As a technology-based service organization, undergoing a SOC 2 Type 2 audit may be required by a customer or could be helpful for demonstrating your organization’s capabilities and differentiating your business from competitors.
We explained this in our post about SOC audit report basics if you need to know the what, why, who, and how of SOC reporting.
A SOC 2 audit evaluates the controls within an organization's cyber risk management program based on its ability to meet selected Trust Services Criteria (TSC).
This article explains the TSCs and how to apply them to your business.
Selecting Relevant SOC 2 Type 2 Trust Services Criteria
The AICPA defines five different categories of Trust Services Criteria, commonly called Trust Service Principles, that an organization can be evaluated against during a SOC 2 audit. These include:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
The only criterion that must be included in a SOC 2 audit is security, and it may not be necessary for an organization to be evaluated against all the remaining criteria. In fact, depending on the type and structure of the service organization, many choose to start the process of being evaluated against only one or two of these pillars.
An organization may choose to add additional SOC 2 criteria beyond the Security TSC to an audit based on a few different factors including:
- Customer Requests: If a customer requests certain criteria in a SOC 2 report, the requested criteria should be included in the audit.
- Business Focus: An organization wishing to demonstrate competency in a certain area may choose to be audited against associated criteria.
- External Regulatory Requirements: SOC 2 TSC requirements are cross-referenced with other regulations and frameworks (HIPAA, HITRUST, PCI, etc.), enabling bilateral engagements.
- Growth and Development: Adding additional criteria during the re-attestation process demonstrates the growth and development of the company.
Based on these factors, an organization should select the set of TSCs they plan to be assessed against during a SOC 2 engagement.
Related Reading: How to Recover From a Failed PCI DSS ROC
Identifying Applicable SOC 2 Criteria
Each SOC 2 audit is as unique as the service organization itself. Therefore, different companies may choose to be assessed against different TSCs according to the following:
Security: Protecting Against Unauthorized Access
As we noted earlier, the Security Trust Services Criteria is the only required principle for a SOC 2 audit.
This category focuses on protecting systems against unauthorized physical and logical access. This covers areas such as identity and access management (IAM), administrative policies, and human resources (HR) security.
When preparing for an audit, verify that the organization’s IAM policies are meeting common standards, such as checking that password policies are following the recommendations contained within the NIST standard.
From a policy perspective, ensure that access to sensitive information is being properly controlled by ensuring company processes and procedures are followed with regard to annual policy reviews, background investigations, and non-disclosure agreements (NDAs).
Related Reading: The Importance of Identity Management and Governance for Telework Security
Availability: Fulfilling Service Level Agreements
The Availability Trust Services Criteria of a SOC audit focuses on an organization’s Service Level Agreements (SLAs) and other contractual requirements. After reviewing the applicable agreements, an auditor inspects the infrastructure that an organization has in place to ensure the fulfillment of its responsibilities.
To prepare for an audit covering availability, focus on systems that provide redundancy, customer service, etc. These could include support operations, ticketing systems, and the organization’s processes and procedures.
Processing Integrity: Completeness, Timeliness, Accuracy, and Authorization
Processing integrity audits focus on the completeness, timeliness, accuracy, and authorization of the organization’s processing operations. The focus of the Process Integrity Trust Services Criteria depends heavily on the services that an organization provides to its clients.
To prepare for an audit covering the processing integrity TSC, review the organization’s quality assurance program. For example, a call center should check call quality and customer approval ratings to ensure that customer service infrastructure and personnel are meeting expectations.
Confidentiality: Keeping Sensitive Data Secret
A SOC 2 audit against the Confidentiality Trust Services Criteria is only applicable if an organization has access to data that a customer has labeled as confidential. This could include intellectual property, price lists, contracts or agreements, and other internal data.
An audit including the confidentiality TSC focuses on an organization’s efforts to limit access to this confidential data. This includes an audit of internal policies and procedures for managing access to confidential data as well as the technical controls covered in the security category of the audit.
Privacy: Following the Privacy Policy
The Privacy Trust Services Criteria evaluates how personal information is collected, used, retained, disclosed, and disposed of to meet the organization's objectives.
For organizations being evaluated against the Privacy principle, the organization's privacy policy is of prime importance. The auditor reviews the existing policy and compares an organization’s operations against it and the criteria included in generally accepted privacy principles (GAPP).
To prepare for an assessment, review your organization’s privacy policy and the GAPPs, make any necessary updates, and verify that you can demonstrate you are fulfilling the agreements laid out in your policy.
When being evaluated for privacy, a direct connection with the data subject is important. Otherwise, it may be difficult to demonstrate that all requirements regarding data collection, usage, retention, disclosure, and disposal are being followed with regard to the wishes of the data subject.
Preparing for a SOC 2 Type 2 Audit
When preparing for a SOC 2 Type 2 audit, the most important thing to keep in mind is that the business needs to be able to demonstrate that its policies, procedures, and controls meet the desired criteria. A SOC 2 audit is much quicker and easier if the company has prepared documentation in advance for the auditor. This dramatically reduces the duration and complexity of the audit and the probability that oversight could result in an unfavorable review.
Working with a SOC 2 auditor before beginning the audit process can also help to ensure a favorable result. A SOC readiness assessment can help to identify potential issues in advance and enable your organization to fix them before being measured against SOC 2 Type 2 Trust Services Criteria, instead of having them show up as exceptions in the final report.
Are you ready to apply more rigor to your SOC audit reporting? Reach out to start the conversation.
Ben Harkleroad, Enterprise Consultant
Ben Harkleroad is an enterprise consultant with Avertium, specializing in SOC audit report services. Ben helps Avertium customers to apply more rigor in demonstrating their SOC controls.