I am often asked who is responsible for determining and selecting which principle(s) will be included in the scope of the SOC 2 examination, but the answer may not always be what service organizations want to hear.
Similar to the SOC 1 examination, management will always be tasked to make the determination of which Trust Services Principles (TSP) to choose. It boils down to what principles are right for your business, services, and customers. If you review the guidance, unfortunately you will not find a checklist or selection rules for the decision making path on which principles to choose. As a starting point, below is a high level description of each of the TSPs:
- Security – The system is protected against unauthorized access, use, or modification to meet the entity’s commitments and system requirements.
- Availability – The system is available for operation and use to meet the entity’s commitments and system requirements.
- Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s commitments and system requirements.
- Confidentiality – Information designated as confidential is protected to meet the entity’s commitments and system requirements.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s commitments and system requirements.
Before you decide on the principles, you must first determine what the scope of the examination is going to be by identifying the services included in the scope, any third parties that also provide those services and the overall boundaries of those services. This is an important first step as organizations will often have a much narrower view of their services and what is included in a SOC 2 system.
Organizations must carefully consider the infrastructure, software, people, procedures and data when identifying the system boundaries for a SOC 2 examination. Each of these components is further described in the SOC 2 literature and a competent examiner can easily assist management in the identification and preparation of their description for each of these components.
After the scope has been established, the next step is to determine which of the principles are applicable to the service organization’s system.
Let’s begin with the Security principle. Security is required to be included in all SOC 2 examinations as it contains criteria that are common to all other principles. The common criteria relate to ensuring Security over a system to prevent or detect alteration, destruction or disclosure of information.
When a customer wants to receive reasonable assurance that their data or information is generally “safe and secure” they are most likely interested in the Security principle. This principle is also broad enough that just performing the examination on this principle alone at many times is enough for customers and other interested parties to attain an appropriate comfort level regarding the security of their data.
The second most common principle chosen for the SOC 2 examination is Availability. Since most service organizations are providing an outsourced service to their customers, contractual requirements or service level agreements (SLAs) are generally in place around these services. Due to the SLAs, Availability is also a good complementary principle for SOC 2 examinations.
Third, if the service organization is providing transaction processing for its customers, then Processing Integrity may be applicable. This principle helps to provide comfort that the data that is being processed on its behalf is complete, valid, accurate, timely and authorized.
The remaining two principles are Confidentiality and Privacy. Often times both get talked about in the same context although their underlying definitions are quite different. In addition, several service organizations believe that these two are critical for their examination. They are similar because both principles relate to the information within the system. However, the Privacy principle refers only to personal information. Whereas the term “confidential information” and its meaning can vary between organizations or geographical jurisdictions and potentially cover a wide range of information security practices.
If the service organization has custodianship over the confidential data and has specific custodian commitments with its customers related to the protection of information as the data custodian, then the Confidentiality principle can be considered.
Within the context of a SOC 2 examination, Privacy relates to the protection of personally identifiable information, also called PII. A service organization may have responsibility over one or more components of the personal information lifecycle, and therefore, the Privacy principle might be applicable. The personal information lifecycle includes the use, collection, disclosure, retention and disposal of PII. If a service organization has not been given the responsibility over any component of the information lifecycle, then the confidentiality principle might more suited for the organization than the Privacy principle.
Choosing principles is a very important process. A first rule is to be educated on the principles and the applicability of those principles and criteria to the organization’s system. Next, the knowledge and counsel of an experienced SOC 2 firm could pay large dividends throughout the process. A reputable firm will provide the guidance to help you navigate the process of selecting which principles are best.
About the Author
Greg Miller is a Principal at Schellman. Greg leads the HITRUST service line. Greg has more than 20 years of combined audit experience in both public accounting and private industry.More Content by Greg Miller