The Trust Services Principles

The efficiency of outsourcing tasks or entire functions to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information for user entities continues to increase. For those service organizations that perform these functions, SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements (AICPA, Professional Standards, Vol. 1). The Trust Principles are:

  1. Security — The system is protected against unauthorized access (both physical and logical).
  2. Availability — The system is available for operation and use as committed or agreed.
  3. Processing integrity — System processing is complete, accurate, timely and authorized.
  4. Confidentiality — Information designated as confidential is protected as committed or agreed.
  5. Privacy — Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.

Which Trust Principles Should I Choose?

A service organization can select any combination or all of the trust principles in a SOC report. The selection is based on the applicability to the services offered.