SOC 2 is more than just meeting a bunch of criteria with controls. Yes, that is an important part. But why? How does it get to that point? It is important to know the flow of information when it comes to SOC 2 because it will help you make better decisions for your SOC 2, understand how the report works, and know in greater depth the ins and outs of your report. In this infographic blog post, we will walk through that flow and explain the details.
Your SOC 2 starts with understanding the promises or commitments your company makes to your customers. These commitments can be found in customer contracts, service-level agreements, master service agreements, terms and conditions, or other similar documents. From these commitments, you can determine which of the trust service categories should be in scope for your SOC 2. The trust service categories are ultimately what drives the criteria, but more on that in a bit.
The 5 trust service categories that relate to SOC 2 are:
Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the information or systems and affect a company’s ability to meet its objectives (think commitments).
Availability – Information and systems are available for the operation to meet the company’s objectives.
Confidentiality – Information designated as confidential is protected to meet the company’s objectives.
Processing Integrity – System processing is complete, valid, accurate, timely, and authorized to meet the company’s objectives.
Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
It is very likely that you have security included somewhere in your agreement documents, with language discussing the protection of data, unauthorized access, etc. That means security is an included category in almost every SOC 2. It is also likely that you have language in your agreements about the confidentiality of customer data. Confidentiality in that regard is closely tied to security, but when it comes to the trust services criteria, there are some slight differences. Read more about that in our article discussing the differences between security and confidentiality. For the availability category, consider whether you are committing to uptime percentages, available hours, etc. In our experience, the Security, Availability, and Confidentiality categories are the most common for SOC 2.
With the processing integrity category, consider whether you are processing data on behalf of your customers. Are you committing to the accuracy, timeliness, and completeness of those outputs? I always like to use the example of a payroll processor. They take the raw payroll data of their customers, and they are required to (and commit to) produce timely and accurate payroll reports so that their customers can make payroll.
With privacy, consider whether you handle and interact with the personal information of data subjects. Many people think confidentiality and privacy are the same, but that is not the case for SOC 2. If you do think privacy is in scope, are you providing notice, choice, and consent to the data subjects? The ability to opt in or out? Do you give them the ability to modify their personal data? It is important that this applies to the service in scope for your SOC 2, not just your public website.
Once you know your categories, the criteria are easy because they are already set by the AICPA. For each category, there are prescribed criteria that your organization has to meet. In the end, you have controls in place that satisfy those criteria, which in turn satisfy the in-scope categories, which ultimately determines whether your system is meeting its commitments and system requirements. For more details on each of the criteria, see our post here.
So, if you think about it, it really all comes down to the commitments you make to your customers and what your system requirements are to meet those commitments. Determining those correctly flows down to everything in your SOC 2. It also determines the type of opinion your report will receive, based on whether or not you meet those commitments and system requirements.
At ByteChek, we understand SOC 2 inside and out. We know how to look for the commitments that will drive your report and the controls needed to satisfy them. Let us help you better understand SOC 2 and show you how compliance can suck less.