In the Fall of 2022, the AICPA released the updated TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022) (2017 TSC document). This latest version does not modify the trust services criteria in the 2017 TSC document.
The objective of this update is to provide additional and revised points of focus for several criteria defined within the 2017 TSC document so as to stay abreast with changes in the business and technological environments. There has been no change in the direction in that the 2017 TSC document does not define the controls a service organization must have in place in order to meet the trust services criteria. A service organization must identify controls it has designed and placed in operation that meet the trust services criteria. The 2017 TSC document provides the trust services criteria to be met and points of focus to consider. The objective of the document’s content is to aid the service organizations in being able to attain a successful SOC 2 examination.
There have been no changes in the trust services criteria with this latest update. Any reports currently being issued should reference and be mapped to the 2017 trust services criteria found in TSP Section 100.
What Are the Five Trust Services Criteria?
As stated previously, there are five criteria that are available to be included in a SOC 2 examination. The five criteria are listed below (with links to articles on each criterion).
The Trust Services Criteria
Security Criteria: SOC 2 Common Criteria
The only criteria that is required to be in a SOC 2 examination is the security criteria, which is also known as the common criteria. The security criteria is referred to as common criteria because many of the criteria used to evaluate a system are shared among all five of the Trust Services Criteria.
For example, the criteria related to risk management apply to four of the criteria (security, processing integrity, confidentiality, and availability). The common criteria establish the criteria common to all the trust services criteria and the comprehensive set of criteria for the security criteria.
When a service organization’s client wants to know their information/data is secure and protected, they are likely interested in the security criteria. This criteria is comprehensive enough that including it in the scope of the examination alone will likely be enough for service organization’s clients to get the assurance they need with respect to the security of their information/data.
The other available criteria can be added to the examination at the discretion of management, or if it is determined that the criteria are key to the services being provided.
Prior to deciding on the criteria to include in the SOC 2 examination, the service organization, with the help of its auditor, should determine the system and its boundaries relevant to the services that are being provided. This should include contemplation of the entire environment, including software, infrastructure, procedures, data, and people. After the scope of the examination has been determined, it can then be decided which of the criteria are pertinent to the service organization’s services and system.
Which Criteria Do You Include in Your SOC 2?
Determining which of the criteria to include in the scope of a SOC 2 examination is a key step in the SOC 2 planning process. A service organization should do their homework and know a little about the available criteria and if they apply to their services and system. It is also very important to get advice from an experienced accounting firm that can help navigate through the criteria and determine which ones are relevant.
What if a Client is Asking For All Criteria to Be Included?
A number of prospects and clients have asked us what to do if a client is asking for all criteria to be included but they do not think they all apply. As a general rule, all criteria do not need to be included, but there are cases where clients ask for all because they do not know what they are asking for, and therefore asking for all covers everything. In these cases, we can be included in a conversation with the client and talk through the criteria and their relevance to the service provider. Many times this conversation helps to clear up which criteria truly are relevant to the subservice organization and should be covered in the SOC 2 examination.
Can Testing Occur in a SOC 2 Outside of the SOC 2 Criteria?
There can be flexibility in a SOC 2 examination to include mapping of controls to other certifications/regulations/frameworks. The AICPA guidance allows service organizations to complete a SOC 2 plus examination that includes a mapping to other certifications/regulations/frameworks. For example, a few of the more common SOC 2 plus examinations that we perform include HITRUST, NIST CSF, and HIPAA mapping.
How Do the 17 COSO Principles Integrate with SOC 2 Criteria?
Widely recognized, the COSO Framework is used often to evaluate the design and operating effectiveness of an entity’s internal controls. Because both COSO and the trust services criteria are used to evaluate internal control, with the last AICPA update to SOC 2 and the criteria, the criteria and the COSO framework were integrated. COSO is made up of 17 principles which are grouped into the following five categories:
- Control Environment
- Communication and Information
- Monitoring Activities
- Risk Assessment
- Control Activities
These five categories align with the first five criteria sections within the security/common criteria section.
Additional SOC 2 Criteria Outside of the COSO Principles
The 2017 Trust Services Criteria describe specific criteria in addition to the COSO principles that are mapped to evaluate the internal controls over the five trust services criteria. TSP Section 100.08 describes the additional criteria as follows:
- Logical and Physical Access: How an entity restricts access (physical and logical), adds and removes said access, and avoids unauthorized access.
- System Operations: How an entity manages the operation of the system(s) and detects and mitigates processing nonconformities, including access (physical and logical) security nonconformities.
- Change Management: How an entity recognizes the necessity for changes, executes the changes using a controlled process, and stops unauthorized changes from occurring.
- Risk Mitigation: How the entity recognizes, chooses, and advances risk mitigation activities that have occurred from business disruptions, and the monitoring and evaluation of the use of business partners and vendors.
Points of Focus in a SOC 2
Points of focus were new to SOC reporting with the 2017 trust services criteria but have been part of the COSO framework previously. For each criterion, there is a list of several associated points of focus. The points of focus deliver details as to the features that could be included in the design, implementation, and operation of the control related to the criterion. There are over 200 points of focus associated with the SOC 2 security/common criteria in the 2017 Trust Services Criteria. For all five categories (security, availability, processing integrity, confidentiality, and privacy) where the COSO principles map in, there are 61 criteria with almost 300 points of focus.
The numbers listed in the previous paragraph should not cause any alarm, because a majority of the points of focus are what SOC auditors should be reviewing already as part of the SOC 2 examination. The points of focus have not been listed with the criteria until the 2017 update. Additionally, not all points of focus are relevant to the service provider. An assessment of whether each point of focus is met by the service organization is not required according to the guidance at TSP 100.07, but rather just a guide or examples of controls that could meet the associated criteria.
New Updates to the Points of Focus
As previously stated, the points of focus are the key updates to the 2017 TSC document. The points of focus defined for each TSC serve as important areas for a service organization to consider when identifying controls that meet defined trust services criteria. Not all points of focus may be relevant for a service organization and are not required to be met in order to attain a successful SOC 2 examination. The points of focus, though, may identify areas of improvement that a service organization can make to strengthen its operations. The AICPA does not consider the identified points of focus to be exhaustive of all areas and activities that may be relevant to a service organization.
Points of Focus Additions
The AICPA has added additional points of focus in the common criteria/security criteria areas. As the common criteria/security criteria are the basis of a SOC 2 examination, the points of focus the AICPA has added to the criteria for this section are briefly defined here:
- Control Environment
- CC1.3 and CC1.5 to address newly identified privacy concerns regarding reporting lines and disciplinary actions
- Information and Communication (formerly called Communication and Information)
- CC2.1 to address concerns relating to the managing, classification, completeness and accuracy, and storage of assets
- CC2.2 to address communication concerns relating to privacy knowledge and awareness and reporting of incidents related to privacy when the privacy criteria is included in the SOC 2 examination
- CC2.3 to address communication of incidents related to privacy when the privacy criteria is included in the SOC 2 examination
- Risk Assessment
-
- CC3.2 to address the identification of vulnerability of system components and providing additional guidance on assessing the significance of risks for the subservice organization
- CC3.4 to address the assessment of changes in internal threats and external threats and vulnerabilities the service organization may encounter
- Logical and Physical Access
-
- CC6.1 to address the access and use of confidential information for identified purposes when the confidentiality criteria is included in the SOC 2 examination
- CC6.1 to address restricting access to and use of personal information when the privacy criteria is included in the SOC 2 criteria
- CC6.4 to address the recovery of physical devices
- System Operations
-
- CC7.3 to address the impact on or use or disclosure of confidential information in the case of a security event occurring when the confidentiality criteria is included in the SOC 2 examination
- CC7.4 to address the definition of and execution of breach response procedures when the privacy criteria is included in the SOC 2 examination
- Change Management
-
- CC8.1 to address the process for managing patch changes
- CC8.1 to address considerations in the design and testing phases for system resilience when the availability criteria is included in the SOC 2 examination
- CC8.1 to address privacy requirements in the design phase when the privacy criteria is included in the SOC 2 examination
- Risk Mitigation
-
- CC9.2 to address to identification and evaluation of vulnerabilities arising from vendor and business partner relationships.
Unless indicated in each bullet point above, the additional points of focus are relevant for all SOC 2 engagements.
The AICPA has also added additional points of focus within the availability, confidentiality, and privacy criteria. The service organization and service auditor should take note of the additional points of focus when performing a SOC 2 examination including these criteria.
What is the Difference Between a SOC 1 & SOC 2 Report?
The Trust Services Criteria are in a SOC 2 report only. So how is a SOC 1 different from a SOC 2 report? A SOC 1 report has a little more flexibility in what is tested and opined on by the auditor. In addition to reviewing security, a SOC 1 audit includes more of a focus on the service organization’s controls that may be or are relevant to an audit of their client’s financial statements. The service organization (with the help of the auditor) will figure out the key control objectives for the services they provide to clients, and that is what is included in the report. Control objectives in a SOC 1 always include objectives around IT general controls, but also include business processes at the service organization that impact their clients.
Additional Items
The AICPA released in 2022 the updated DC Section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. Updates to this document are not described in this article; but, can be found on the AICPA website.
Finally, in November 2022, the AICPA released an updated SOC 2 guidance (Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. Updates to this guide are also not described within this article; but, can also be found on the AICPA website.
Conclusion
The AICPA introduced the updated TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022) in Fall 2022. The main focus of the document was to provide additional points of focus to various criteria within the document. Other wording updates were made as well. The objective of the modifications is to address continued changes and risks within the business and technological environments. As with the existing points of focus in TSP Section 100, the new points of focus may not be applicable to all service organizations and must be considered in relation to the service organizations’ operations. In addition, some of the new points of focus are specific to certain trust services criteria.
Where To Find Additional Information On the Trust Services Criteria
The SOC 2 guide that includes the Trust Services Criteria can be purchased in the AICPA store. Additionally, a mapping document, which shows how each of the 2017 criteria and points of focus relates to the COSO principles can be downloaded from the AICPA.
Linford & Company has helped many new clients scope their needs for a SOC 2 audit, including identifying the boundaries of their system and determining the criteria needed in their examination. All clients are provided these services as part of the readiness assessment.
If you would like additional information about any of our services, please contact us or click on the following links: SOC 1, SOC 2, HIPAA audits, HITRUST, and FedRAMP Compliance Certification.
This article was originally published on 10/18/2019 and was updated on 2/1/2023.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1 and SOC 2 audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.