For organizations beginning their SOC 2 journey, figuring out which of the five Trust Services Criteria (TSC) to include in their scope can seem like a mystery. Do all five need to be included in the SOC 2 report? (Nope! Just the ones that are relevant - read on!) For organizations that already have a SOC 2 for Security, when is it appropriate to add another TSC?
What to Consider When Including a TSC
What exactly are the Trust Services Criteria? What should you consider when determining whether to include one in your SOC 2 report? The five TSCs are Security, Availability, Processing Integrity, Confidentiality, and Privacy.
If you are on a budget or have other business priorities, only include the TSCs that are contractually required by your customer base. Also, consider whether including any of the TSCs will give you a competitive advantage. Including additional TSCs will increase the base cost of your audit (and internal compliance costs), so consider whether adding a TSC will be a valuable return on investment.
What do the Trust Services Criteria Apply to?
Before diving into the five TSCs, it is important to note what the criteria will apply to. The following system components will be described regardless of the TSC in scope: Infrastructure, Software, People, Data, and Procedures. These system components will also be described in your System Description or Section 3 of your SOC 2 report and we have tips on writing a System Description in this blog post.
Security (aka The Common Criteria)
Security is mandatory. It is the foundation of a SOC 2 report and that is also why it is called the Common Criteria - it is common to any SOC 2 regardless of which other TSCs are in scope. For this TSC, you will not only share your IT security controls but you will also be required to share more operational or governance types of controls. This TSC is a substantial effort and will involve not only your IT development and IT infrastructure folks but also HR, Upper Management, Operations, and Sales (to name a few).
Availability
Does the service you are offering require 24/7 uptime? Are you contractually required to adhere to an uptime metric, like four 9's, for example? This TSC is not too tricky to achieve, and your IT Infrastructure team will be the primary internal resource to provide the controls and evidence. If you don't have any specific contractual requirement, then determine whether the following would differentiate you from your competitors:
- You have capacity management controls in place that assist in maintaining, monitoring, and evaluating your system
- You have solid processes in place to monitor your system performance and uptime, and to handle exceptions
- You test your recovery plan annually
Processing Integrity
Do you manipulate data in such a way that your customer relies on you for an accurate and complete data output? Examples here include payroll services, billing services, and tax processing. You will tackle this TSC if you manipulate data on behalf of your customer and they expect the end result to be consistent, accurate, and timely. This TSC is a bit trickier for some organizations and will likely involve folks from a back-end product design team, database admins, and the IT team. At a high level, you will need to demonstrate the controls you have in place for how data or database elements are collected (the inputs), manipulated (or processed), and delivered (the outputs). This TSC will also cover how the relevant data is stored and maintained.
Confidentiality
Can your customers and users expect to have exclusive access to the data that you hold? A good example is photo storage services: users can expect that the photos stored in the service will not be seen by anyone else. Another example is a corporate document storage service: company files should only be accessed by individuals in the company (or by those who have been granted special permission). Your IT Team can expect to play a key role in attaining this TSC. If segregation of data will be a selling point for your organization, then you should tackle this TSC.
Privacy
You should include this TSC if you handle, store, or transmit any personal data. Personal data includes any data that can be used alone or in combination to identify a specific person. You may have heard of the concept of Personally Identifiable Information, or PII - this TSC covers all of that information. Think: name, home address, personal or work email, phone number, image (a photo of a face - yes, this counts!), social security number, or other government ID number. There are more examples, so make sure you understand all of the data you are storing or working with before you tackle this one.
You may also want to tackle the Privacy TSC if you have plans to take your product out of the USA. Other countries have very specific privacy laws and regulations and treat PII much more stringently than in the USA. Getting this TSC under your belt will help you prepare to expand internationally. This TSC is extensive and will take time to both prepare for and operationalize. Expect to include your IT team, customer support teams, and legal counsel in this effort.
How Strike Graph Can Help
The Strike Graph solution covers all five Trust Services Criteria allowing you to efficiently expand the scope of your SOC 2 without adding new complexities to your cyber security practice. The Strike Graph solution also comes with an audit-proven library of controls that cover all five TSCs and can be used or tailored for your audit. You can also use our control list for inspiration or add controls specific to your system or solution. We've got your back! Get started on your journey today.