The 5 SOC 2 Trust Services Categories Explained
Published: Aug 27, 2025
If you’re considering a SOC 2 audit, be it due to a customer request or to strengthen your security posture, you may already understand that this examination will include an evaluation of your product or service on a more operational and security-oriented level. You may even already grasp that during a SOC 2, your scope will be evaluated against a set of trust services criteria (TSC) that provide the backbone of the assessment.
But what are the trust services categories, the criteria that make up each category, and which ones will you actually need for your SOC 2 audit? At Schellman, we have over two decades of experience in SOC 2 examinations, and we want to help you navigate what can be a complex process.
Read on to discover what inclusion of each category will mean for your SOC 2 examination. From there, we’ll give you some guidelines for your internal conversations when making your choice. Afterwards, you’ll be that much closer to pinning down what you need from your upcoming SOC 2 report.
The 5 Trust Services Categories for SOC 2 Reports
1. Security
The Security category of SOC 2 is the foundation of the framework and focuses on protecting systems and data from unauthorized access, misuse, or changes. It ensures that only the right people have the right level of access, systems are safeguarded against threats, and activities are monitored so suspicious behavior can be detected and addressed. Security also covers processes like authentication, system updates, and incident response, making sure the organization can prevent, detect, and respond to potential risks. In short, it’s about keeping information and systems safe so that clients and stakeholders can trust the organization’s operations.
- Examples of security controls include identity and access management, risk assessment/management, firewalls, intrusion detection, logging/monitoring, security awareness training, change management, and incident response processes.
- Security is the only trust services category required in every SOC 2 report. Its criteria are the "common criteria" (CC1 through CC9) of the AICPA Trust Services Criteria, and the other four categories add supplemental criteria on top of them, so Security serves as the cornerstone that provides the baseline assurance the environment is safeguarded.
2. Availability
If included, your auditor will assess whether your in-scope system is available for operation and use as committed. You may have an agreement with customers to provide some level of accessibility to the product or service being evaluated (e.g., service level agreements for uptime). If so, both parties have agreed to a set level of availability, and your auditor will check that you are honoring that commitment. The Availability criteria help service organizations assure their customers that they can access services when they need them, without unexpected disruptions.
- Examples of Availability controls include disaster recovery and business continuity planning, backup processes, capacity planning, performance monitoring, and incident handling related to downtime.
- Security and Availability are often closely related in practice, since security controls in your network (rate limiting, denial-of-service mitigation, patching) directly affect whether the service stays reachable, but the two do not always go hand in hand: a system can be tightly locked down and still miss its uptime commitments.
3. Processing Integrity
If included, your auditor will assess whether your in-scope system does what it is supposed to do (i.e., that it delivers the right data, the right way, at the right time, and completely). The points of emphasis are that system processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
- Examples of Processing Integrity controls include input/output validation, data processing accuracy checks, error detection and correction, monitoring, and reconciliation processes.
- An important distinction when considering this category: processing integrity is not the same as data integrity. The examination evaluates whether your process does what you say it does, not whether the data fed into that process was accurate or complete to begin with.
4. Confidentiality
If included, your auditor will assess whether the information you’ve designated as confidential is protected from unauthorized access, disclosure, or use. Further, retention and disposal are tested to ensure that confidential data is only kept for its intended purpose and securely destroyed once no longer needed, reducing the risk of unauthorized handling of data.
Again, this often traces back to your contracts: data is considered confidential when access to it and disclosure of it are restricted to specific people or organizations. Think business plans, intellectual property, or sensitive financial information, among other things.
- Examples of Confidentiality controls include data classification and handling procedures, access restrictions, data retention and disposal/destruction practices, encryption (at rest and in transit), and contractual confidentiality obligations.
- Data in transit is a common weak point for confidentiality, which is why encryption in transit (alongside encryption at rest) is an important control here. As with Security and Availability, Security and Confidentiality overlap depending on your setup, since security tools such as firewalls and other access controls also serve to keep confidential data confidential.
5. Privacy
If included, your auditor will assess your controls over your in-scope system's collection, use, retention, disclosure, and disposal of personal information, in conformity with your privacy notice (if you have one) and with the privacy criteria in the AICPA Trust Services Criteria, which were built on the AICPA's generally accepted privacy principles (GAPP).
- Examples of Privacy controls include privacy notices, user consent mechanisms, rights to access or delete personal data, and secure handling of personal information.
- Privacy is distinguished from Confidentiality by the data itself. Confidentiality covers any information you have designated as confidential, whether or not it relates to a person; Privacy covers personally identifiable information (PII), i.e., data that can identify a specific individual (e.g., name, address, Social Security number). Depending on the context, PII can also include sensitive information such as health, race, sexuality, and religion.
How Do You Choose the Right Trust Services Categories?
Unfortunately, there is no prescriptive checklist for choosing the right trust services categories for your report; the decision is entirely yours.
Schellman has been in this industry a long time, providing countless SOC 2 reports every year to companies of differing types and industries, so we’ve seen a lot of different directions this tailoring can go. Though your organization will still forge its own way in the end, if you need help, here’s the main thing you need to understand:
Your eventual selection of your in-scope Trust Services Categories should be predicated entirely on your service commitments and system requirements.
What that means is however many categories you choose to include should be solely indicative of the commitments you have regarding your data and systems. Those requirements will provide the criteria basis for your auditors to evaluate against, and so inclusion beyond those categories that are relevant wouldn’t make sense—there simply wouldn’t be enough to speak to.
How to Determine Your SOC 2 Scope
Next, it's time to drill down into the rest of your commitments. Your scope is the specific part of your business (a service, system, or product) that is being examined. With that scope in mind, ask yourself the following questions:
- Did you make any specific commitments to make your in-scope system available/accessible to customers?
- Did you agree to ensure the integrity of, say, transactions your in-scope system is making, or any other data stream processes it is involved with?
- Is the data stored in or flowing through your in-scope system designated as confidential or private, per the distinctions laid out above?
Answering these, by reviewing your contractual agreements and terms of service, should give you a more complete picture of what trust services categories should be included in your SOC 2 report. Being evaluated against each will provide validation to your customers that you are following through on all your promises to safeguard their data.
However, we should make clear that even though you might have commitments in each of these categories, you are not required to actually add them to your audit scope. That may seem confusing, but it’s true.
Moreover, there seems to be particular confusion surrounding the Privacy category and whether or not it should be included for those who handle PII. For more clarity there, read our article on the pros and cons.
What we typically see is organizations including only Security (and sometimes Availability) in their first-year audit. When customers request a SOC 2, they don't always stipulate specific categories, which lets the organization get its feet wet with the process and a minimal set of categories. As other categories become relevant over time, the organization adds them.
So, to sum it all up—the promises you’ve made to your customers should serve as a guiding light for the inclusion of different categories/criteria, but there is nothing that says you are mandated to include each category related to every commitment you’ve made to your customers, especially during your first SOC 2 examination.
Next Steps in Your SOC 2 Journey
Now you’re in a better position when it comes to deciding exactly which of these trust services categories will serve you best. You’ll now need to look inward towards the specifics of your commitments, but even after discerning all that, you may still find you have some questions about the particulars of what SOC 2 will look like for you.
That’s because, even aside from selecting the in-scope categories, there are a lot of other factors that will play into how your audit ultimately goes. It can be tricky to find a good marriage between validating your customers’ trust in you, honoring the commitments you need to honor, and aspects like budget and resources.
If you’re wondering what else to think about, here are some links to get you further along in your SOC 2 decision-making and preparation:
- Should You Get a SOC 3 or a SOC 2 Examination? Understand Your Options
- Clearing Up The Confusion - Type 1 vs Type 2 and the Value Proposition
- How Long Will Your SOC Examination Take?
- Do You Need a SOC 2 with Additional Criteria? 3 Frameworks to Consider
With all that knowledge in hand, you’ll then, more than likely, want to speak with a service auditor to get their opinion on your organizational particulars or to understand what kind of audit methodology is best for you.
As one of your many options in this area, we at Schellman are happy to speak with you and answer any questions you may have.
About Chad Goubeaux
Chad Goubeaux is a Manager at Schellman based in Columbus, Ohio with nearly 10 years of experience serving clients in auditing and IT compliance. He is a leader of the firm's SOC methodology group and contributes to the AICPA SOC 2 working group, helping to shape industry standards. At Schellman, Chad specializes in SOC 1, SOC 2, SOC 3, and HIPAA attestations. With previous experience in financial statement audits from a Big 4 firm, he brings a strong foundation in risk management and regulatory compliance. A graduate of The Ohio State University, Chad holds multiple certifications, including CPA, CISSP, CISA, CITP, CCSK, and the AICPA Advanced SOC certificate.