
Understanding the Trust Services Criteria: Critical for Successful SOC 2 compliance

January 15, 2026

Learn how the Trust Services Criteria guide organizations in building reliable, secure, and privacy-conscious systems for SOC 2 compliance.

Achieving SOC 2 compliance requires more than just implementing basic security measures; it demands a structured approach to protecting data, systems, and customer information. The Trust Services Criteria provide a framework for organizations to demonstrate reliability, integrity, confidentiality, and privacy across key areas of operations. Here’s a look at the Trust Services Criteria and some considerations about what you should include in your SOC 2.

Why it Matters

Understanding the Trust Services Criteria is essential for building a strong, repeatable, and defensible SOC 2 program. Customers, partners, and vendors increasingly expect proof that your organization can safeguard data, maintain system reliability, and manage risk effectively. By aligning your controls with the TSC, you not only meet audit requirements, you also strengthen internal processes, reduce the likelihood of security incidents, and build trust with those who rely on your services.

What is a SOC 2 report?

A SOC 2 report describes the controls at a service organization that are relevant to the trust services principles (Security, Availability, Processing Integrity, Confidentiality and Privacy). A SOC 2 report can cover any or all of these principles, although in practice nearly every report includes the Security principle at a minimum. A SOC 2 report is typically given to customers to provide them with a level of comfort over the controls in the environment as they relate to the specific trust services criteria being reported on. As with SOC 1 reporting, both Type 1 and Type 2 reports are available for a SOC 2 examination.

What is the Trust Services Criteria?

During a SOC audit, auditors take a detailed look at a company’s processes and systems to make sure they meet specific standards for data protection, security and risk management. These standards are known as the Trust Services Criteria (“TSC”) and encompass controls in five areas:

1. Security: This is the only criterion that is required for all SOC 2 reports. Its purpose is to ensure that information and systems are protected from unauthorized access, disclosure and damage. To meet the Security criteria, organizations must address nine security control families. These are:

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

Many organizations implement multiple controls for each control family listed above, so that the failure or ineffectiveness of any single control has a limited impact on the control family as a whole and, therefore, on the outcome of the SOC examination.

2. Availability: Can your employees and clients rely on your systems to do their work? The Availability criteria help ensure that data is available when needed for its intended use. To meet these criteria, you must have reliable systems so employees and customers can continue using the data and services they depend on. This also includes having a recovery plan in case of data loss or system disruption. Key controls for Availability include:

  • Monitoring and adjusting system capacity to meet demand
  • Implementing environmental protections, backups, and recovery infrastructure
  • Regularly testing recovery procedures

Should you include availability in your SOC 2?
Include this if your organization provides data-driven services where employees or customers rely on access to data or systems. Examples include cloud storage providers, CRM platforms, and similar services.

3. Processing Integrity: The Processing Integrity criteria help ensure your systems function without accidental manipulation, errors, delays or omissions. They focus on the reliability of your systems in processing information, so that employees and customers can trust the results. Key controls for Processing Integrity include:

  • Using high-quality information for processing
  • Having clear policies for how data is entered
  • Making sure data is processed correctly
  • Checking that outputs are accurate and delivered on time
  • Keeping records of inputs, processing steps, and outputs

Should you include Processing Integrity in your SOC 2?

Does your business handle data on behalf of customers, for example by generating reports or running calculations? If so, these criteria are worth adding to your SOC 2 to show customers that they can rely on the accuracy of the results you provide.

4. Confidentiality: The Confidentiality criteria are about keeping sensitive information safe and limiting who can access, use or share it. They help ensure that sensitive information, such as legal documents or intellectual property, is available only to authorized users.

Should you include Confidentiality in your SOC 2?

If your organization handles business strategies, financial reports, intellectual property, passwords, or other confidential information, adding Confidentiality to your SOC 2 is worthwhile!

5. Privacy: The Privacy criteria ensure that your customers’ personal information and data are protected. Key controls for Privacy include:

  • Notice & communication: Let people know how their data is handled.
  • Choice & consent: Give customers options for how their data is used.
  • Collection: Only gather the data you need, and get consent first.
  • Use, retention & disposal: Keep data private throughout its lifecycle.
  • Access: Allow customers to view and update their information.
  • Disclosure & notification: Be transparent about collected data and notify users if there’s a breach.
  • Quality: Maintain accurate, relevant, and up-to-date information.
  • Monitoring & enforcement: Handle privacy complaints or inquiries effectively.

Should you include Privacy in your SOC 2?

If your business collects customer data (personal contact information, website cookies, etc.) and wants to show customers that you have strong privacy practices in place, include Privacy in your SOC 2.

Daniel M. Andrea, Partner, Information Security