Get Help Now



SOC 2 Trust Services: Selecting the Right Ones at the Right Time 

Posted  May 22, 2023  | by Joseph McKelvie, Security Strategist, GreyCastle Security

System and Organization Controls (SOC) 2 is a comprehensive security framework provided by the American Institute of Certified Public Accountants (AICPA) in which independent, third-party auditors (i.e., CPA’s) assess, validate and report on the controls supporting what the AICPA refer to as the Trust Services Criteria (TSC). 

For companies that handle sensitive data, these SOC 2 reports provided by third-party auditors can help establish trust with customers and partners by demonstrating a commitment to security and data protection. Of course, selecting the right TSC categories to include in the report is critical, as not all categories may be relevant to the organization’s services or relationships. The five TSC categories to select from are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Note that the Security TSC is considered Common Criteria and is the minimum requirement for a SOC 2 report. SOC 2 TSC demonstrates the following: 

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.  
  • Availability: Information and systems are available for operation and use to meet the entity’s objectives.  
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.  
  • Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.  
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives. 

3 Aspects to Consider When Selecting the Right Trust Service Criteria

1. Consider the TSC and the resulting report from your customers’ perspective 

    • What questions are they asking? Are the questionnaires you receive focused on uptime and business continuity? Then perhaps Availability should be included. 
    • What types of data are they entrusting you with? Does your service collect personally identifiable information (PII) or manage individuals’ personal health information (ePHI)? Then you may want to consider the Privacy TSC. 
    • Does your typical customer’s industry have specific regulatory requirements? HIPAA, GDPR, CCRA, FARS, DFARS, GLBA, FERPA – the list could go on forever. Each regulation has its own focus and set of requirements. This is probably the most challenging to align with a specific TSC.  That said, Security is called the Common Criteria for a reason. Basic cybersecurity hygiene is important to all the regulatory bodies in today’s world. 

2. Consider what the TSC demonstrates from your organization’s perspective 

    • What are you trying to communicate to your customers and partners? How will the TSC you select to support your business objectives? If you are a SaaS attempting to expand your market and you need to show that your service will be up and running and capable of processing data accurately for your customers, then adding the Availability and Processing Integrity TSC can assist with that. 
    • Do you have regulatory or contractual obligations? Have you identified the regulatory or contractual requirements that apply to your business? Privacy, Confidentiality and Processing Integrity TSC could help your FinTech and Healthcare-related business meet these requirements. 
    • What risks and potential threats will implementing the selected TSC help to mitigate? Do the results of your most recent risk assessment provide insight into what TSC to implement? As an e-commerce company, you may need to implement the Security and Availability TSC to help protect against cyber threats and ensure the uptime of their website. 

3. Consider the maturity of your current information security program

    • Do you already have a formal information security program? Does your information security steering committee meet regularly to oversee and guide your program? If the answer is no, then you may want to consider starting with Security for your first TSC and initial report and growing from there. Establishing your program with a solid foundation and expanding it later as your team becomes more familiar with the SOC 2 framework can help ensure a successful SOC 2 compliance journey.  

A thoughtful and measured approach that results in selecting the right TSC categories is a critical step in creating a secure and resilient cybersecurity program with reasonable and effective security controls. This approach also results in a SOC 2 report that accurately reflects an organization’s commitment to security and data protection. By carefully considering factors such as customer needs, the type of data being handled, regulatory compliance requirements, contractual obligations, and business objectives, organizations can choose the TSC categories that are most relevant to their operations and relationships with their customers and partners.  


Let’s Discuss Your Cybersecurity Needs

Contact Us
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from - Youtube
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound
Contact Us