Selecting the correct Trust Services Categories (TSCs) for your SOC 2 report is an important step. In this video, Ryan Buckner explains what your approach may be and where you can start if this is your first or next SOC 2 engagement.
For additional details on each of the individual TSCs, you can read this article that expands further on these 5 areas.
Security, availability, and confidentiality. Which trust service category should I include in my next SOC 2 report? Well, maybe you're thinking of the exact same question and you don't have Carnac the magnificent on speed dial. Don't worry if all you need is a plain English understanding of exactly which trust service categories to you include in your next SOC 2, you've come to the right place. Let's get started.
Which trust service categories to include in scope is an important question, and many times organizations don't realize the amount of flexibility they have in this regard. The trust services categories include five different categories and organizations can select to be evaluated against one, two, three, four, or all five. There's a lot of flexibility there, and so organizations really need to consider what is going to make the most sense for not only their organization but also for the potential readers and users of the report.
Now in general, every SOC 2 examination will include at least the security category. And while in a technical sense, there are scenarios where the security category is not required to be in scope, particularly if the organization does not make any security-related service commitments or requirements, however, these are very rare and few and far between. So as a practical matter, as you plan and prepare for your SOC 2 examination, you're going to want to include the security category, and the real question becomes in addition to that category, what other categories will make sense for your organization to consider?
So to simplify things, let's take a minute to discuss the five trust services categories and the reasons why some organizations may select one or more of those categories for their next SOC 2 examination. Now, as a general guideline, the trust services categories are all predicated on the concept of service commitments and requirements. So typically, here's how this would work; many organizations tend to make some security-related service commitments and requirements. Almost always an organization is going to have the security category within scope.
So starting from there, organizations are encouraged to ask themselves:
- Do they make any additional service commitments or have any additional system requirements related to the availability of the system or services to the processing of any transactions, ensuring that outputs based on inputs are processed accurately, timely, and completely.
- If any of the information hosted or managed by the system is required to undergo or satisfy very specific confidentiality provisions or requirements.
- Or whether the system collects users, retains, or discloses personally identifiable information.
Those are all very important questions because your answers to each one of those are going to directly tie to whether or not a particular category is going to be appropriate for your organization to consider.
If, for example, you do manage regulated information, perhaps personally identifiable information, and you need to be able to communicate to the potential users of your system, how you safeguard that personally identifiable information for all of the areas of the personally identifiable information lifecycle that you are responsible for and you make such commitments, well, then the privacy category and those related criteria may be appropriate for your organization to consider, and it's a similar thought process for the confidentiality of business data, the processing of transactions and other data streams, as well as the overall availability of the system.
So the first question to ask is,
What do we commit to and what system requirements must be conformed to and be able to communicate to the interested parties of our report?
If there are no such promises or service commitments and requirements, then typically those categories should be excluded from the scope. However, even if you do make service commitments and requirements related to availability or confidentiality or processing integrity, or privacy, you are not required to be evaluated against the criteria for that related category.
So it truly comes down to a combination of things:
- What promises or service commitments and requirements you make related to those categories?
- What are the expectations of the readers or potential readers of your report?
Depending on the answers to those questions, will help your organization determine which categories are going to be most appropriate for you.
Now, here's a quick pro-tip:
You do not have to be evaluated against all categories in the initial year, and what many organizations will have to do is start with perhaps maybe the security category or the availability category only and then over time as necessary include other categories and related criteria for evaluation.
For a more detailed explanation of these trust service categories, read our article specifically addressing the SOC 2 TSCs.
About the AuthorMore Content by Ryan Buckner