The Security category is mandatory for every SOC 2 engagement; but what if your commitments to customers and the requirements of your services demand including other criteria?
In one of our previous articles, we started discussing the controls necessary to obtain a positive SOC 2 audit report. We already know that specific criteria exist for evaluating the design and operating effectiveness of these controls. These criteria have been established by the Assurance Services Executive Committee (ASEC) of the AICPA in the document called 2017 Trust Services Criteria (TSC) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security category is an integral part of every SOC 2 audit and lays the foundation for the other categories. Thus, including only Security in the audit's scope is often enough to assure your customers of the reliability and trustworthiness of your services.
However, what if the organization's commitments require evaluating more than the Security category? How should an organization decide which additional category to include in the scope of its SOC 2 audit? What criteria will auditors use to assess the design and effectiveness of the related controls? To answer these and related questions, keep reading.
The starting point for deciding whether to include additional trust services category(s) is the entity's commitments to customers and its system requirements. Commitments are the service provider's declarations to customers regarding the performance of the entity's system(s) and processes. Such commitments appear in written contracts, service level agreements, or public statements. Hence, if your company is a SaaS provider that has committed to delivering reliable, continuously available software services to its clients, you should include Availability in the scope of your SOC 2 audit.
At the same time, you should also take into consideration the system requirements. These describe how the system must function to achieve the entity's commitments to customers and to meet obligations arising from laws, regulations, or trade and business associations. For instance, if your systems process financial data, you are more likely to be concerned with Processing Integrity.
Confidentiality should be included in the SOC 2 audit report if the organization handles sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI). In fact, there is a SOC 2 + HIPAA audit for companies that deal with PHI, and we will cover this type of audit in future articles. The Confidentiality category addresses the organization's commitments regarding how clients' sensitive information is handled. It is important to understand that confidentiality applies not only to personal information but also to other types of sensitive information, such as trade secrets or intellectual property.
Information is confidential if its custodian is required to limit its access, use, and retention and to restrict its disclosure. Confidentiality requirements may be found in laws or regulations as well as in contracts that contain commitments made to customers or others. Organizations should therefore review their contractual obligations to ensure customers' information is properly protected. Some of the confidentiality-related questions include:
If the organization provides services for which the completeness and accuracy of processing matters (usually financial operations or e-commerce), consider Processing Integrity. This category covers the controls necessary to process data and deliver results completely, accurately, and in a timely manner, and only as authorized.
The criteria evaluate whether the entity obtains, generates, uses, and communicates information to support the appropriate use of its products and services. Some of the questions auditors would ask you during a SOC 2 audit include:
The Availability category should be included in the scope of the SOC 2 audit report if the services your organization provides are time-sensitive and their availability is critical. For example, availability is critical for a stock trading platform or a hospital health monitoring dashboard. Availability neither sets a minimum acceptable performance level nor addresses system functionality or usability. Instead, it addresses whether the system includes controls to support continuous operation, monitoring, and maintenance. Availability also typically applies to companies providing colocation, data center, SaaS, or hosting services to their clients.
To assess the design and effectiveness of controls related to Availability, auditors will use the common criteria as well as the additional Availability-specific criteria. These additional criteria require policies and procedures covering capacity and demand planning for the system, monitoring of the use of system components, environmental protections, data backup processes, and recovery plans, including testing of those plans.
Some of the questions that businesses should ask themselves before the SOC 2 audit include:
To succeed in a SOC 2 audit, you should understand which set of controls is relevant for your business. You should also know what criteria auditors will use to evaluate the design and effectiveness of these controls. In many SOC 2 engagements, evaluating controls related to the Security category alone is sufficient. However, to make your SOC 2 report more robust and to satisfy customers with growing expectations, it is often necessary to extend the scope of the SOC 2 audit report to one or more additional categories: Confidentiality, Processing Integrity, Availability, or Privacy.
If some questions remain unanswered, do not hesitate and contact our Planet 9 team. We’ll be happy to assist!