Understanding Trust Service Principles
If your company is considering undergoing a SOC (Service Organization Controls) 2 audit, you may be wondering what goes into such an audit. A SOC 2 Report ensures that your company’s controls address the five Trust Service Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy.
To understand a SOC 2 report, you must first understand the recent changes and revisions to these principles. The American Institute of Certified Public Accountants (AICPA) recently restructured the criteria for Security, Availability, Processing Integrity and Confidentiality into “Common Criteria” to eliminate redundancy and to update the criteria based on the latest technologies and the ever-changing business environment.
The advantage of having a set of criteria for the Trust Service Principles is that the criteria your business must meet are predefined. Having predetermined principles makes it easier for you to know what compliance needs are required before I.S. Partners is even involved with your company. Knowing what we are looking for beforehand facilitates the audit and eases your anxiety. Your ability to understand these principles allows for educated communication with the clients who requested the report.
What are the Trust Service Principles?
- Security: The system is protected against unauthorized access, use, or modification
- Availability: The system is available for operation and use as committed or agreed
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected as committed or agreed
- Privacy: The system’s collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA
As mentioned above, changes were made to these Trust Service Principles. The prior control categories for each principle were Policies, Communication, Procedures and Monitoring. The new control categories within common criteria include Organization & Management, Communication, Risk Management & Design & Implementation of Controls, Logical & Physical Access, Monitoring of Controls, Systems Operations and Change Management. These changes were made by the AICPA in order to remove redundancy and create specificity to the principles. The new categories within common criteria allow I.S. Partners to create a better report for you.
It is important to us that you understand the new criteria. Here is an explanation of each of the new categories given by the AICPA.
- Organization and management: The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.
- Communications: The criteria relevant to how the organization communicates its policies, processes, procedures, commitments, and requirements to authorized users and other parties of the system and the obligations of those parties and users to the effective operation of the system.
- Risk management and design and implementation of controls: The criteria relevant to how the entity (i) identifies potential risks that would affect the entity’s ability to achieve its objectives, (ii) analyzes those risks, (iii) develops responses to those risks including the design and implementation of controls and other risk mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process.
- Monitoring of controls: The criteria relevant to how the entity monitors the system, including the suitability, and design and operating effectiveness of the controls, and takes action to address deficiencies identified.
- Logical and physical access controls: The criteria relevant to how the organization restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.
- System operations: The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.
- Change management: The criteria relevant to how the organization identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made to meet the criteria for the principle(s) addressed in the engagement.
You may be wondering, how does this affect me? Your business is not required to address all the principles. Our review can be limited to include only those principles that are deemed relevant to the services you perform. If your company falls under the category of SaaS providers, Data Centers, Document Production and/or Data Analytics providers, feel free to give us a call at 866-642-2230 or fill out our contact form, and we will let you know how we can help provide an Audit Without Anxiety.