What are the Trust Services Criteria (TSC)?
The SOC 2 framework is built on five Trust Services Criteria (formerly called the Trust Services Principles), defined by the American Institute of Certified Public Accountants (AICPA).
These Trust Services Criteria are the basic elements of your cybersecurity posture. They cover organizational controls, risk assessment, risk mitigation, risk management, and change management.
The five Trust Services Criteria are:
- Security: Protecting information from vulnerabilities and unauthorized access
- Availability: Ensuring employees and clients can rely on your systems to do their work
- Processing integrity: Verifying that company systems operate as intended
- Confidentiality: Protecting confidential information by limiting its access, storage, and use
- Privacy: Safeguarding sensitive personal information against unauthorized users
Security is the only TSC required for every SOC 2 audit. Additional criteria are optional based on the services you provide to your customers.
Many organizations don't have the resources to bring their information security systems and internal controls into compliance with every TSC.
It's best to pursue the TSC that you're closest to achieving, or those that will have the most significant impact on your organization. You can always add the others later.
Learn more below about the Trust Services Criteria, how to disable them if needed, and the justification required for doing so.
How to Enable or Disable Trust Services Criteria
- To find the TSCs enabled within your instance, go to the Frameworks page and select View Details under SOC2.
- On the left you will see each framework requirement listed under the appropriate TSC.
- You can determine what is currently enabled or disabled by checking the status of the requirements on the right side.
- If a TSC is enabled, its requirements will have a status of Healthy or Unhealthy.
- If a TSC is disabled, its requirements will show N/A.
To learn more about Frameworks and Controls, see our full article here.
Frequently Asked Questions (FAQ)
Do we need to do all 5 for SOC 2?
- Security is the only TSC required for every SOC 2 audit. Additional criteria are optional based on the services you provide to your customers.
How do I know if I need more than just Security?
- While Security is the only required Trust Services Criterion in a SOC 2 audit, many organizations opt for additional criteria to meet specific customer demands, industry requirements, or operational needs.
- Common reasons include customer expectations, business model, compliance requirements, competitive advantage, and/or greater protection and reliability across their services.