There are five Trust Service Principles (TSPs) that can be included in the scope of a SOC 2 examination. At a high level, the five TSPs are:
- Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, timely and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in generally accepted privacy principles (GAPP).
The only TSP required in every SOC 2 examination is Security. When a client of a service organization wants reasonable assurance that its data and information are protected, the Security principle is usually what it is looking for. The principle is also broad enough that, for many service organizations, including it alone gives clients the comfort they need regarding the security of their data; whether that is sufficient depends on what else the organization has committed to its clients (for example, uptime or confidentiality commitments).
The other TSPs are added to the examination only when they are determined to be within scope. Before deciding on the principles, the service organization, together with the auditor, should identify the system and its boundaries, taking into account the infrastructure, software, people, procedures and data that make up the system. Once the system boundaries are established, it can be determined which of the principles apply to the service organization's system.
Availability is the next most commonly included TSP. Most service organizations provide an outsourced service to their customers, and many have contractual requirements or service level agreements (SLAs) covering that service; where such commitments exist, availability is commonly added to the scope. Data centers and software as a service (SaaS) providers frequently include this TSP.
If the service organization is providing transaction processing for its client, then processing integrity may be applicable and be included in the SOC 2 scope. This principle helps provide clients of the service organization comfort that the data being processed on their behalf is complete, accurate, timely and authorized.
If the service organization has outlined contractual commitments with its clients related to the protection of information as the data custodian, then the confidentiality principle can be considered.
Within the context of a SOC 2 examination, privacy relates to the protection of personally identifiable information (PII) and is based on the AICPA’s GAPP. These 10 generally accepted privacy principles need to be considered by an organization as part of its policies, communication and privacy statement or notice.
Choosing the correct principles to include in the scope of a SOC 2 examination is an important process. A service organization should understand the principles and their applicability to its system. The knowledge and counsel of an experienced firm that performs SOC 2 examinations is very beneficial and will result in a more successful examination. At Linford & Company we have helped many clients determine the boundaries of their system and select the appropriate TSPs to include in their examination.