How to Choose the Right TSC for SOC 2 Audit
The Security category is mandatory for every SOC 2 engagement, but what if the commitments you make to customers and the services you provide call for additional criteria? This article explains how to choose the right TSC for a SOC 2 audit. When preparing for a SOC 2 audit, an organization should understand which set of controls is relevant to its business and which criteria auditors will use to evaluate the design and operating effectiveness of those controls. A SOC 2 audit report is based on the five Trust Services Criteria (TSC):
- Security,
- Availability,
- Processing Integrity,
- Confidentiality, and
- Privacy.
Each of these criteria is used to evaluate the design and effectiveness of internal controls covering a different aspect of the organization's information security and privacy program. Security, the SOC 2 common criteria, is the most important part of every SOC 2 audit because it lays the foundation for the other criteria. In many cases, Security alone is enough for a SOC 2 audit report. Keep in mind, however, that a SOC 2 report typically covers a period of 12 months, which is long enough for your business to expand into new areas of operation. The more categories you include, the more robust your SOC 2 report will be, and the more likely it is to satisfy customers whose expectations keep growing. So how should an organization decide which additional categories to include in the scope of its SOC 2 audit? How do you choose the right TSC for a SOC 2 audit? What criteria will auditors use to assess the design and effectiveness of these controls? The rest of this article answers these and related questions.
How to Choose the Right TSC for a SOC 2 Audit Report
Choosing the right criteria for a SOC 2 audit means aligning the selection with your organization's business objectives, client requirements, and the scope of the services you provide. Three factors drive the decision:
- The entity's commitments to customers. Such commitments are made in written contracts, service-level agreements, or public statements. For example, a SaaS provider that has committed to delivering reliable software services should include Availability in the scope of its SOC 2 audit.
- System requirements. System requirements describe how the system must function in order to meet the entity's commitments to customers. For instance, a cloud storage provider might focus on Security, Availability, and Confidentiality, while an e-commerce platform may include Processing Integrity and Privacy.
- Industry standards and regulations. Assess the industry frameworks and regulations that apply to you. For example, GDPR compliance may call for the Privacy criterion, while ISO 27001 overlaps substantially with the Security criterion.
If you are unsure which criteria to choose, begin with Security and add the others incrementally as your organization matures or client demands grow. The following category-by-category guide will help you pick the appropriate SOC 2 specific criteria (also known as Trust Services Criteria, or TSC):
Evaluating Controls Related to Confidentiality
Confidentiality should be included in the SOC 2 audit report if the organization handles sensitive data such as Personally Identifiable Information (PII) or Protected Health Information (PHI). In fact, there is a SOC 2 + HIPAA audit for companies that deal with PHI, and we will cover that type of audit in a future article. The Confidentiality category addresses the organization's commitments regarding how clients' sensitive information is handled. Note that confidentiality applies not only to personal information but also to other kinds of sensitive information, such as trade secrets or intellectual property. Information is confidential if its custodian is required to limit its access, use, and retention and to restrict its disclosure. Confidentiality requirements may come from laws and regulations as well as from contracts containing commitments made to customers or others, so organizations should review their contractual obligations to ensure that customers' information is properly protected. Confidentiality-related questions include:
- Are the procedures in place to identify and classify confidential information when it is received or created?
- What procedures do you implement to protect confidential information from unauthorized access?
- Are procedures in place to identify confidential information that must be destroyed once the end of its retention period is reached?
Evaluating Controls Related to Processing Integrity
If the organization provides services for which the integrity of processing matters (typically financial operations or e-commerce), consider Processing Integrity. This category covers the controls needed to process and deliver data in a timely, complete, and accurate manner. Its criteria evaluate whether the entity obtains, generates, uses, and communicates information in a way that supports the appropriate use of its products and services. Questions auditors will ask during a SOC 2 audit include:
- Is data checked at the input point to ensure it meets the defined criteria before being accepted by the system?
- Are your systems configured to validate data for completeness, so that outputs can be reconciled with inputs?
- Do you have a process documenting data input and output validation for completeness, accuracy, and timeliness?
Evaluating Controls Related to Availability
The Availability category should be included in the scope of the SOC 2 audit report if the services your organization provides are time-sensitive and their availability is critical, as it would be for a stock trading platform or a hospital health monitoring dashboard. Availability neither sets a minimum acceptable performance level nor addresses system functionality or usability; instead, it addresses whether the system includes controls that support continuous operation, monitoring, and maintenance. Availability also typically applies to companies providing colocation, data center, SaaS, or hosting services to their clients. The additional criteria for Availability require policies and procedures covering capacity demand planning, monitoring the use of system components, environmental protection, data backup, and recovery plans. Questions businesses should ask themselves before a SOC 2 audit include:
- Are procedures in place for backing up data, monitoring for backup failures, and initiating corrective action when such failures occur?
- Is there a business continuity plan in place? Is it tested on a periodic basis?
- Is the use of system components measured to establish a baseline for capacity management?
Evaluating Controls Related to Privacy
The Privacy category is often described as standing on its own, because it specifically addresses how customers' personal information is collected and used. It verifies that the organization handles personal data in accordance with the commitments in its privacy policy. The Privacy set of controls matters for businesses that work with personal information and carry substantial privacy obligations. For a privacy audit, the organization must implement controls covering individuals' rights as well as the proper protection, use, and retention of personal information. Privacy-related questions include:
- Are notices provided to data subjects regarding the purpose of collection, choice and consent, the types of information collected, and so on?
- Do you inform your data subjects about the choices available to them with respect to the collection, use, and disclosure of personal information?
- Do you limit the collection of personal data to the extent necessary to meet the entity’s objectives?
Choose the Right TSC for SOC 2 Audit with Planet 9
To succeed in a SOC 2 audit, you need to understand which TSC are relevant to your business and ensure that the corresponding controls are designed and operating effectively. Planet 9, a cybersecurity consulting firm in the San Francisco Bay Area, offers SOC 2 compliance services tailored to your specific needs. Our team of vCISOs and compliance managers can help you:
- Identify Critical Controls: Determine the most relevant SOC 2 controls for your organization.
- Conduct Gap Assessment and Remediation: Pinpoint security gaps and implement effective solutions.
- Audit Preparation and Support: Prepare for and navigate the audit process with ease.
- Continuous Compliance: Maintain ongoing compliance through regular assessments and updates.
- Map Controls to Other Frameworks: Map your SOC 2 controls to the HIPAA Security Rule (see SOC 2 + HIPAA audit) or ISO 27001 (see SOC 2 vs. ISO 27001).
Book a free consultation to achieve and maintain SOC 2 compliance now.