Oftentimes, service organizations ask:
"Why is it that the Privacy Trust Services Principle (TSP) for a SOC 2 examination takes so much more time and resources to attest against compared to the other TSPs?"
One of the most obvious answers as to why the Privacy TSP takes so much more time and resources is that the Privacy TSP includes a total of 73 criteria against which the auditor must attest. The Privacy TSP contains nearly twice as many criteria as the other four TSPs combined:
- Security – 28 criteria
- Availability – 3 criteria
- Processing integrity – 6 criteria
- Confidentiality – 6 criteria
- Privacy – 73 criteria
Something that service organizations should be aware of, and begin planning for, is the change to the criteria within the Privacy Principle. The changes are effective December 15, 2016. Updating the Privacy criteria not only reduces the total number of Privacy TSP criteria from 73 down to 20, but also emphasizes the privacy commitments and the communication of those commitments. The upcoming changes to the Privacy TSP are not expected to significantly reduce the time and resources it takes to attest against it, because these changes require the inclusion of the Security Principle. Therefore, the entire set of Privacy criteria will consist of the common criteria found in the Security Principle along with the unique Privacy criteria.