There are five Trust Service Criteria (TSC), also called Trust Service Principles (TSP), within the SOC 2 framework. Every organization pursuing a SOC 2, regardless of size, industry, or customer needs, must include the Security criteria. The other four are optional and are chosen based on business and customer requirements.
The five Trust Services Criteria (or Trust Service Principles) are:
- Security – Organizations are assessed on their ability to protect against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, or confidentiality of customer data.
- Availability – Information and systems are available for operation and use to meet the demands of the entity's customers. If your organization is responsible for hosting the data that your customers need in order to use your services, you may consider including this criterion.
- Processing Integrity – Consider this criterion if you are in a transaction-based business. This principle verifies that system processing is complete, valid, accurate, timely, and authorized to meet the objectives.
- Confidentiality – Information designated as confidential is protected to meet the entity’s objectives. To achieve organizational success, sensitive information must be appropriately safeguarded from unwanted access.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. If you collect the personal information of customers to provide services, this may be a consideration.