
SOC2 Trust Services Criteria (TSC) – A Comprehensive Guide

June 12, 2023 | By Accorian
Written By Om Hazela & Sarthak Makkar

Information security is a major concern for organizations, especially those that rely on third-party vendors such as cloud service providers and SaaS providers. The potential risk of these providers mishandling data might leave firms vulnerable to attacks and data breaches. According to cybersecurity statistics, the average cost of a data breach in the US is $9.44 million, emphasizing the need to prioritize data security and adhere to regulatory standards such as SOC2 compliance. SOC2 is a valuable business tool, enabling operational efficiency, robust reporting capabilities, and compliance with regulatory requirements. The initial step in pursuing SOC2 compliance is selecting the SOC2 Trust Services Criteria (TSC) framework. During a SOC2 audit, the auditor evaluates an organization’s internal controls against the five TSCs to ensure alignment with industry standards.

What are SOC2 Trust Services Criteria (TSC)?

SOC2 reports play a vital role in demonstrating an organization’s compliance with the Trust Services Criteria (TSC) established by the American Institute of Certified Public Accountants (AICPA). These reports provide assurance to clients and stakeholders that the organization has implemented adequate controls to safeguard the Security, Availability, Processing Integrity, Confidentiality, and Privacy of their systems and data. They therefore serve as an important tool to showcase the organization’s commitment to protecting sensitive information and meeting regulatory requirements.

The SOC2 Trust Services Criteria (TSC) for information technology provide a comprehensive framework for developing, implementing, and evaluating information system controls. These controls are essential to ensure that your information system can effectively achieve its objectives.


THE FIVE TRUST SERVICES CRITERIA (TSC)

1. SECURITY

Security is the fundamental and essential TSC for SOC2, encompassing several vital components of an organization’s control environment. Since many evaluation criteria are applicable across all five Trust Services Criteria (TSCs), the security TSC is also referred to as the “common criteria.” The primary objective of the security TSC is to ensure that the organization effectively protects its systems against intrusion and other risks that could compromise the delivery of services to clients.

Below are the common criteria for Security:

  • Control Environment

This refers to the overall structure and framework of an organization’s control activities. It involves establishing a robust control environment to ensure that management sets clear expectations regarding security and implements appropriate policies and procedures.

  • Communication and Information

This covers establishing effective communication channels within the organization to facilitate sharing of relevant information about security controls and concerns. It involves implementing mechanisms that enable employees to report security incidents or vulnerabilities.

  • Risk Assessment

This emphasizes the importance of organizations identifying and assessing risks and vulnerabilities associated with their systems and data. It involves conducting regular risk assessments to stay updated on emerging threats and potential impacts.

  • Monitoring Activities

This highlights the importance of regularly monitoring systems and controls to identify and address any security issues promptly. It involves implementing processes to monitor the effectiveness of security controls and identify any security incidents or breaches.

  • Control Activities

This focuses on implementing a comprehensive set of control activities to mitigate identified risks and safeguard systems and data. It includes implementing logical and physical access controls, encryption mechanisms, intrusion detection systems, and incident response procedures.

  • Logical and Physical Access Control

This emphasizes the need for organizations to implement controls that restrict logical and physical access to their systems and data. It involves employing mechanisms such as authentication, authorization, and physical security measures.

  • System Operation

This focuses on the importance of implementing controls necessary for the ongoing operation of systems to ensure their security. It includes maintaining comprehensive system logs and conducting regular reviews to detect and address any anomalies or suspicious activities.

  • Change Management

This highlights the significance of implementing effective change management processes to manage and control the introduction of new systems and applications or changes to existing ones. It ensures that changes are authorized, tested, and implemented securely by authorized individuals.

  • Risk Mitigation

This emphasizes the importance of organizations implementing controls to mitigate identified risks effectively. It includes developing and implementing security measures to reduce the likelihood and impact of potential threats.

2. AVAILABILITY

The Availability TSC in SOC2 emphasizes the importance of demonstrating that a service organization’s systems are consistently readily accessible. This TSC focuses on ensuring that the organization’s systems are available and accessible to users. It includes components such as system uptime, monitoring, and maintenance to minimize downtime and ensure continuous service availability.

3. PROCESSING INTEGRITY

The Processing Integrity TSC focuses on ensuring that systems process data completely, accurately, and precisely, aiming to demonstrate the trustworthiness of an organization’s data processing techniques. By including the Processing Integrity TSC in SOC2 reports, organizations showcase their commitment to processing data thoroughly, quickly, and reliably.

4. CONFIDENTIALITY

The Confidentiality TSC focuses on demonstrating that sensitive data is effectively protected from unauthorized access, disclosure, or use. Its purpose is to showcase the organization’s dedication to safeguarding the privacy of client and user information. Omitting this TSC may indicate that the organization does not prioritize protecting sensitive data, which is a significant aspect of its services.

5. PRIVACY

The Privacy TSC is included in SOC2 reports to demonstrate that personally identifiable information (PII) is protected and managed responsibly by the organizations that collect, use, retain, release, and dispose of such information. Including the Privacy TSC in SOC2 reports signifies the organization’s commitment to protecting individual privacy and ensuring compliance with relevant privacy laws and regulations. It provides assurance to clients that the organization handles PII responsibly and respects the individual’s right to privacy and data protection.

Tailoring TSC in SOC2 Assessments

Generally, including all the TSCs in a SOC2 attestation is not mandatory for every organization. The specific TSCs applicable to an organization’s operations depend on the nature of its services and the requirements of its clients. However, there are instances where clients request all TSCs due to uncertainty or lack of understanding about their specific needs. In such a scenario, it is beneficial to clarify the purpose and relevance of each TSC with the client. One can also assess the client’s requirements and concerns regarding their data’s Security, Availability, Processing Integrity, and Privacy.

Applicability of TSC for Your Business

The Security TSC is the only mandatory criterion in the SOC2 attestation, providing customers with the assurance they need regarding the protection of their information and systems. It encompasses a wide range of security checks, including data usage, creation, utilization, processing, transfer, and preservation. Systems in scope for the Security TSC encompass anything that electronically processes, stores, or transmits information relevant to the services provided by the organization. Rigorous controls are tested to prevent and detect security or processing issues. The security criteria, also known as the Common Criteria, are closely aligned with the 17 internal control principles of the COSO framework.

Considerations for Selecting TSC in SOC2

In order to determine the applicable Trust Service Criteria (TSCs) for an organization, it is crucial to assess various aspects, including the business itself, service boundaries, infrastructure, procedures, data, software, and personnel involved. This evaluation plays a key role in defining the scope of the assessment and identifying the trust service criteria that are relevant to the organization’s services. Subsequently, the auditor will evaluate the organization based on these specific requirements. It is important to exclude criteria that are not applicable, as including them would not provide any benefits. Seeking guidance from an experienced firm can be highly advantageous in navigating and selecting the appropriate SOC2 compliance requirements.

It is important to evaluate whether the inclusion of a specific TSC will provide a worthwhile return on investment. Businesses should take into consideration the potential competitive advantages that certain TSCs may offer, as well as the contractual requirements imposed by their clients. By assessing the value proposition of each TSC, organizations can make informed decisions about which criteria to prioritize and include in their SOC2 attestation.

Navigating the SOC2 Trust Services Criteria (TSC) Selection Process

The following considerations can guide you in the TSC selection process:

  • The Confidentiality TSC is a crucial component of the SOC2 audit if the organization handles sensitive or confidential data, such as medical records, financial data, or personal information, or if it is subject to regulatory or contractual obligations regarding the protection of confidential information.
  • The Privacy TSC differs from the Confidentiality TSC with respect to the type of data it protects. Privacy focuses on protecting personally identifiable information (PII) such as an individual’s name, address, contact information, gender, race, etc. If your organization includes this TSC, then the controls must be in accordance with the generally accepted privacy principles (GAPP) of AICPA.
  • The Confidentiality TSC may not be necessary to include in the SOC2 audit if an organization offers a service that doesn’t include managing sensitive or private data, such as a general-purpose online marketplace.
  • Similarly, the Privacy TSC may not apply to the organization’s SOC2 audit if it does not handle sensitive or personal data or provide any services requiring privacy protection. Besides, if the organization already has a privacy program subject to another audit or certification, such as GDPR or HIPAA, the Privacy TSC need not be considered in the SOC2 assessment.
  • Security and Availability have a direct relationship within an organization. If your organization has an agreement with customers to ensure a certain level of accessibility to the product or service being evaluated, then both parties will have agreed to a set level of availability, and your auditor will verify that you are honouring your commitment.
  • The Availability TSC may not be relevant to include in the audit if the organization’s service or products do not require high availability.
  • The Processing Integrity TSC can be avoided if an organization provides a product or service that does not entail the processing of sensitive or critical data or if data processing is not a critical component of the product or service.

Get SOC2 Ready with Accorian

Accorian is a leading cybersecurity firm specializing in providing comprehensive services to help companies achieve and maintain SOC2 compliance. Our team of auditors, with extensive technical backgrounds and expertise in data security, possesses the capability to conduct thorough assessments of your organization’s systems and controls.

Our audit professionals are skilled in preparing Type 1 and Type 2 reports for SOC2 audits. This includes conducting gap assessments, identifying necessary controls, and implementing them on behalf of your service business.

We can help enhance your marketplace value with effective privacy and security measures, giving you a competitive edge.
