What is the SOC 2 trust services criteria?

August 5, 2019


SOC 2 compliance is demonstrated by an attestation in a SOC 2 report (it is not a certification), which must be issued by a Certified Public Accountant (CPA) who is a member of the American Institute of Certified Public Accountants (AICPA).

The format of the SOC 2 Report is determined by the AICPA and is structured as follows:

  • Opinion letter
  • Management's assertion
  • Description of the system
  • Description of tests of controls and results of testing

What is COSO and how does it relate to SOC 2?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an initiative of five private North American organisations, including the AICPA. It outlines the 17 Principles of Internal Control that form the basis for the Trust Services Criteria audited against as part of the SOC 2 attestation assessment.

Trust Services Categories

When determining the scope of the SOC 2 attestation, there are 5 trust services categories to choose from:

  • Security
  • Confidentiality
  • Processing Integrity
  • Availability
  • Privacy

Trust Services Criteria and Expected Evidence

An organisation can select which of the categories it wants to include in scope. That selection determines the criteria used in the attestation assessment, which are outlined on pages 10-168 of the Trust Services Criteria document published by the AICPA. If all 5 categories are selected as in scope, the number of criteria to be assessed is around 185. Examples of the criteria include:

Security

[Image: example Security criteria]

Confidentiality

[Image: example Confidentiality criteria]

Processing Integrity

[Image: example Processing Integrity criteria]

Availability

[Image: example Availability criteria]

Privacy

[Image: example Privacy criteria]
