I am often asked who is responsible for determining and selecting which principle(s) will be included in the scope of the SOC 2 examination, but the answer may not always be what service organizations want to hear.
Similar to the SOC 1 examination, management will always be tasked to make the determination of which Trust Services Principles (TSP) to choose.
The next question I typically receive is what principles are right for my business, services, and customers. If you review the guidance, unfortunately you will not find a checklist or selection rules for the decision making path on which principles to choose. As a starting point, below is a high level description of each of the TSPs:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, timely and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in generally accepted privacy principles (GAPP).
Before you decide on the principles, you must first determine what the scope of the examination is going to be by identifying the system and its boundaries. This is an important first step as organizations will often times have a much narrower view of their IT system than the broader definition incorporated into the SOC 2 methodology.
Organizations must carefully consider the infrastructure, software, people, procedures and data when identifying the system boundaries for a SOC 2 examination. Each of these components is further described in the SOC 2 literature and a competent examiner can easily assist management in the identification and preparation of their description for each of these components.
After the scope has been established, the next step is to determine which of the principles are applicable to the service organization’s system.
Let’s begin with the most common principle chosen: security. By definition and nature security is generally included in most SOC 2 examinations. The principle and corresponding criteria relate to ensuring authorized access to the system.
When a customer wants to receive reasonable assurance that their data or information is generally “safe and secure” they are most likely interested in the security principle. This principle is also broad enough that just performing the examination on this principle alone at many times is enough for customers and other interested parties to attain an appropriate comfort level regarding the security of their data.
The second most common principle chosen for the SOC 2 examination is availability. Since most service organizations are providing an outsourced service to their customers, contractual requirements or service level agreements (SLAs) are generally in place around these services. Due to the SLAs, availability is also a good complementary principle for SOC 2 examinations.
Third, if the service organization is providing transaction processing for its customers, then Processing Integrity may be applicable. This principle helps to provide the service organization’s users comfort that the data that is being processed on its behalf is complete, accurate, timely and authorized.
The remaining two principles are Confidentiality and Privacy. Often times both get talked about in the same context although their underlying definitions are quite different. In addition, several service organizations believe that these two are critical for their examination.
Most of the time, customers are asking if their data is private and confidential. Therefore, automatically service organizations may think they need to add these principles. It is helpful to remember, the term “confidential information” and its meaning can vary between organizations or geographical jurisdictions and potentially cover a wide range of information security practices. If the service organization has outlined contractual commitments with its customers related to the protection of information as the data custodian, then the Confidentiality principle can be considered.
Within the context of a SOC 2 examination, Privacy relates to the protection of personally identifiable information, also called PII, and is based on the AICPA’s GAPP. These 10 generally accepted privacy principles need to be considered by an organization as part of its policies, communication and privacy statement or notice.
Privacy principles consider domestic and international laws and regulations at the business level. Before undertaking the Privacy principle, service organizations need to ensure that their system is mature and includes the 10 GAPP principles in their processes and procedures around the collection, use, retention, disposal, or disclosure of personal information.
Choosing principles is a very important process. A first rule is to be educated on the principles and the applicability of those principles and criteria to the organization’s system. Next, the knowledge and counsel of an experienced SOC 2 firm could pay large dividends throughout the process. A reputable firm will provide the guidance to help you navigate the process of selecting which principles are best.