Contact a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
View All Industry Solutions
Learning Center
Articles
Whitepapers
Case Studies
Events & Live Webinars
On-Demand Webinars
Visit the Learning Center
Our Process
About Us
Leadership Team
Careers
Corporate Social Responsibility
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Learning Center
Learning Center
Visit the Learning Center
Articles
Articles
Whitepapers
Whitepapers
Case Studies
Case Studies
Events & Live Webinars
Events & Live Webinars
On-Demand Webinars
On-Demand Webinars
Our Process
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Contact a Specialist

«  View All Posts

Choosing the Correct SOC 2 Principles Blog Feature
GREG MILLER

By: GREG MILLER

Print/Save as PDF

Choosing the Correct SOC 2 Principles

SOC | Education

I am often asked who is responsible for determining and selecting which principle(s) will be included in the scope of the SOC 2 examination, but the answer may not always be what service organizations want to hear.

Similar to the SOC 1 examination, management will always be tasked to make the determination of which Trust Services Principles (TSP) to choose. It boils down to what principles are right for your business, services, and customers. If you review the guidance, unfortunately you will not find a checklist or selection rules for the decision making path on which principles to choose. As a starting point, below is a high level description of each of the TSPs:

  • Security – The system is protected against unauthorized access, use, or modification to meet the entity’s commitments and system requirements.
  • Availability – The system is available for operation and use to meet the entity’s commitments and system requirements.
  • Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s commitments and system requirements.
  • Confidentiality – Information designated as confidential is protected to meet the entity’s commitments and system requirements.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s commitments and system requirements.

Before you decide on the principles, you must first determine what the scope of the examination is going to be by identifying the services included in the scope, any third parties that also provide those services and the overall boundaries of those services. This is an important first step as organizations will often have a much narrower view of their services and what is included in a SOC 2 system.

Organizations must carefully consider the infrastructure, software, people, procedures and data when identifying the system boundaries for a SOC 2 examination. Each of these components is further described in the SOC 2 literature and a competent examiner can easily assist management in the identification and preparation of their description for each of these components.

After the scope has been established, the next step is to determine which of the principles are applicable to the service organization’s system.

Let’s begin with the Security principle.  Security is required to be included in all SOC 2 examinations as it contains criteria that are common to all other principles.  The common  criteria relate to ensuring Security over a system to prevent or detect alteration, destruction or disclosure of information.

When a customer wants to receive reasonable assurance that their data or information is generally “safe and secure” they are most likely interested in the Security principle. This principle is also broad enough that just performing the examination on this principle alone at many times is enough for customers and other interested parties to attain an appropriate comfort level regarding the security of their data.

The second most common principle chosen for the SOC 2 examination is Availability. Since most service organizations are providing an outsourced service to their customers, contractual requirements or service level agreements (SLAs) are generally in place around these services. Due to the SLAs, Availability is also a good complementary principle for SOC 2 examinations.

Third, if the service organization is providing transaction processing for its customers, then Processing Integrity may be applicable. This principle helps to provide comfort that the data that is being processed on its behalf is complete, valid, accurate, timely and authorized.

The remaining two principles are Confidentiality and Privacy. Often times both get talked about in the same context although their underlying definitions are quite different. In addition, several service organizations believe that these two are critical for their examination.  They are similar because both principles relate to the information within the system.  However, the Privacy principle refers only to personal information.  Whereas the term “confidential information” and its meaning can vary between organizations or geographical jurisdictions and potentially cover a wide range of information security practices.

If the service organization has custodianship over the confidential data and has specific custodian commitments with its customers related to the protection of information as the data custodian, then the Confidentiality principle can be considered.

Within the context of a SOC 2 examination, Privacy relates to the protection of personally identifiable information, also called PII.  A service organization may have responsibility over one or more components of the personal information lifecycle, and therefore, the Privacy principle might be applicable.  The personal information lifecycle includes the use, collection, disclosure, retention and disposal of PII.  If a service organization has not been given the responsibility over any component of the information lifecycle, then the confidentiality principle might more suited for the organization than the Privacy principle.

Choosing principles is a very important process. A first rule is to be educated on the principles and the applicability of those principles and criteria to the organization’s system. Next, the knowledge and counsel of an experienced SOC 2 firm could pay large dividends throughout the process. A reputable firm will provide the guidance to help you navigate the process of selecting which principles are best.

About GREG MILLER

Greg Miller is a Principal at Schellman. Greg leads the HITRUST service line. Greg has more than 20 years of combined audit experience in both public accounting and private industry.

Schellman

4010 W Boy Scout Boulevard, Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S. 1.813.288.8833

Services
Industries
Resources
Company

© SchellmanPrivacy PolicyTerms

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.