What is the SOC 2 trust services criteria?
August 5, 2019
SOC 2 is achieved by the issuing of an attestation in a SOC 2 report (not a certification), which must be completed by a Certified Public Accountant (CPA) who is a member of the American Institute of Certified Public Accountants (AICPA).
The format of the SOC 2 Report is determined by the AICPA and is structured as follows:
- Opinion letter
- Management's assertion
- Description of the system
- Description of tests of controls and results of testing
What is COSO and how does it relate to SOC 2?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an initiative from five private North American organisations, including the AICPA, which outlines the 17 Principles of Internal Audit Control that are the basis for the Trust Services Criteria audited against as part of the SOC 2 attestation assessment.
Trust Services Categories
When determining the scope of the SOC 2 attestation there are 5 trust services categories, which are:
- Security
- Confidentiality
- Processing Integrity
- Availability
- Privacy
Trust Services Criteria and Expected Evidence
An organisation can select which of the categories they want to include in scope, which then determines the criteria used in the attestation assessment; these are outlined in pages 10-168 of the Trust Services Criteria document published by the AICPA. If all 5 categories of trust services criteria are selected as in scope, the number of criteria to be assessed is around 185. Examples of the criteria include:
Security
Confidentiality
Processing Integrity
Availability
Privacy