Determining which Trust Service Principles to include in your SOC 2 report can be a challenging task. We often have calls with clients and prospects to walk through their business operations and help them determine which Principles are most appropriate for their report. Ultimately, it is management's decision which Principles to attest to in the SOC 2 report, so even when all 5 Principles apply, the report is not required to include all of them. While it is not mandatory to attest to all 5 Principles, the Security Principle must be included in all SOC 2 attestation reports, as it is the core of the common criteria for SOC 2 reports issued by the American Institute of Certified Public Accountants (AICPA). Availability and Security are the two most common Principles organizations select for SOC 2 attestations.

Organizations that process transactions may decide to include the Processing Integrity Principle, while data centers that store personal information for clients might include the Confidentiality Principle to help ensure that no client can access the data of other clients. Attesting to these Principles may give your organization a competitive advantage when a vendor is evaluating business partners, as these Principles provide greater assurance and transparency on the system.

Organizations that store highly confidential data, like electronic medical records, personally identifiable information and credit card information, would want to include the Privacy Principle in their SOC 2 report.

For more information or for assistance in determining which Principles should be included in your SOC 2 report, contact us today.

 
