The Trust Services Criteria (TSC) were developed by the AICPA Assurance Services Executive Committee (ASEC). The available TSCs for a SOC 2 audit include:
- Security (also known as common criteria). This is the only required TSC and is included to demonstrate that systems at a service organization are protected against unauthorized access and other risks that could impact the service organization’s ability to provide the services promised to clients.
- Availability. Included where service organizations need to demonstrate that their systems are available at all times.
- Processing integrity. Demonstrates that system processing is occurring accurately and timely.
- Confidentiality. This TSC is included to demonstrate that data classified as confidential is protected.
- Privacy. When a service organization is in possession of personal information, this TSC is included to show that this personal information is protected and handled appropriately.
The Security TSC is the only TSC that is required in a SOC 2. The other four criteria can be added at the discretion of management, and should be included if the criteria are key to the services being provided by the service organization.
What Makes up the Security/Common Criteria?
In terms of the SOC 2 Criteria, security refers to the protection of information and systems.
Protection of Information
The security TSC tests that information is secure during the collection or creation of the data, and during the use, processing, transmission and storage of the data.
Protection of Systems
Systems in the security TSC are defined as anything that uses electronic information to process, store, or transmit information relevant to the services provided by the service organization. Controls tested in the security TSC are checking that there is prevention and detection to any breakdown in the security or processing by these systems.
The security TSC is also referred to as common criteria, and is broken down into common criteria sections.
- CC1 – Control Environment
- CC2 – Communication and Information
- CC3 – Risk Assessment
- CC4 – Monitoring Activities
- CC5 – Control Activities
- CC6 – Logical and Physical Access Controls
- CC7 – System Operations
- CC8 – Change Management
- CC9 – Risk Mitigation
The AICPA guidance provides the criteria sections and then also points of focus within each of the criteria sections. Points of focus (i.e. controls) represent important characteristics of the criteria. These are provided by the AICPA to assist in designing controls supporting the criteria. Not all of the points of focus will be suitable or relevant to the service organization, so they can be customized, or different points of focus/controls can be developed to be included in the examination.
Use of all the points of focus in not required. For example, under CC4 – Monitoring Activities, one of the points of focus is “Considers Different Types of Ongoing and Separate Evaluations—Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.“
Mapping COSO into the Common Criteria
The 17 internal control principles from the COSO framework have been mapped into the Security/Common Criteria. COSO is mapped into the first five criteria as follows:
The control environment common criteria (CC1) covers COSO Principles 1-5. This criteria section covers the service organization’s commitment to integrity and ethical values, independence by the board, management and board oversight, and the hiring, maintaining and ongoing monitoring of quality employees at the service organization.
Communication and Information
The communication and information common criteria (CC2) covers COSO Principles 13-15. This criteria section includes the communication of relevant information (lines of authority, boundaries of the system, relevant changes, etc.) to internal personnel as well as clients of the service organization.
The risk assessment common criteria (CC3) covers COSO Principles 6-9. This criteria section is included to demonstrate that the service organization is assessing risks possibly impacting their operations and putting plans in place to mitigate these risks.
The monitoring activities common criteria (CC4) covers COSO Principles 16-17. This criteria covers the ongoing evaluation of the system at the service organization and the notification to relevant personnel in the event that there is a breakdown in the system.
The control activities common criteria (CC5) covers COSO Principles 10-12. This criteria section tests that the service organization has controls in place for the mitigation of risk and also that the controls in place are monitored on an ongoing basis.
On the AICPA website you can download the SOC 2 criteria that includes the mapping to COSO. See Mapping of the 2017 Trust Services Criteria to Extant 2016 Trust Services Principles and Criteria. They also offer mapping to other frameworks, including ISO 27001, NIST CSF, and COBIT5.
A SOC 2 examination includes many areas, even specific areas within the required security/common criteria. If your organization is considering a SOC examination, or you have questions about what TSCs should be included, please contact us to request a consultation. Linford & Company has extensive experience providing SOC 2 examinations. If you are interested in learning more about SOC 2 examinations or any of the services provided by Linford & Co., please click the following links: SOC 1, SOC 2, HIPAA audits, Royalty Audits, FedRAMP, Processing Integrity.