The SOC 2 criteria comprise five categories (formerly called the SOC 2 principles): security, availability, processing integrity, confidentiality, and privacy. The common criteria also encompass security.
Each category has a specific set of criteria to meet with corresponding points of focus:
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability. Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
Depending on which category or categories are in scope for the examination (typically determined in consultation with your clients and your auditor, based on factors such as service-level or regulatory requirements), a company must include in its report:
- the criteria common to all five trust services categories (the common criteria), and
- one or more of the additional criteria specific to the availability, processing integrity, confidentiality, and/or privacy categories.
Some criteria may not be applicable to the system under review; however, as of the latest updates, any such exclusion must be justified appropriately with your auditor and within the report.