How to choose the right SOC 2 principles?
A common question is who is responsible for determining and selecting the principles to be included in a SOC 2 examination. The answer to this question is not always what a service organization wants to hear. As with a SOC 1, management is always tasked with choosing the Trust Services Principles (TSPs). This often comes down to which principles fit your business, services, and clients. Unfortunately, there is no definitive list of rules that must be followed when selecting these principles. Below is a description of these TSPs:
- Information Security: The system is protected against unauthorized access, use, or modification to meet the entity’s system requirements.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
Scope
Before deciding on the principles, you must first determine the scope of the examination. This is done by identifying the various components that fall within the scope, including third parties offering the same services. This is an important step, as organizations often have a narrower view of their services and what should be included in a SOC 2 system. Moreover, organizations must carefully consider their infrastructure, software, personnel, procedures, and data when defining the boundaries of a SOC 2 examination. Each of these individual components is further described in SOC 2 literature.
Information Security
After establishing the scope, the next step is to determine which principles apply to the service organization’s system. Take, for example, the Security principle. This must be included in all SOC 2 examinations because it contains criteria related to all other principles. These common criteria include ensuring the security of a system, such as detecting and preventing unauthorized modification, destruction, or disclosure of information.
If a client wants reasonable assurance about the security of their data, they are likely most interested in the Security principle. This principle is so broad that it may suffice for the client to examine only this principle to gain a sense of security over their data.
Availability
The second most commonly chosen principle for a SOC 2 examination is Availability. Since most service organizations provide an outsourced service to their clients, the availability of this service is often contractually defined through Service Level Agreements (SLAs). Therefore, the Availability principle is a compelling one to include in a SOC 2 examination.
Processing Integrity
If the service organization processes transactions for its clients, Processing Integrity is a third principle worth considering. This principle contributes to the assurance that data is processed completely, validly, accurately, and in an authorized manner. In addition to the Security principle, the Availability principle, and Processing Integrity, two other principles can be included in a SOC 2 examination.
Confidentiality and Privacy
The final two principles are Confidentiality and Privacy. These are often discussed in the same context, although the principles are distinct. Moreover, many organizations consider these two principles to be of great importance for the SOC 2 examination. The principles are similar in that they both relate to the information ‘in’ the system. The difference is that the Privacy principle only applies to personal information. However, the term ‘confidential information’ can have different meanings for different companies. If the service organization handles confidential information and specific agreements have been made about securing this data, then the Confidentiality principle is relevant.
Within the context of a SOC 2 examination, Privacy relates to the protection of personal information. If a service organization has responsibility for managing the ‘lifecycle’ of personal information (also known as PII, Personally Identifiable Information), then this principle is interesting to include in the examination. The lifecycle refers to the collection, use, disclosure, storage, and destruction of personal information.
Overall, choosing the right principles is an important process. It begins with being well-informed about which principles are best applied in a given situation. This requires a good understanding of the organization. Subsequently, the knowledge and experience of a seasoned SOC 2 firm are invaluable. A reputable company will guide an organization in selecting the appropriate principles for the SOC 2 examination.