Trust Services Criteria for SOC 2 Type II Certification

SOC 2 Type II Certification

Trust Services Criteria

  • Security — Ensures that unauthorized access to the system, both physical and logical, is prevented. Logical access controls on infrastructure and essential systems, such as source code repositories, are examples of SOC 2 security procedures that are frequently audited. Password parameters, firewalls, network device configurations, and the physical security controls that safeguard critical infrastructure are also included.
  • Availability — Ensures that the system is available for operation and use as promised or agreed upon. To meet the availability criteria, a company must have a documented business continuity and disaster recovery strategy and supporting processes. It also requires regular backups and recovery testing.
  • Confidentiality — Ensures that information labeled as “confidential” is safeguarded as required by policy or agreement. The terms “confidentiality” and “privacy” are frequently used interchangeably, but they are distinct. Most businesses are required to secure sensitive information shared with them by the other companies they do business with, yet not all businesses work directly with data subjects or collect personal information. A SOC 2 certification that incorporates confidentiality may be significant if a corporation agrees, as part of a contract with another company, to control access to specific private information. Data privacy may be more critical to your SOC 2 if your organization engages directly with data subjects and collects personal information.
  • Processing integrity — Ensures that all system processing is complete, correct, and authorized. Processing integrity is covered less often in SOC 2 reports than availability and confidentiality. However, companies that handle transactions such as payments may be interested in it. The auditor will look for proof that processing is complete and accurate and that any processing errors are identified and addressed.
  • Privacy — Ensures that privacy compliance requirements are addressed when, in the AICPA’s words, “personal information is gathered, used, maintained, released, and disposed of to accomplish the entity’s objectives.” It is worth noting that the privacy criteria apply only to personal data, in contrast to the confidentiality criteria, which apply to other forms of sensitive data. SOC 2 Type II compliance reports do not always incorporate the AICPA’s privacy criteria. One reason is that privacy in the United States is based on a sectoral approach, with varying privacy standards for different industries. This contrasts with the GDPR in the European Union, a blanket privacy rule that all businesses must follow. If your firm works directly with data subjects and collects personal information from them, the AICPA’s privacy criteria may be applicable. Data subjects must be able to opt in to and out of the service, and to request that all of their data be supplied to them and erased when they opt out.

A Gartner Leader and Microsoft Gold Partner, ZL Tech is the leader in information governance and analytics software