SOC 2 and SOC 3 reports attest to the effectiveness of a service organization’s internal controls relevant to five “Trust Services Categories” (formerly “Trust Services Principles”) established by the American Institute of Certified Public Accountants (AICPA). The AICPA describes these points of focus as:
- The security, availability, and processing integrity of the systems the service organization uses to process users’ data, and
- The confidentiality and privacy of the information processed by these systems.
The AICPA defines the trust services principles and criteria this way:
- Security: The effectiveness of policies and procedures governing the way organizations protect themselves against unauthorized access and respond to security breaches resulting in unauthorized disclosure of information will be periodically evaluated.
- Availability: Information and systems must be available for operation and use to meet the entity’s objectives.
- Confidentiality: Information designated as confidential must be sufficiently protected from unauthorized access to meet organizational effectiveness.
- Processing Integrity: System processing should be complete, valid, accurate, timely, and authorized to meet organizational objectives.
- Privacy: Personally identifiable information must be collected, used, disclosed, and disposed of in a secure manner.
In the digital age, protecting the personal, confidential information of customers and clients from unauthorized access is a top priority, especially for service organizations processing, storing, or transmitting data that belongs to external clients.
The AICPA designed System and Organization Controls for Service Organizations 2 (SOC 2) and 3 (SOC 3) with today’s business needs in mind.
These generally accepted privacy principles are designed to help auditors analyze service organizations’ cybersecurity risk assessment and risk management policies, procedures, and practices, and identify risks in service organizations. (“Service organizations” include data centers, cloud computing service hosts, and service providers in the legal, medical, and accounting/auditing fields).
Applying these common criteria can help managers determine how best to improve their systems operations, information security and overall operating effectiveness. Reading our ultimate SOC 2 guide will help you better understand how to run a SOC 2 audit.