As organizations prioritize data security and privacy, and as regulatory requirements become more prevalent, companies need a way to report on their data security posture and provide assurance to stakeholders. SOC 2 is a widely recognized attestation framework for providing that assurance. However, scoping a SOC 2 examination can be intimidating without a baseline understanding of how to approach it.
A SOC 2 report can cover up to five categories of the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
During the planning phase of a SOC 2 examination, it is critical to scope in the appropriate category or categories so the report delivers maximum value. To choose them, focus on the commitments you make to the broad base of your customers (known as the Principal Service Commitments) and on the type of service(s) your organization provides.
Let’s review the five Trust Services Criteria categories and how they may apply to your organization while planning a SOC 2 examination:
The Security category, also known as the Common Criteria, is the foundational category of SOC 2. Whether your organization provides services or hosts an application in the cloud, every issued SOC 2 report includes the Security category, because the common criteria also underpin the other four categories.
In this category, the auditor tests controls related to the governance of your security program; your risk assessment and mitigation process; your monitoring activities; logical and physical access controls over in-scope systems and data; vulnerability identification and management; security event and incident management; change management; and vendor management.
The Availability category focuses on performance and capacity management, monitoring your systems or platform, business continuity, disaster recovery plans and infrastructure, and testing your resiliency and recovery protocols.
Typically, the Availability category is scoped into the SOC 2 report if you make commitments to your users regarding system or platform uptime, service level agreements (SLAs), or similar resiliency targets.
If your users are concerned about service availability, we recommend including the Availability category in the scope of your SOC 2 report.
The Processing Integrity category includes controls that help ensure your customers’ data or transactions are processed completely, accurately, and in a timely manner, in accordance with any such commitments you have made.
Processing Integrity evaluates whether inputs, processing activities, and outputs meet your processing objectives. Payroll providers, payment and transaction processors, and claims processors are examples of companies that may include the Processing Integrity category.
The Confidentiality category requires your organization to demonstrate how it identifies, handles, and classifies confidential information throughout its lifecycle. This includes the collection, storage, and disposal of confidential information.
The Confidentiality category should be in scope for your SOC 2 report if you make commitments around the handling of confidential data, such as disposing of or deleting customer data within a given timeframe after a customer leaves the service or a contract terminates, or in line with predefined retention policies.
The Privacy category includes controls around how your organization collects, handles, and updates personally identifiable information (PII), how it communicates with data subjects, and how it provides them rights over that information. If your organization makes commitments around collecting or processing PII, then the Privacy category may be a consideration.
The Privacy category contains a set of generally accepted privacy principles that your organization should consider and implement controls around. If your organization processes personal data on behalf of others but does not deal directly with data subjects, then some of the Privacy criteria may not be applicable. However, adding the category to convey details about your privacy program to your users can still be beneficial.
Choosing the SOC 2 categories that best fit your organization’s products, services, and customer commitments is crucial. It helps organizations mature their processes while assuring customers that their trust is well placed. The categories you select define the scope of the SOC 2 examination, and each should map to the relevant controls your company has placed in operation.
Organizations should work with their SOC 2 auditor to define the appropriate categories and ensure a comprehensive examination that maximizes the effectiveness of their SOC 2 program.
Contact us today to get started.
Written by: Ryan Whitehead