I am often asked who is responsible for determining and selecting which category(ies) will be included in the scope of the SOC 2 examination, but the answer may not always be what service organizations want to hear.
As with the SOC 1 examination, management is always responsible for determining which Trust Services Categories (TSCs) to include. It boils down to which categories are right for your business, the services in scope, and your customers. If you review the authoritative guidance, you will unfortunately not find a checklist or selection rules for deciding which categories to choose. As a starting point, below is a high-level description of each of the TSCs:
- Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability – Information and systems are available for operation and use to meet the entity’s objectives.
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
Before you decide on the categories, you must first determine the scope of the examination by identifying the services included in the scope, any third parties that assist in providing those services, and the overall boundaries of those services. This is an important first step, as organizations often have a much narrower view of their services than what the SOC 2 definition of a system actually covers.
Organizations must carefully consider the infrastructure, software, people, procedures, and data when identifying the system boundaries for a SOC 2 examination. Each of these components is further described in the SOC 2 authoritative guidance and literature, and a competent examiner can easily assist management in the identification and preparation of their description for each of these components.
After the scope has been established, the next step is to determine which of the categories are applicable to the service organization’s system.
Let’s begin with the Security category. Security must be included in every SOC 2 examination because it contains the criteria that are common to all other categories. Generally speaking, these common criteria relate to securing the system in order to prevent or detect unauthorized alteration, destruction, or disclosure of system data and information.
When a customer wants reasonable assurance that their data or information is generally “safe and secure,” they are most likely interested in the Security category. This category is also broad enough that an examination covering Security alone is often sufficient for customers and other interested parties to reach an appropriate comfort level regarding the security of their data.
The second most common category chosen for the SOC 2 examination is Availability. Since most service organizations are providing an outsourced service to their customers, contractual requirements or Service Level Agreements (SLAs) are generally in place around these services. Due to the SLAs, Availability is also a complementary category for SOC 2 examinations.
The demand for and selection of the remaining three categories depends largely on the nature of the outsourced services provided. If the service organization performs transaction processing for its customers, then Processing Integrity may be applicable. This category helps provide comfort that the data being processed on the customers’ behalf is complete, valid, accurate, timely, and authorized.
The two remaining categories, Confidentiality and Privacy, are often discussed in the same context even though their underlying definitions are quite different, and several service organizations consider both critical for their examination. They are similar in that both relate to the data and information within the system. However, the Privacy category refers only to personal information, whereas the term “confidential information” and its meaning can vary between organizations and potentially cover a wide range of information security practices.
If the service organization has custodianship over the confidential data (often business data) and has specific custodial commitments with its customers related to the protection of information as the data custodian, then the Confidentiality category can be considered.
Within the context of a SOC 2 examination, Privacy relates to the protection of personally identifiable information (PII), and its meaning can vary between organizations and geographical jurisdictions. A service organization may have responsibility for one or more components of the personal information lifecycle, in which case the Privacy category might be applicable. The personal information lifecycle includes the collection, use, disclosure, retention, and disposal of PII. If a service organization has not been given responsibility for any component of the personal information lifecycle, then the Confidentiality category might be better suited to the organization than the Privacy category.
Choosing categories is a very important process. The first rule is to be educated on the categories and on how those categories and their criteria apply to the organization’s system. Next, the knowledge and counsel of an experienced SOC 2 firm can pay large dividends throughout the process. A reputable firm will provide the guidance you need to select the categories that are best for your organization.
Author: Greg Miller