SOC 2® can apply to most service organizations, including companies who provide analytics, business intelligence, managed IT security service providers, and software-as-a-service companies who provide websites, applications, and programs.
A service organization’s management is responsible for selecting the Trust Services Categories to be included within the scope of the SOC 2® examination based on its understanding of the needs of its customers.
There are five Trust Services Criteria options:
- Security: Systems and data stored by a company are protected against unauthorized access and unauthorized disclosure of information.
- Availability: Information and systems are available for operation.
- Confidentiality: Information designated as confidential information is protected.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized. Data remains correct throughout the course of data processing.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in accordance with pre-stated policies.
While all organizations must meet the requirements of the criteria common to all five of the trust services categories, most service organizations will include the security category within the scope of their SOC 2®. The security category addresses whether the system is protected (both physically and logically) against unauthorized access.
To determine if other categories should be included, a service organization should consider the commitments it makes to its customers.
Some examples for when an organization may consider additional Trust Services Categories:
• A service organization that provides IT infrastructure or data center services to its customers may have certain commitments or SLAs to its customers about system availability; therefore, a SOC 2® examination that addresses the availability category is likely to meet its customer needs.
• A service organization that processes sensitive data like proprietary information, financial reports, passwords, lists of prospective customers, customer databases, or business strategies for its customers may make commitments about maintaining the confidentiality of the information processed, handled, or stored; therefore, a SOC 2® examination that addresses the confidentiality category is likely to meet its customer needs.
• A service organization that provides financial or data-related services such as analytics or wants to provide assurance to its clients that there are no errors in their process of data input, processing procedures, and data output may make commitments about maintaining processing integrity; therefore, a SOC 2® examination that addresses the processing integrity category is likely to meet its customer needs.
• A service organization that handles personnel records, payment card information, or personal health information for its customers may make commitments about maintaining the privacy of the information processed, handled, or stored; therefore, a SOC 2® examination that addresses the privacy category is likely to meet its customer needs.
Although four of the categories are optional, organizations should determine which categories are most relevant based their service commitments and customer needs.