In my first post, way back on June 1st, I provided a brief overview of the System and Organization Controls (SOC) 1, 2, and 3 reports. Since then the posts have mostly been from the SOC 1 perspective, although the concepts still mostly apply to SOC 2 reports. Either way, I figured it would be beneficial to go into a little more detail about SOC 2 reports.

Trust Services Principles/Criteria:
SOC 2 examinations were born out of the Trust Services Principles (TSPs), which were later renamed the Trust Services Criteria (TSC). There are 5 TSC that can be included in an SOC 2 report. Service organizations have the option to include 1 or more of these criteria in the report depending on the needs of their clients.
Security / Common Criteria: The Security criteria ensure systems and information are protected against unauthorized access and disclosure. Initially, there were some security criteria that spanned all 5 TSC. As a result, those criteria were consolidated into what is now known as the Common Criteria (CC), which also include aspects of the organization's overall control environment, risk assessment processes, and monitoring activities. There are 9 overall Common Criteria (CC1 – CC9).
The Security / Common Criteria are the baseline for inclusion in all SOC 2 reports. In other words, a service organization can choose to include just the Security / Common Criteria in their examination / report, or include 1 or more of the remaining criteria at their discretion.
Availability: The Availability criteria ensure systems are accessible and operational based on internal and/or contractual requirements. The criteria in this principle include performance monitoring, data backup, and testing of disaster recovery plans. There is 1 overall Availability criteria (A1).

Included in the image above are the A1: Additional Availability criteria. The service organization would document 1 or more of their controls for each of the 3 sub-criteria noted. Those controls are what the service auditor would assess.
Processing Integrity: The Processing Integrity criteria ensure system processing is complete, valid, accurate, timely, and authorized. In essence, the controls supporting this criteria ensure the systems do what they were intended to do, without errors. There is 1 overall Processing Integrity criteria (PI1).
Confidentiality: The Confidentiality criteria ensure the organization is able to identify, maintain, and protect sensitive data through the use of encryption, access controls, and data disposal procedures. There is 1 overall Confidentiality criteria (C1).
Privacy: The Privacy criteria ensure Personally Identifiable Information (PII) is collected, used, retained, and disclosed in accordance with the organization's own privacy policy and generally accepted privacy principles.
The Privacy criteria are expansive and require a lot of time to assess. As a result, including the Privacy criteria in an SOC 2 examination / report substantially increases the overall cost to complete the engagement, compared to including just the first 4 criteria, making it the least likely to be included in an SOC 2 examination / report. There are 8 overall Privacy criteria (P1 – P8).
SOC2+:
Service organizations also have the option to complete an SOC 2+ examination / report. This report would include an assessment of 1 or more of the TSC along with other criteria specified by the service organization. The other criteria can be objectives typically included in an SOC 1 report, for clients that are also interested in the financial statement impact of the services provided by the service organization. Or, for example, the service organization could include requirements under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the SOC 2+ report. I haven't seen organizations use this option often; rather, they decide to have separate SOC 1 and SOC 2 examinations completed, with either/both provided to clients based on their specific needs.