The Trust Services Criteria
User entities increasingly outsource tasks, or entire functions, to service organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information on their behalf. For service organizations that perform these functions, a SOC 2 engagement evaluates the controls over those services against the predefined benchmarks of the Trust Services Criteria. The Trust Services Criteria are:
Security — Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability — Information and systems are available for operation and use to meet the entity’s objectives.
Processing integrity — System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality — Information designated as confidential is protected to meet the entity’s objectives. Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information.
Privacy — Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The Evaluation of Trust Services Criteria Can Play an Important Role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
Which Trust Principles Should I Choose?
Security is required in every SOC 2 report: its common criteria are the baseline against which the other categories are evaluated. A service organization can then add any combination of the remaining criteria (Availability, Processing integrity, Confidentiality, Privacy), or all of them. The selection should be based on which criteria are applicable to the services offered and on the commitments the organization has made to its user entities.