Last Updated on February 23, 2024
As more stakeholders ask, “How are you protecting our sensitive data?”, the demand for independently audited cybersecurity compliance frameworks has soared. Among the most requested in the US is the System and Organization Controls 2 (SOC 2) report developed by the American Institute of Certified Public Accountants (AICPA).
A critical question for any firm preparing for a SOC 2 audit is which of the five Trust Services Criteria (TSCs) to include. This post shares expert insights and research results to help you choose which criteria you want in your SOC 2 report.
What are the SOC 2 TSCs?
A SOC 2 report can include one or more of five TSCs:
- Security—Ensure data and systems are protected against unauthorized access, unauthorized disclosure, and damage. Security is evaluated against the nine series of “common criteria” (CC1 through CC9); these common criteria also apply to every other category you include, so the other four TSCs add criteria on top of them rather than replacing them.
- Availability—Ensure that systems and data are available for operation and use as committed or agreed. Availability adds 3 criteria (A1.1 to A1.3).
- Processing Integrity—Ensure that system processing is complete, valid, accurate, timely, and authorized. Processing Integrity adds 5 criteria (PI1.1 to PI1.5).
- Confidentiality—Ensure that all information designated as confidential or sensitive is protected as committed or agreed (e.g., intellectual property, proprietary data, customer records). Confidentiality adds 2 criteria (C1.1 and C1.2).
- Privacy—Ensure that personal information is collected, used, retained, disclosed, and disposed of in accordance with the entity’s privacy notice and applicable regulations. Privacy adds 18 criteria (P1.1 through P8.1), the most of any category.
What are the common drivers for including a TSC?
Most entities include a TSC in their SOC 2 scope for one or both of these reasons:
- Customers are specifically requesting it, or
- There is a clear business need for the organization to comply with a TSC’s processes or procedures.
Including more TSCs in your SOC 2 scope can be an excellent way to build stakeholder trust and add business value to your SOC 2 investment—as long as the ROI is evident. Depending on the combination of TSCs involved, including additional criteria can significantly increase the number of controls you need to implement. This adds to the time and cost required to prepare for your SOC 2 audit and maintain your SOC 2 environment.
A best practice is to include the rationale and justification for your TSC scope in Section 5 of your SOC 2 report, “Other Information Provided That Is Not Covered by the Service Auditor’s Report.”
An AICPA FAQ published in November 2020 clarifies that the Security TSC is optional, just like the other four TSCs; contrary to a widespread belief, no single TSC is mandatory for every SOC 2 report. In practice, however, Security is in scope for nearly every SOC 2 report issued.
What is the 2023 SOC Benchmark Study?
For businesses looking to optimize their SOC investments, the 2023 SOC Benchmark Study offers insights gleaned from over 150 SOC 1 and SOC 2 reports across companies of all sizes in a wide range of verticals.
The study can help you:
- Compare your current SOC program and compliance efforts to industry norms
- Identify ways to improve your SOC program results
- Streamline SOC compliance efforts
- Reduce or eliminate exceptions in your SOC 2 report
Which SOC 2 TSC combinations are most popular?
Consistent with real-world experience, Security was included in 100% of the SOC 2 reports the study examined. This is logical: if security controls were inadequate, the controls supporting any of the other TSCs could be undermined as well.
Security is also arguably the most important of the TSC capabilities in the marketplace for customers, regulators, investors, and management.
Following security, the next most commonly included TSCs are:
- Availability—included in 71% of SOC 2 reports in the study
- Confidentiality— included in 34% of reports in the study
- Processing Integrity— included in 16% of reports in the study
- Privacy— included in 5% of reports in the study
Only about 15% of the SOC 2 reports in the study included the Security TSC alone. The most popular pairing of TSCs includes Availability alongside Security. This combination reflects how many of today’s cyber threats, such as ransomware and distributed denial of service (DDoS) attacks, target data availability. Combining Security and Availability can add significant value to your SOC 2 report for comparatively little additional “lift.”
Stakeholders often make a generic request for a SOC 2 report without specifying which SOC 2 TSCs they require. Therefore, it is a best practice to discuss the benefits of including other criteria and the potential effort to achieve them with your service auditor or other experts.
Why do so few SOC 2 reports include Privacy?
The low percentage of reports including Privacy (5% in the study) reflects the difficulty of achieving compliance with this TSC. Privacy has the largest number of criteria (18) of any category, and the controls needed to meet them are among the most demanding to implement.
The Privacy TSC spans the full PII lifecycle, from collection to usage to retention to disposal, plus disclosure per applicable regulations. Implementing many of these controls also requires legal expertise.
Achieving compliance with the Privacy TSC would strongly underscore your company’s ability to protect personal data and other sensitive data. But doing so would likely make sense only if your business handles PII and/or has stringent privacy compliance requirements, such as GDPR for many entities operating in Europe.
Experience shows that implementing the Privacy TSC is about as much work as implementing the other four TSCs combined. At the same time, meeting the Privacy requirements effectively satisfies many of the requirements of other TSCs, especially Processing Integrity. This may explain the study finding that Privacy was rarely in scope unless Processing Integrity or Confidentiality were also included.
What is the difference between the Confidentiality and Privacy TSCs?
In the SOC 2 benchmark study, almost seven times as many organizations included the Confidentiality TSC in their SOC 2 scope as included the Privacy TSC.
Confidentiality defines a more generic capability: protecting any information the entity designates as confidential, which includes not just personal data but also intellectual property, financial records, customer records, etc.
The Privacy TSC relates specifically to protecting personal data throughout its lifecycle, including meeting privacy rights requirements.
What’s next?
For more guidance on this topic, listen to Episode 132 of The Virtual CISO Podcast with guest Scott Woznicki, National SOC Practice Leader at CBIZ MHM.