocols.
- Monitoring activities. These look at the controls in place to determine if objectives are being attained. Where necessary, corrective measures are implemented. Controls include incident alerts, action plans for disaster response and recovery, and third-party audits.
- Control activities. These actions that stem from an organization’s policies and procedures are implemented to attain security objectives. These include technologically based monitoring and require buy-in from all levels. Controls include logical and physical access, systems operations, change management, risk mitigation, segregation of duties, access protocols, incident management, and backup procedures.
When the Trust Services Criteria are aligned with the COSO principles, they combine to form the backbone of common criteria under the Trust Services criteria for all SOC 2 reports.
Taking steps to protect the information that companies collect, store and transmit is crucial for all service organizations. However, it is equally important that they undergo third-party SOC 2 audits that provide objective proof of the strength and comprehensiveness of their controls. The SOC 2 Trust Services framework, including SOC 2 common criteria and SOC 2 common criteria mapping, provides the infrastructure that makes this possible.
Dedicating time and both human and financial resources to mounting a robust information security infrastructure whose efficacy is regularly assessed by an objective auditor provides transparency to investors, management, subcontractors, and even potential customers. This clarity can help to bolster your company’s credibility and position, placing you in a favorable position.