A SOC 2 report has 5 Trust Services Criteria, which were previously (and are still commonly) called Trust Services Principles. These Trust Services Criteria are the basic elements of security: organizational controls, access controls, basic risk assessment, and the ability to demonstrate change management. Here are the 5 categories you can demonstrate compliance with during a SOC 2 audit:
Most companies will choose to do just the first section, Security, during their first audit.
Security
This criterion is fairly straightforward but critical, and is also known as the "common criteria". Security is the baseline criterion that applies to all SOC 2 reports and the "must-have" that underpins the other Trust Services Criteria. It shows that your data and systems are protected against unauthorized access, use or modification, both physically and logically. For your data, it applies to all phases: collection or creation, ongoing usage and processing, transmission, and storage. For systems, it covers any system that handles electronic data.
Availability
You must demonstrate that your application is available for use and meets the entity's objectives. Your system must maintain, monitor and evaluate current capacity. You should be maintaining backups of data to ensure availability, with annual testing to confirm that the backed-up data is complete and restorable. You also need a documented disaster recovery plan. This is why many companies host their service in a data center or cloud environment: those providers offer protection from flood damage, hurricanes, and other risks, and the data center contract often includes SLAs (Service Level Agreements) that commit to availability targets.
Processing Integrity
Processing integrity is focused on data accuracy and the completeness of your end-to-end process, ensuring that applications can't go awry and accidentally manipulate data or create false information. For example, an emergency room system that deals with patient blood types has to make sure that the information entered stays accurate as it moves across systems and is displayed on various devices. It's easy to understand how important it is to make sure your software is processing and storing this data properly. From a process perspective, you're ensuring that your software development lifecycle, the way you build code, and the way you manage changes are done in a way that ensures not only data integrity but data security as well. Although it is an optional criterion, it should be considered if your organization is performing transactions or completing processing on behalf of clients.
Confidentiality
Then there's confidentiality, which is focused on making sure all types of sensitive data are stored correctly. It covers encryption and making sure that consumer personal data is stored and managed in such a way as to prevent it from being exposed. This applies to Personally Identifiable Information (PII) as well as Protected Health Information (PHI). This is achieved by using data encryption, both encryption at rest and encryption in transit. The confidentiality principle also includes considerations for data disposal: depending on your industry and the types of data collected, you will have to document your process for erasing data as well. This principle should also cover how to handle a breach and when a customer is notified of a breach of their information.
Privacy
Privacy is focused on making sure you're collecting and using information the way you've agreed to use it. You have privacy agreements in place with your customers and have to make sure that you are able to track and manage the data you have collected, who can access it, what disclosure requirements and consent forms you are providing, and so on. There's also an element of encryption that comes into privacy as well. Many of the elements of the Privacy principle are covered in the Security principle, but Privacy is especially important if you directly hold customer personal information.
Where Do You Start
If you can’t address all five of the Trust Services Principles in your SOC 2 audit report immediately, you should be intelligent about how you prioritize them. Most people start by focusing on security, but after that, consider the nuances of your business that may make one or more of the other principles most important.