SOC 2 Trust Service Principles – Detailed Guide

Payal Wadhwa

Payal Wadhwa

Oct 16, 2024
A Beginner’s Guide to the SOC 2 Trust Principles

One of the first decisions you would make after deciding to get SOC 2 compliant is selecting the SOC 2 Trust Service Principles for your audit.

The SOC 2 Principles, also called the SOC 2 Trust Services Criteria, form the foundation on which the entire scope, process, and audit of the framework is built. It is, therefore, vital that you have a ringside view of what these five principles are and how they can influence your SOC 2 compliance journey.

In this article, we will give you just that. We will also explore how you can pick the SOC 2 principles relevant to your business. Read on.

TL;DR

The SOC 2 Trust Services Criteria (TSC) are the five principles of Security, Availability, Confidentiality, Processing Integrity, and Privacy. They form the foundation of the SOC 2 framework and the respective controls.  

Out of the 5 SOC 2 trust principles, only 1 is mandatory: Security. The other criterias can be adhered to depending on the services provided by the organization. 


SOC 2 supplemental criteria are controls that govern logical and physical access, systems and operational controls, controls for change management, and risk mitigation controls.

What are SOC2 Trust Principles?

The five SOC 2 Trust Principles are security, availability, processing integrity, confidentiality, and privacy. These principles are crucial to handling sensitive customer data and SOC 2 evaludates controls that pertain to each of these principles.

Do not forget that not all five trust principles are required for every SOC 2 report. The security principle is the only one that’s mandatory for every organization seeking SOC 2 compliance. The other four principles—availability, processing integrity, confidentiality, and privacy—only need to be included if they apply to your specific business operations.

Also called SOC 2 Trust Services Criteria (TSC), they ensure secure processing of data. In a session on navigating SOC 2 compliance, Devika Anil, ISC 2-certified compliance expert and ISO 27001 lead auditor at Sprinto, mentioned, “SOC 2 Trust Service Criteria are high-level guidelines on how you can keep your organization and its information safe and secure.”


Each of these criteria focuses on a separate area for your infosec program to become compliant; each element describes a group of compliance objectives your business must adhere to with your specific controls. The five SOC 2 principles are elaborated in detail below.

Five SOC 2 Trust Principles

There are five SOC 2 Trust Principles, or Trust Services Criteria (TSC), that a business is going to be evaluated for when auditing for SOC 2 – Security, Availability, Confidentiality, Processing Integrity and Privacy. Each of these criteria focuses on a separate area for your infosec program to become compliant; each element describes a group of compliance objectives your business must adhere to with your specific controls.

Here is the list of SOC 2 Trust Services Criteria:

  1. Security
  2. Availability
  3. Confidentiality
  4. Processing Integrity
  5. Privacy

1. Security

It is the most critical and, therefore, mandatory criteria for every audit and is referred to as the common SOC 2 trust service criteria. It includes the security of information during its entire life cycle from creation, use, processing, and transmission to storage. The controls in the security criteria are designed to help deter or detect malicious attacks (penetration testing), unauthorized access/removal of data, alteration/destruction/misuse of software (the code repos) and unapproved disclosure of confidential information, to name a few.

Go beyond Continuous Threat Identification & Remediation

Deploying, testing and remediating these controls would call for participation from your IT Development, IT Infrastructure, HR, senior management, and operations teams.

SOC 2 Controls for Security

There are nine common criteria (CC) for security. Of these, five are essential and based on the COSO framework. Here’s how they stack up:

SOC 2 Trust Principles

Some examples of security controls are:

  • Access Controls
  • Intrusion Detection Systems
  • Anti-virus/malware
  • Firewalls

Embrace the future of compliance with Sprinto

2. Availability

To make sure that your systems adhere to operational uptime and performance standards, the controls in the Availability criterion are concentrated on these two areas. Network performance monitoring and disaster recovery procedures are among the controls included here. It also covers how your business handles security incidents. Your policies on backup, data recovery, and business continuity are also useful controls to meet this SOC 2 trust service criteria.

If your clients are worried about downtime, select availability.

Due to the natural features of the cloud, it is simple for businesses like yours to meet the criteria, making this TSC a suitable fit.

It consists of three criteria:

soc 2 criteria availability

Some examples of security controls are:

3. Confidentiality

Confidentiality helps showcase how you safeguard confidential information throughout its lifecycle. The TSC encourages organizations to protect confidential information such as intellectual property, financial data, and other business-sensitive details specific to your contractual commitments with your customers. You can do this by establishing access control and proper privileges such that data can be viewed/used only by the authorized set of people or organizations.

You must include this TSC in your SOC 2 scope if your company maintains sensitive data that is covered by non-disclosure agreements (NDAs) or if your clients have particular confidentiality needs. If you have promised your clients that their data will be erased upon service completion or contract termination, Confidentiality makes for a desirable addition to your SOC 2 scope.

Its consists of two criteria:

SOC 2 trust service principles

Some examples of security controls are:

  • Encryption
  • Access Controls
  • Network/Application Firewalls

4. Processing Integrity

This principle is evaluated if your cloud data is processed accurately, reliably and on time. It also reviews if your systems achieve their purpose. You can use quality assurance procedures and SOC tools to monitor data processing.

Include Processing Integrity if you execute critical customer operations such as financial processing.

The Processing Integrity category includes five criteria, which are:

soc 2 trust services principles

Some examples of security controls are:

  • Process Monitoring
  • Quality Assurance

5. Privacy

This TSC checks if you protect Personally Identifiable Information (PII) from breaches and unauthorized access. It does so by implementing rigorous access controls, two-factor authentication, and encryption.

The measures listed here assist in preserving information privacy by doing everything from notifying pertinent parties of privacy practices to updating and immediately disclosing any changes in how personal information is used. Privacy is, however, different from Confidentiality in that it applies to only personal information, whereas Confidentiality applies to various types of sensitive information.

Include Privacy if your customers store PII such as healthcare data, birthdays, and social security numbers.

The Privacy criteria details the following eight categories in its requirements:

soc 2 trust service principles criteria

With Sprinto, you can map your security controls to the requirements of SOC 2 in adherence to its trust principles. For instance, you can see the status of controls in the following image and take action to address the gaps and prepare your system for the SOC 2 audit. 

Save 80% of man hours spent on SOC 2

What are SOC 2 supplemental criteria?

SOC 2 supplemental criteria are additional requirements that enhance the effectiveness of internal controls. These are relevant to trust service engagements and include logical and physical controls, system and operations control, change management and risk mitigation controls.

Controls over Logical and Physical access in SOC 2

You must demonstrate through these controls that you are taking both physical and virtual steps to protect the confidentiality, integrity, and privacy of your data. Restrictions on access to sensitive information, devices, or networks (based on roles and responsibilities), safeguards for monitors, and providing credentials are a few examples. It also entails limiting authorised personnel’s physical access to premises, workstations, and assets containing protected information.

Making sure there is no unauthorised access to your data is possible with the aid of a comprehensive Identity and Access Management (IAM) programme.

Systems and Operational Controls for SOC 2

The effectiveness of your infrastructure is at the heart of the Systems and Operational Controls. The controls in place test how quickly operations can return to normal after deviations or disturbances. Threat detection, incident response, root cause analysis, and compliance are a few of the internal controls that may be used in this situation.

A Managed Detection and Response (MDR) can help here.

SOC 2 Controls for Change Management

Change management controls are the policies and procedures that organizations must follow while updating their processes, software, data, or infrastructure. The use of a scalable patch management technology is advised in this situation. These tools keep up with changes in software development while safeguarding your systems from security threats.

SOC 2 Risk Mitigation Controls

The risks connected to growth, location, or security best practices can be identified with the aid of risk mitigation controls. Apart from risk assessment of your vendors and business partners, you must also perform a risk assessment and mitigation exercise for contingencies such as leadership changes, unfavourable regulatory interventions, changes in the physical and economic environment, and even technical developments.

You must organise the identified risks, give each one a likelihood and impact, and then implement an appropriate internal control to minimise it as part of the risk assessment activity.

Get SOC2 Ready Within Weeks with Sprinto

Having a SOC 2 report is a valuable asset for demonstrating the credibility of your data protection process to your customers and stakeholders. Hence understanding the SOC 2 trust principles can help you proactively address gaps and mitigate risks. But obtaining a SOC 2 report can be a time-consuming process, unless you choose the easier route – Sprinto!

Sprinto implements an efficient framework of SOC 2 controls and automated checks at a granular level. Any compliance drift can be easily monitored and evidence is collected automatically in an audit-friendly manner. The compliance program runs end-to-end and does all the heavy lifting to get you 100% compliant without compromising on your bandwidth.

Get SOC 2 ready in weeks


So, if you are ready to begin your SOC 2 journey and need help translating the framework requirements into actionable ToDos, talk to us today.

FAQs

What is SOC2 Criteria?

SOC 2 criteria is a set of five requirements set by AICPA to evaluate the controls of an organization undergoing an audit: security, availability, confidentiality, processing integrity and privacy.

What are SOC2 Type 2 trust criteria?

The SOC2 Type 2 criteria are security, availability, confidentiality, processing integrity and privacy. These criteria are defined by the AICPA for evaluating an organization’s security for compliance with SOC2.

Are all Trust Service Principles in SOC 2 Mandatory?

No, all the Trust Service Principles aren’t mandatory for a SOC 2 audit and attestation. You don’t need to address all of them, but you do need to select the TSCs that are relevant to the service you provide to your customers and what they want. As mentioned earlier, security is mandatory. 

Which trust principle is not covered under SOC2?

According to SOC2 all five trust principles (security, availability, confidentiality, processing integrity and privacy) are covered. Hence there is no trust principle that is not covered. However, you don’t need to address all of them, but need to select the ones that are relevant to your product/services.

Payal Wadhwa
Payal Wadhwa
Payal is your friendly neighborhood compliance whiz who is also ISC2 certified! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!

How useful was this post?

0/5 - (0 votes)

Found this interesting?
Share it with your friends
Get a wingman for
your next audit.
Schedule a personalized demo and scale business
Here’s what to read next….
Here’s what to read next….
Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.