What is the SOC 2 Criteria?

In the cybersecurity space, industry bodies publish compliance guidelines, criteria, and certifications that establish best practices for companies across a range of industries. A SOC 2 report is an independent auditor's attestation on your organization's controls, measured against the Trust Services Criteria (TSC) set forth by the American Institute of CPAs (AICPA).

System and Organization Controls 2 (SOC 2) lets service and product companies show the work they are doing to uphold the three core principles of security: confidentiality, integrity, and availability. It is the go-to standard for US software and SaaS providers that handle large amounts of customer data.

The criteria are grouped into five categories (security, availability, processing integrity, confidentiality, and privacy), and a report covers one or more of them depending on what the organization chooses to have examined. Security is included in practically every SOC 2 report, because its criteria underpin the other four. These reports are not a regulatory requirement, but they are the industry standard.

Adhering to the SOC 2 Framework

SOC 2 has two report types, Type I and Type II. A Type I report examines an organization's systems and processes at a specific point in time and asks whether the controls are suitably designed. A Type II report examines the same controls over a review period, commonly six to twelve months, and asks whether they operated effectively in practice throughout that period.

Both report types are flexible enough to adapt to different industries and organizational needs. It is up to the company to define its internal controls in a System Description: a written narrative of the company's service commitments and of how its internal controls operate to meet those commitments, consistent with the Trust Services Criteria. This is unlike most other frameworks, which follow a more rigid model and explicitly prescribe the controls a company must have; SOC 2 instead fits the report to the controls you have already defined. The auditor then assesses those controls and whether they are sufficient to meet the TSC.

The Trust Services Criteria are organized into five categories, each essential to effective data security. The specific controls that satisfy each category are not hard and fast, because each report applies the criteria to that organization's own controls.

1. Security: Protecting systems and data from unauthorized access. Organizations should implement measures such as access controls for provisioning and revoking access to key systems, strong authentication methods such as multi-factor authentication, and routine user access reviews. It is also important to have firewalls in place, along with intrusion detection and recovery processes, so that security threats are identified and responded to proactively. The end goal is to protect against unauthorized access, unauthorized disclosure, and damage to systems that could compromise any of the categories below.

2. Availability: Ensuring information and systems are available for operation and use to meet the entity's objectives. Meeting availability standards requires building systems that can withstand high traffic and recover quickly from disruptions. Network monitoring and disaster recovery plans (also a key element of the Security category) keep services running when users need them. If your company monitors uptime and makes sure it has the capacity to serve its customers, you are likely already doing most of what this category calls for.

3. Processing Integrity: Verifying that system processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. To meet the criteria in this category, a company needs data validation checks at each stage of processing that demonstrate it has a strong handle on the completeness and accuracy of its data. This is especially valuable for companies that aggregate data across disparate sources and want to assure their customers that the resulting calculations are correct.

4. Confidentiality: Ensuring information designated as confidential is protected to meet the entity's objectives. Organizations need encryption to protect this type of data both at rest and in transit. Access controls need to follow the principle of least privilege, granting employees only the minimum access necessary to complete their tasks.

5. Privacy: Handling personally identifiable information (PII), such as names, addresses, and payment card details, with care. The information should be collected, used, retained, disclosed, and disposed of in line with the entity's objectives. Whereas Confidentiality applies to any information designated as sensitive, Privacy applies only to personal information.

The best way to address the Privacy category is to start from the service commitments your company is making and work backward, scoping controls that meet the criteria specifically. For example, if you are also working toward GDPR compliance, Decrypt Compliance would work with you to scope in the relevant controls and test them against both the GDPR requirements and this Privacy category.

The Security category itself is made up of the "common criteria" (the CC series), which apply to every SOC 2 report regardless of which other categories are in scope. The first of these map to the components of the COSO internal control framework:

  • The Control Environment (CC1)
  • Communication and Information (CC2)
  • Risk Assessment (CC3)
  • Monitoring Activities (CC4)

The remaining common criteria cover control activities, logical and physical access controls, system operations, change management, and risk mitigation.

Should My Organization Undergo a SOC 2 Audit?

If you find yourself asking this question, then the odds are that the answer is yes. A SOC 2 audit allows you to get a better understanding of the gaps in your organization’s data security protocols and gets your team up to speed on how to overcome those deficiencies with better internal practices.

Such an audit also lets you focus on the categories that have yet to be met at the appropriate standard while strengthening those your team has already implemented. Efficiency matters for modern companies, especially those with an eye toward growth, and a SOC 2 audit lets you meet the industry standard in a way that supports long-term expansion.

More importantly, a SOC 2 audit creates opportunities for added revenue as your organization takes on larger, enterprise-level customers. These customers demand greater assurance over the security of their data; a SOC 2 report issued by a firm like Decrypt, which you can share with your customers, provides some of that assurance.

Are You Up to Speed on the SOC 2 Framework?

At Decrypt Compliance, we specialize in helping companies successfully implement and audit the SOC 2 framework. As a GRC consultancy, we provide guidance that aligns with your organization's needs, creating a strong foundation for data protection that lets you drive increased revenue and avoid being boxed out of opportunities where such compliance is necessary. Customer trust is an integral part of business growth and success today. Contact us today to learn more about SOC 2 and other frameworks that can benefit your business.
