If your company is considering a Service Organization Controls (SOC) 2 audit, you may have heard the phrase “trust service principles.” Knowing where to start and which principles you need to have evaluated and reported on by a CPA firm can be overwhelming. This article should help you get started.
There are five trust service principles in SOC 2, and an audit can address one or more of these principles and associated criteria. The business should undergo evaluation of only the principles deemed relevant to the services the business performs based upon their commitments to their customers or users of the report.
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or the system and affect the entity’s ability to meet its objectives. In a SOC 2 engagement, Security is the only principle that must be included.
Availability: Information and systems are available for operation and use to meet the entity’s objectives. Think: Organizations that provide data center, colocation, hosting or disaster recovery services.
Processing Integrity: System inputs, processing and outputs are complete, valid, accurate, timely and authorized to meet the entity’s objectives. Think: Organizations whose services include financial services, e-commerce or those that require transactional accuracy.
Confidentiality: Information designated as confidential or nonpublic is protected to meet the entity’s objectives. Think: Organizations that handle highly sensitive data, general consumer information or proprietary information that is subject to nondisclosure but not specifically protected by privacy regulations.
Privacy: Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives. Think: Organizations that deal with Protected Health Information (PHI), Personally Identifiable Information (PII), etc.
To prepare for a SOC 2 audit engagement, you’ll first need to determine which principles you will include. Evaluate the services you offer and the agreements you are making with your customers. What are your commitments to your client base, and what do your customers expect of your organization? If you are new to the SOC process, consider having a Readiness Assessment performed to help you make these decisions and adequately prepare for a successful SOC audit. BlumShapiro Consulting provides both SOC Readiness Assessments and full SOC audits.