SOC 2 Trust Services Criteria: What the 5 Principles Mean

In recent years, the AICPA has made updates to what’s involved in a SOC 2 examination. The criteria were previously called Trust Services Principles, or Trust Services Principles and Criteria; the AICPA has dropped “Principles” and now calls them Trust Services Criteria (TSC).

The updated trust services criteria are required for any report issued on or after December 15, 2018. For 2020, any reports should reference and map to the 2017 trust services criteria.

In this article, we outline the trust services criteria and provide a clear explanation for exactly what each one means.

Key Takeaways

  • Terminology Update: The AICPA now refers to these as Trust Services Criteria (TSC) rather than Trust Services Principles.
  • The Five Pillars: SOC 2 is built on Security, Availability, Confidentiality, Privacy, and Processing Integrity.
  • Compliance Standard: Current reports must map to the 2017 Trust Services Criteria.
  • Privacy vs. Confidentiality: Privacy focuses on personal data (PII), while Confidentiality focuses on sensitive business data.

Trust services framework

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five TSCs. They are as follows:

  • Security
  • Availability
  • Confidentiality
  • Privacy
  • Processing Integrity

Now let’s take a look at each one.

1. Security

Official Definition:

“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.”

Explanation:

The security principle refers to the protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of any software, and improper alteration or disclosure of information.

2. Availability

Official Definition:

“Information and systems are available for operation and use to meet the entity’s objectives. Availability refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers.”

Explanation:

Availability is a commonly included TSC since providing evidence that systems are available for operation is key to many clients of service organizations. What it boils down to is the reliability of your systems.

Most MSPs will have contractual requirements or service level agreements (SLAs) in place around the services being provided. So, it’s a commonly included TSC in any SOC 2 audit.

3. Confidentiality

Official Definition:

“Information designated as confidential is protected to meet the entity’s objectives.”

Explanation:

Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organizations. In practice, this means:

  • Locking and securing paper documents
  • Using only approved business software for storing and processing confidential information
  • Shredding paper documents when no longer needed
  • Enforcing a clean desk and clean screen policy

4. Privacy

Official Definition:

“Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”

Explanation:

It’s common to struggle with the difference between privacy and confidentiality. The difference between the two is that privacy controls protect personal information (name, social security number, address, etc.), while confidentiality controls protect non-personal information and data that is still classified as “confidential.”

5. Processing integrity

Official Definition:

System processing must meet the following five attributes to ensure integrity:

  • Complete: All transactions are processed.
  • Valid: Only authorized transactions are processed.
  • Accurate: Data is free from error.
  • Timely: Processing occurs within the required timeframe.
  • Authorized: Access and actions are approved.

Explanation:

Is information processed appropriately by your systems? In other words, the processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time).

Frequently asked questions

Is the Security Trust Services Criterion mandatory for every SOC 2 audit?

Yes. The Security criterion (often called the “Common Criteria”) is required in every SOC 2 audit. The other four criteria (Availability, Processing Integrity, Confidentiality, and Privacy) are optional and should be included only if they fit the services you offer.

Who sets the Trust Services Criteria?

The Trust Services Criteria are issued and maintained by the American Institute of Certified Public Accountants (AICPA). Auditors rely on these criteria to evaluate your controls over security, availability, processing integrity, confidentiality, and privacy.

Which version of the Trust Services Criteria do today’s SOC 2 reports use?

SOC 2 reports issued now must align with the 2017 Trust Services Criteria (TSC). The AICPA refreshed the TSC’s points of focus in 2022, but the 2017 criteria remain the active standard.

Organizations like MSPs that provide tech services and systems to third parties will have heard about SOC 2.

The overall framework and end goal are simple: it’s designed to ensure that you process information securely.

If you’re required to pass a SOC 2 audit to partner with or provide services to other companies, you’re going to want to understand the SOC 2 TSCs in more detail. We hope this provides a solid jumping-off point.

Author
Gavin Garbutt
Co-Founder & Chairman of Augmentt
