The Trust Services Principles and Criteria (TSP Section 100) have been updated for SOC 2 reports. The last time they were updated was 2009. The new TSP can be found here. Unfortunately, the AICPA charges a fee. These changes are mandatory for reports issued after December 15, 2014. The update covers the security, processing integrity, availability, and confidentiality criteria; the privacy criteria have not been updated at this time.
The primary change has to do with the introduction of the common criteria concept. In short, SOC 2 reports now all require use of the common criteria (there are 28 criteria) as a baseline. This also happens to include the security principle and criteria. In other words, all SOC 2 reports will soon cover the security principle at a minimum. The availability (three criteria), processing integrity (six criteria), and confidentiality (six criteria) principles are optional add-on principles, as is privacy.
A useful document that maps the old criteria to the new criteria can be found here: Trust Services Criteria Mapping 2014 to 2009. It was created by the AICPA. The good news is that there are very few new criteria, so service organizations that already have a SOC 2 covering security will see fewer changes to their report. Service auditors should start communicating the changes to their clients now if they haven't already.