Once you and your organization choose to move forward with a SOC 2 report, you must decide which of the five Trust Services categories you want to include.
What factors should you consider when making this decision? It comes down to what categories suit your business, services and customers.
What Are the Trust Services Categories?
There are five Trust Services categories to consider for a SOC 2 report. Each category has a specific set of criteria (Trust Services Criteria or TSCs) that are evaluated by a service auditor.
1. Security
This required category demonstrates how your organization protects its information and systems against unauthorized access, unauthorized disclosure of information, and damage to systems. A lack of protection could compromise the availability, integrity, confidentiality and privacy of information or systems and affect your organization’s ability to achieve its objectives.
Security refers to the protection of:
- Information during its collection, creation, use, processing, transmission and storage.
- Systems that use electronic information to process, transmit or transfer, and store data to enable your organization to meet its objectives.
Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removals of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.
2. Availability
This category demonstrates how information and systems are available for operation and used to meet your organization’s objectives.
Availability refers to the accessibility of information used by your organization’s systems and the products or services provided to your customers. The availability objective does not set a minimum acceptable performance level or address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of particular tasks or problems). However, it does address whether systems include controls to support accessibility for operation, monitoring and maintenance.
3. Processing Integrity
This category demonstrates how system processing is complete, valid, accurate, timely and authorized to meet your organization’s objectives on the provision of services or the production, manufacturing or distribution of goods.
Processing integrity refers to the completeness, validity, accuracy, timeliness and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or accidental manipulation. Because of the number of systems used by an organization, processing integrity is usually only addressed at the system or functional level of an organization.
4. Confidentiality
This category demonstrates how information designated as confidential is protected to meet your organization’s objectives.
Confidentiality addresses the ability to protect information designated as confidential from its collection or creation through its final disposition and removal from your organization’s control per management’s objectives. Information is confidential if the custodian (an organization that holds or stores information) of the information is required to limit its access, use and retention and restrict its disclosure to defined parties (including those who may otherwise have authorized access within its system boundaries). For example, the information may be proprietary and intended only for organization personnel. Laws, regulations, contracts or agreements may include confidentiality requirements or commitments to customers or others.
5. Privacy
This category demonstrates how personal information is collected, used, retained, disclosed and disposed of to meet the organization’s objectives.
Privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information, which may include personal data but also other information such as trade secrets and intellectual property. The privacy criteria specifically include:
- Notice and communication of objectives. The organization provides notice to data subjects about its objectives related to privacy.
- Choice and consent. The organization communicates choices available regarding the collection, use, retention, disclosure and disposal of personal information to data subjects.
- Collection. The organization collects personal information to meet its objectives related to privacy.
- Use, retention and disposal. The organization limits the use, retention and disposal of personal information to meet its objectives related to privacy.
- Access. The organization provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy.
- Disclosure and notification. The organization discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators and others to meet its goals related to privacy.
- Quality. The organization collects and maintains accurate, up-to-date, complete and relevant personal information to meet its objectives related to privacy.
- Monitoring and enforcement. The organization monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints and disputes.
What “Drivers” Should Be Considered When Determining Which Trust Services Categories to Include?
The main driver to consider is your organization’s service commitments and system requirements. Once those have been identified, consider the following:
Security. This category is required for all SOC 2 reports and is designed to prevent and detect system failure, incorrect processing, theft or other unauthorized data removals. When customers want to understand if their data or information is “safe,” they are most likely interested in the security category. Given what this category includes, performing the examination on security alone is generally enough to provide an appropriate comfort level regarding the security of their data.
Availability. This category may be helpful if customers ask your organization about downtime service-level agreements, uptime guarantees and other accessibility requests.
Processing Integrity. If your organization provides customer transaction processing, then this category may be applicable. Including this would help your clients understand how their data is being processed in a complete, valid, accurate, timely and authorized manner.
Confidentiality. Consider including this category if your clients want data deleted when contracts end, have private or sensitive information stored in your company’s platform or require non-disclosure agreements when they do business with you or others.
Privacy. This category relates to the protection of personally identifiable information. If your organization has responsibility over one or more components of the personal information lifecycle, the privacy category might be applicable.
Trust Services Criteria Category Next Steps
Choosing TSC categories is an important, yet sometimes arduous, process. We recommend that you become familiar with the categories and how each applies to your organization’s service commitments and system requirements before deciding which to include.