What does SOC 2 stand for?

SOC 2 stands for System and Organization Controls 2 (originally Service Organization Control 2), an attestation framework created by the American Institute of Certified Public Accountants (AICPA) for service organizations that store or process customer data. The "2" distinguishes SOC 2 from SOC 1 and SOC 3; it does not mean "Type 2". A SOC 2 report is issued as either Type 1, which assesses whether controls are suitably designed at a point in time, or Type 2, which also tests whether those controls operated effectively over a review period.

SOC 2 evaluates an organization against five Trust Services Criteria (TSCs), sometimes called principles: security, availability, processing integrity, confidentiality, and privacy. Together they set the bar for how customer data is protected and handled.

In a SOC 2 audit, an independent CPA firm assesses a company's controls against the TSCs in scope. Each criterion has its own requirements, and the company designs and operates internal controls to meet them.

The Security TSC is mandatory in every SOC 2 audit; the other four are optional and are added to scope based on the services offered and the commitments made to customers. The security criteria are also called the Common Criteria (the CC series) because they apply to every TSC in scope.

Now, let’s take a look at each of the TSCs briefly:

Security: This is the mandatory criterion. It requires that systems and data be protected against unauthorized access, unauthorized disclosure, and damage, through controls such as access management, change management, logical and physical access restrictions, and monitoring.

Confidentiality: Information the organization designates as confidential, for example source code, credentials, payment card data, or business plans, must be identified, protected while it is retained, and disposed of securely. Access is restricted to the specific people and systems that need it.

Privacy: Privacy covers how personal information is collected, used, retained, disclosed, and disposed of, and whether that handling matches the organization's privacy notice and the commitments made to the individuals concerned. Encryption supports this criterion but is only one control among many; notice, consent, limits on collection and retention, and individual access rights are the substance.

Availability: This criterion focuses on whether systems are accessible for operation and use as committed, typically in service level agreements (SLAs). Meeting it usually means building fault-tolerant systems and investing in capacity and network monitoring, backups, and tested disaster recovery plans.

Processing Integrity: Here you must show that system processing is complete, valid, accurate, timely, and authorized, for example that transactions are not lost, duplicated, or altered, and that processing errors are detected and corrected.
