So your customers have been asking for your SOC 2 report and you're not sure how to get one? Well, we gotchu! No, really: this post walks you through the process of obtaining a SOC 2 report (strictly speaking an independent auditor's attestation report, not a certification), so that you can show prospective customers that the data they share with you is protected by controls an auditor has examined.
Now, to understand the SOC 2 compliance framework, you need to understand the five categories of the Trust Services Criteria (TSC). You need to pick and choose which criteria actually apply to your product or company and if necessary customize your policies and controls accordingly.
Here’s how you can start — by asking questions that come to mind when you look at the TSC from your customers’ point of view.
- What kind of data are they entrusting to you? Is it personally identifiable, confidential or private?
- Are they concerned about availability and uptime?
- Are privacy and confidentiality a focus?
- Or do they seem to be more concerned about data security?
The Security category at a minimum must be included in your SOC 2 report because it serves as a basis for the other four categories. The remaining four categories — availability, confidentiality, privacy and processing integrity — define additional responsibilities.
Typically, businesses will focus on security for their first SOC 2 audit and then add more TSC categories in later rounds, especially availability and confidentiality.
An Overview of the Five Trust Services Criteria
The Trust Services Criteria (TSC) are divided into five categories:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Each category is broken down into multiple criteria that have to be met by the controls your organization puts into practice.
Explaining the Categories in Detail …
Security
Security refers to protecting information, and the systems that collect, create, use, process, transmit and store it, against unauthorized access, unauthorized disclosure and damage that could compromise the availability, integrity, confidentiality or privacy of that information.
Security controls are designed to prevent and detect events such as unauthorized access, system failure, erroneous processing, and theft or other unauthorized removal of data.
Is it necessary for me to incorporate Security in my report?
Yes! Every SOC 2 report must include the Security category. Its criteria are also called the Common Criteria (CC1 through CC9) because they apply to all five categories; the other four categories only add criteria on top of them.
Availability
Availability means that your systems are available for operation and use as committed or agreed with your customers. Availability controls typically cover system uptime, capacity and performance monitoring, maintenance, backups and recovery from outages.
Is it necessary to include Availability in my report?
You may wish to include Availability if your customers frequently ask for the following:
- A status page
- Service Level Agreements (SLAs)
- Uptime assurance
Confidentiality
Confidentiality refers to your company's ability to protect information that has been designated as confidential from the time it is collected until it is destroyed.
Information is "confidential" if you are obligated to limit its access, use and retention, or if you may only share it with specific parties. This is distinct from "personal information," which refers specifically to data that identifies an individual and is covered by the Privacy category.
Is it necessary for me to incorporate Confidentiality in my report?
It’s a good idea to add it if your clients:
- Frequently ask you to sign non-disclosure agreements (NDAs)
- Request that data be deleted after contracts expire
Processing integrity
Processing integrity refers to whether your systems process data completely, validly, accurately, in a timely manner and only when authorized. In practice this means few to no errors, delays or omissions, and no unauthorized or unintentional modification of data during processing.
Is it necessary for me to include Processing Integrity in my report?
This is not a common customer requirement. It’s a good idea to add it if parts of your clients’ businesses rely on your data processing (e.g. you offer a payment processing service or a data pipeline tool to them).
Privacy
Privacy covers personal information, such as a person's full name or social security number, that is subject to privacy laws and to the commitments in your own privacy notice.
The Privacy category looks at your company's policies and procedures with respect to the following:
- Whether you provide privacy notices to users, customers and anyone else whose data you gather, and communicate the purposes for which you collect it
- Whether you give individuals choices about, and obtain their consent for, the collection, use, retention, disclosure and disposal of their personal information
- Whether you have established and follow rules for the use, storage and disposal of personal data
- Whether your company gives users, customers or anyone else whose data you gather access to their personal information so they can review, amend and update it
- Whether your company discloses personal information only with the consent of the user, customer or individual whose data you are collecting, and notifies affected parties in case of a breach
- Whether you collect and retain accurate, up-to-date, complete and relevant personal data
- Whether you ensure that privacy rules are followed, including procedures for handling privacy-related questions, complaints and disputes
Is it necessary for me to incorporate Privacy in my report?
It’s a good idea to add Privacy compliance if your product stores sensitive, private client information that can identify individuals, such as social security numbers, health information, or contact details.
Note: GDPR compliance does not replace the Privacy category in a SOC 2 report, since the auditor still has to test your controls against the TSC. However, the controls you build for GDPR (notices, consent, data subject access, retention and breach notification) overlap heavily with the Privacy criteria and can usually be mapped to them directly.
How to Select the Criteria Best for You?
Ultimately, it’s up to you to decide which categories to include. Let’s look at a few examples to see how others have made their choices:
HR: A small company builds a recruiting tool that has access to candidates' email accounts and resumes, and therefore decides to include Confidentiality. Having Confidentiality in its SOC 2 report demonstrates that the company is serious about preventing unauthorized access to its clients' confidential information.
DevOps: A company that provides a CI/CD service for building and deploying its clients' code includes Availability in its audit. If the service is down, customers cannot build or deploy changes to their own services.
Financial Services: The company behind a finance app that transfers money on behalf of its customers adds Processing Integrity. Customers can rely on the company's transaction processing being complete, accurate, timely and authorized, and on any processing errors being promptly detected and corrected.
We hope this helps you understand SOC 2’s TSC categories, but if you’re still confused, don’t worry — Akitra will be ever-present by your side, to assist you in defining the scope of your report by choosing the appropriate TSC categories.
We’ve worked with our fair share of businesses and understand how these obligations change depending on the company’s goals and the nature of the business. We can save your team time and ensure that your SOC 2 report aids in the development of crucial, trusted relationships with your clients.
Choose Akitra for your compliance needs today!
Check back in with us soon and follow the rest of this educational series about SOC 2, from Akitra, a leader in compliance automation platforms.
To book your FREE DEMO, contact us right here.