Controls under TSCs

Controls show how your organization meets each of the Trust Services Criteria. SOC 2 doesn’t hand you a checklist; you build your own set of controls based on your systems, processes, and risk profile.

The key is to make sure they are relevant, reliable, and can be repeated consistently.

Let’s break it down by TSC:

Security (Mandatory)
Security is the foundational TSC. Every SOC 2 audit must include an assessment of security controls. It consists of nine common criteria (CC), five of which are essential and grounded in the COSO principles.
Examples of controls under Security include:
MFA on admin accounts: Stops unauthorized access at the door.
Annual penetration testing: Helps catch vulnerabilities before attackers do.
Employee security training: Makes sure your team isn’t the weakest link.

Availability (Optional)
Availability ensures that your system is operational and accessible when users need it. This is crucial for maintaining trust, as downtime can significantly impact customer experience and satisfaction.
Examples of controls under Availability include:
Uptime monitoring: Alerts you when systems go down.
Disaster recovery plan: Documents how you bounce back from outages.
Capacity planning: Helps avoid downtime caused by system overload.

Processing Integrity (Optional)
Processing Integrity focuses on ensuring that your system processes data accurately, completely, and in a timely manner. This is vital for businesses that rely on data processing or real-time transactions, as errors or delays can disrupt operations and damage trust.
Examples of controls under Processing Integrity include:
Automated validation checks: Ensure data is accurate and complete.
Logging of key transactions: Helps trace data flow end-to-end.
Change management policy: Keeps updates from breaking production.

Confidentiality (Optional)
Confidentiality is crucial for maintaining privacy and trust, especially for businesses handling proprietary or sensitive information.
Examples of controls under Confidentiality include:
Data encryption at rest and in transit: Protects data wherever it lives.
Access reviews: Regularly confirm that only the right people have access.
Data retention and disposal policies: Define how long you store sensitive data and when to delete it.

Privacy (Optional)
Privacy focuses on the handling of personal data, including how it’s collected, stored, and deleted. With increasing data protection regulations like GDPR, businesses must manage personal data responsibly and transparently. 
Examples of controls under Privacy include:
Consent collection mechanisms: Ensure users know what data you collect and why.
Privacy policy enforcement: Aligns your practices with your stated policy.
Data subject rights workflow: Lets users request access, changes, or deletion of their data.

The Sprinto advantage

The SOC 2 certification process can feel overwhelming. Sprinto simplifies this journey by automating up to 80% of the work, making it up to 5X faster and saving up to 60% of costs. Beyond just passing the audit, it maintains continuous compliance through real-time monitoring of security controls with 200+ integrations.  

With Sprinto doing the heavy lifting, you can focus on growing your business with the confidence that your security and compliance are always one step ahead.