What Are the Five Trust Services Criteria?

Understand the framework that underpins a SOC 2 report. This guide explains how the Trust Services Criteria translate business promises into auditable controls.

The Trust Services Criteria are a framework used to evaluate the design and effectiveness of a service organization’s controls. These standards are applied within System and Organization Controls (SOC) 2 examinations, which report on controls relevant to the security, availability, processing integrity, confidentiality, or privacy of a system. The criteria establish a benchmark for assessing whether a company’s information security measures are operating effectively, measured against the commitments it makes to its customers. A SOC 2 report provides assurance to clients that their data is being handled responsibly.

The Five Trust Services Criteria

Security

The Security criterion is the mandatory foundation of any SOC 2 examination and is also referred to as the Common Criteria. It addresses the protection of system resources against unauthorized access and the protection of information from unauthorized disclosure. The controls in this category are designed to prevent system damage that could result in data loss or business disruption.

To meet the Security criterion, an organization implements technical controls like firewalls and intrusion detection systems. Access controls are another example, where multi-factor authentication is enforced for users to verify their identity before granting access to sensitive systems. Organizations also establish formal policies and procedures, such as an information security policy that outlines roles and responsibilities for protecting data.

The Security criterion includes establishing a control environment that values security, implementing risk assessment processes to identify threats, and developing control activities to mitigate them. It also involves measures for monitoring control effectiveness, managing system changes, and having procedures for incident response. Because these elements are fundamental to any secure environment, they must be included in every SOC 2 report.

Availability

The Availability criterion pertains to the accessibility of the system, products, or services as stipulated by a contract or service level agreement (SLA). It evaluates whether a company meets its stated commitments for uptime and accessibility. This criterion is relevant for businesses whose customers depend on constant access to their services, such as cloud hosting providers, data centers, and software-as-a-service (SaaS) platforms.

Controls for the Availability criterion focus on system reliability and resilience. A company might implement performance monitoring to track system uptime and resource utilization, allowing it to address potential issues before they cause an outage. Another control is a disaster recovery plan that is tested regularly to ensure the organization can restore service within the timeframe promised to its customers.

Organizations also maintain redundant processing sites and automated failover capabilities to minimize downtime. Network and infrastructure monitoring tools are used to detect operational issues in real time. Capacity management is another control, where the organization plans for future resource needs to prevent system degradation as its user base grows.

Processing Integrity

The Processing Integrity criterion addresses whether a system processes data in a complete, valid, accurate, timely, and authorized manner. The focus is on the full lifecycle of a data process to ensure it achieves its intended purpose without error or manipulation. This criterion applies to organizations that perform transaction processing or financial services, such as payment processors or e-commerce platforms.

To satisfy this criterion, an organization implements controls to verify data at both the input and output stages. For example, input validation checks ensure that data entered into a system is in the correct format and within acceptable ranges. Reconciliations of processing totals are another control where system-generated reports are compared against source documents to identify discrepancies.

System logic is also configured to detect and correct processing errors as they occur. An organization might implement sequence checks to ensure all transactions in a batch are processed. Maintaining processing logs and providing them to the correct recipients helps verify that data output is reliable and delivered intact.
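As an added illustration (not from the original article), the three Processing Integrity controls described above, input validation, sequence checks and reconciliation of processing totals, applied to a constructed transaction batch. The record fields, the ACC- account format and the control record are assumptions chosen for the example.

```python
"""Processing Integrity checks over a constructed transaction batch.

Added example, not from the article: input validation of each record,
a sequence check for batch completeness, and reconciliation of the
processed count and total against a control record.
"""
from decimal import Decimal, InvalidOperation

# Constructed control record: how many transactions the batch should hold
# and what their total should be (the source-document side of the reconciliation).
CONTROL = {"count": 4, "total": "350.00"}
# Constructed batch: seq 3 is missing and seq 5 fails several validation rules.
BATCH = [
    {"seq": 1, "account": "ACC-1001", "amount": "100.00", "authorized_by": "ops-a"},
    {"seq": 2, "account": "ACC-1002", "amount": "50.00", "authorized_by": "ops-b"},
    {"seq": 4, "account": "ACC-1003", "amount": "200.00", "authorized_by": "ops-a"},
    {"seq": 5, "account": "bad id", "amount": "-5.00", "authorized_by": ""},
]

def validate_record(rec):
    """Input validation: format, range and authorization checks on one record."""
    problems = []
    acct = rec.get("account", "")
    if not (acct.startswith("ACC-") and acct[4:].isdigit()):
        problems.append("account format")
    try:
        amt = Decimal(rec.get("amount", ""))
        if not (Decimal("0") < amt <= Decimal("10000")):
            problems.append("amount out of range")
    except InvalidOperation:
        problems.append("amount not numeric")
    if not rec.get("authorized_by"):
        problems.append("missing authorization")
    return problems

def check_batch(batch, control):
    """Run validation, sequence and reconciliation checks; return the findings."""
    findings = {"invalid": {}, "gaps": [], "duplicates": [], "reconciled": False}
    seen, total = set(), Decimal("0")
    for rec in batch:
        problems = validate_record(rec)
        if problems:
            findings["invalid"][rec["seq"]] = problems
        else:
            total += Decimal(rec["amount"])  # only valid records count toward the total
        if rec["seq"] in seen:
            findings["duplicates"].append(rec["seq"])
        seen.add(rec["seq"])
    # Sequence check: every number from 1 up to the highest seen must be present.
    expected = set(range(1, max(seen) + 1)) if seen else set()
    findings["gaps"] = sorted(expected - seen)
    # Reconciliation on both count and total: a matching total alone can hide a missing record.
    valid_count = len(batch) - len(findings["invalid"])
    findings["valid_total"] = total
    findings["reconciled"] = (valid_count == control["count"] and total == Decimal(control["total"]))
    return findings
```

Running `check_batch(BATCH, CONTROL)` reports the gap at sequence 3, the rejected record 5, and a failed reconciliation even though the valid total matches the control total, which is why the count is checked as well.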

Confidentiality

The Confidentiality criterion addresses the protection of information designated as confidential from unauthorized disclosure. This criterion applies to sensitive data that is not personal information but is protected by agreements with customers or business partners. Examples include intellectual property, business plans, and financial reports.

Controls for Confidentiality center on data encryption and access restrictions. Data is encrypted both in transit over networks and at rest in storage to prevent it from being read by unauthorized parties. Access controls are implemented based on the principle of least privilege, meaning employees are only given access to the confidential information required to perform their jobs.

Organizations also establish policies for identifying and handling confidential information, including procedures for data classification, labeling, and secure disposal. Non-disclosure agreements (NDAs) with employees, contractors, and business partners are a contractual control used to legally enforce confidentiality obligations. Training programs help ensure that staff understand their responsibilities for protecting sensitive information.

Privacy

The Privacy criterion is distinct from Confidentiality and focuses on the protection of personally identifiable information (PII). It addresses how an organization collects, uses, retains, discloses, and disposes of personal data in conformity with its privacy notice and established privacy principles. This criterion is relevant for any organization that handles customer or consumer data, such as those in healthcare, finance, or technology.

Controls for the Privacy criterion are designed to give individuals control over their personal information. A primary control is providing a clear and accessible privacy notice that explains what data is collected and for what purpose. Organizations must also obtain consent from individuals before collecting or using their PII and have procedures to honor data subject rights, such as requests for access or deletion of their information.

To meet this criterion, companies implement measures like data minimization, where only the PII necessary for a specific purpose is collected. Access to PII is strictly controlled and monitored, and data is disposed of securely once it is no longer needed. Employee training on privacy best practices is another control to ensure PII is handled appropriately.

Preparing for a SOC 2 Examination

Before an auditor begins an assessment, the organization must define the scope of the examination and gather evidence to demonstrate that controls are functioning correctly. This preparation streamlines the audit process and increases the likelihood of a successful outcome.

Selecting the Criteria

The first step is selecting which Trust Services Criteria to include in the SOC 2 report. While the Security criterion is always required, an organization must decide whether to add Availability, Processing Integrity, Confidentiality, or Privacy. This decision is driven by the services provided and the commitments made to customers through contracts or marketing materials.

Gathering Documentation and Evidence

Once the scope is defined, the organization must compile documentation. A system description provides an overview of the services, infrastructure, software, people, and procedures that support the system being audited. The company must also gather all relevant policies and procedures, such as its information security policy and incident response plan.

Evidence that these policies are being followed is also required. This evidence can include:

  • Logs from security monitoring systems
  • Records of employee background checks
  • Minutes from management meetings where risk is discussed
  • Reports from quarterly access reviews

The SOC 2 Examination Process

A SOC 2 examination is an engagement with an independent CPA firm to assess and report on a service organization’s controls. The process moves from initial planning to the final delivery of the SOC 2 report.

Scoping and Readiness

The engagement begins with scoping and planning, where the organization and auditors agree on the Trust Services Criteria, the systems in scope, and the timeline. Some organizations opt for a readiness assessment, which is a preliminary review where the auditor provides feedback on potential gaps in the control environment. This gives the company an opportunity to remediate issues before the official examination.

Fieldwork and Testing

The fieldwork or testing phase is where the auditor executes procedures to determine if controls are designed appropriately and operating effectively. This involves reviewing the company’s documentation, interviewing personnel to understand processes, and performing sample testing of controls. Examples of testing include inspecting system configurations or verifying that new employee access requests were properly authorized.

Reporting

Upon completion of testing, the auditor drafts the SOC 2 report. The report includes the auditor’s opinion, the company’s assertion, the system description, and the results of the control tests. A Type 1 report attests to the suitability of control design at a single point in time, while a Type 2 report also attests to the operating effectiveness of controls over a review period of six to twelve months.
