For most companies preparing for SOC 2 examinations, deciding which Trust Services Categories (TSCs) should be in scope is a difficult and sometimes confusing decision. Two of the categories that present a little confusion are the security and confidentiality categories since these terms are used interchangeably in the information security industry. However, in a SOC 2 examination, the differences between these two categories are clear and should be understood before making a decision on which should be included in your SOC 2 report. In this post, we will describe the differences between Security and Confidentiality, and also explain a few key reasons why it is important to understand those differences.
What is the difference between Security and Confidentiality in a SOC 2 examination?
In a SOC 2 examination, the Trust Services Categories (TSC) assessed should be based on your organization’s commitments and system requirements. Most, if not all, SOC 2 examinations include the Security TSC, so think of Security as the default category for a SOC 2 examination. This category addresses common information security concepts such as risk assessment, logical access, monitoring, HR procedures, data encryption, and more. While some of these concepts address general confidentiality principles, the SOC 2 Confidentiality TSC specifically addresses how your organization maintains and disposes of confidential data.
Going back to your commitments, a major aspect of the Confidentiality TSC is focused on the commitments you make to your customers regarding the deletion or removal of their data when they leave your service. If you commit to your Master Services Agreement (MSA) to deleting all customer data within 30 days after they leave the service or only upon request, the Confidentiality TSC is probably right for your organization. Another main component is around the maintenance of your sensitive data which is often addressed through controls covered in the common criteria or Security TSC. There are additional concepts covered in the Confidentiality Trust Service Criteria but the most important one to think about when deciding whether to include Confidentiality in scope is based on the data maintenance and disposal commitments made to your customers.
Why is it Important to Understand the Difference?
If you’re pursuing a SOC 2 examination, your customers will expect to see the Security TSC. Adding additional TSCs shows an additional level of maturity and could differentiate your company from its competitors. It is important to understand what the Confidentiality TSC is communicating to your customers prior to including it in scope. If you do not make any commitments regarding the disposal of customer data when they leave your service or request deletion, then the Confidentiality TSC may not be suitable for your company.
Adding an additional TSC requires additional effort from both your team and your third-party auditing team. This additional level of effort results in increased auditor fees due to additional reporting requirements and unnecessary overhead at status quo compliance firms. This additional TSC also results in a few additional evidence requests, more on that in this overview of the Confidentiality Trust Service Criteria. While the additional evidence and level of effort are proportionately less than the Security TSC, you want to be sure of the applicability of each additional TSC (Availability, Confidentiality, Processing Integrity, or Privacy) prior to including them in your SOC 2 examination.
At Bytechek, it is important to us that your SOC 2 examination provides value to the readers of your report and does not include criteria that are not relevant or include a plethora of not applicable statements.