Upgrading and refining your SOC 2 report: FAQ

Scott Hicks, Jaclyn Dettloff, Arpit Parikh
3/22/2023
Now is an ideal time for service organizations to reassess the scope of their SOC 2 reports.

System and Organization Controls (SOC) reports – particularly SOC 2 reports – have become an essential business requirement for many service organizations. But undergoing a SOC 2 examination and issuing a SOC 2 report often involves a significant commitment of time and resources. By leveraging the recent SOC 2 guidance updates from the American Institute of Certified Public Accountants (AICPA), service organizations can revisit the scope and focus of their SOC 2 reports to maximize value for users. Here are answers to some frequently asked questions about scoping SOC 2 reports, including how to incorporate the recent AICPA guidance.

Q: Did the updated guidance make changes to the trust services criteria?

No, the trust services categories and criteria used for SOC 2 reporting are unchanged. Service organizations must address the security category (the common criteria), which is required for every SOC 2 report, and can choose to include additional categories based on their relevance to the organization's operations and services:

Security. Systems and information are protected from unauthorized access.

Availability. Systems and information are available and accessible as needed.

Processing integrity. System processing is authorized, valid, complete, accurate, and timely.

Confidentiality. Confidential information is protected throughout its life cycle.

Privacy. Personal information is collected, used, retained, and disposed of to meet the entity’s objectives.

Although the trust services criteria remain unchanged, the 2022 revisions updated the underlying implementation guidance and commentary regarding how to interpret and address the criteria, shown through enhancements to the points of focus. While service organizations are not required to explicitly address each point of focus, the points of focus should be used as guidance on which control areas to consider and include within their SOC 2 report.

After the 2022 revisions, these points of focus now include more detailed technical control considerations to help service organizations reflect a more comprehensive, mature security posture to their report users. In addition to the expanded technical safeguards, the points of focus were updated to indicate which privacy criteria are likely to apply, based on whether the service organization acts as a data controller or data processor of personal information.

Q: How do we decide which of the trust services categories the SOC 2 report should include?

Because the trust services criteria are a framework rather than a prescriptive set of control requirements, each organization must determine the components and control areas to include in its report.

Of the five AICPA trust services criteria categories, only security is a required component for every SOC 2 report, which is why it often is referred to as the common criteria. Deciding which of the other four categories to include is not always a simple or obvious choice. Several important factors must be considered, including:

How in-scope services relate to the SOC 2 categories. The relevant risks and user concerns for in-scope services often change over time. For example, availability might be an essential trust services category for a service delivered from an on-premises system or locally hosted software. If that service is moved to a cloud platform, it might be possible to remove the availability category from the SOC 2 report for that service, because availability of the underlying infrastructure then rests with the cloud provider (typically a subservice organization with its own SOC report). The service organization still owns availability controls for the layers it continues to operate, so any such change in scope should be confirmed with the report's users.

User expectations. Understanding what users of a SOC 2 report expect is essential, which is why direct discussions with important customers or other stakeholders should be part of the process. The discussion should be a dialogue, however, and not just a list of customer expectations. A service organization should not hesitate to offer feedback to stakeholders if it believes certain SOC 2 expectations are unnecessary or not applicable.

Cost-benefit considerations. Each additional category beyond the common criteria adds to the cost of a SOC 2 report. In addition to the direct third-party costs, the organization also must consider the time and internal resources that will be required to complete the engagement. When additional categories are necessary, the organization should search for corresponding benefits, such as additional business opportunities that might be available if the organization broadens the scope of its SOC 2 reporting.

Moreover, scoping decisions should be revisited on a regular basis to reflect changes in products or services, evolving customer expectations, and changes to the organization’s data and information systems, infrastructure, and software.

Q: How can we go about making our SOC 2 scoping decisions most effectively?

In applying the general principles outlined in the previous answer, many service organizations find it useful to organize their scoping process using a three-step approach, which corresponds to the three general groups of variables they must consider when making their SOC 2 scoping decisions:

Service offerings. Organizations are not required to scope in all products and services offered and can choose which to include in the SOC 2 report. In addition to addressing specific customer or prospect requests (for example, a SOC 2 report for Product ABC), organizations should consider the costs and benefits of including additional service offerings. If internal controls are centrally and consistently managed across all service offerings, the incremental effort of adding further services to the SOC 2 report is low and is usually outweighed by the benefit. Other service-related considerations include which service offerings are currently (or positioned to be) key to the organization's strategy, and whether services involve sensitive data and/or critical systems for customers. A dialogue with leading customers can help in determining the scope of the report.

IT systems. Once the relevant service offerings are identified, organizations should understand the flow of customer transactions and data to define the in-scope IT environment for the SOC 2 report. Typically, the focus is on the production systems that are directly used to deliver the services and house customer and end-consumer information, rather than other internal systems and tools to support company operations.

SOC 2 categories. Organizations should then select the trust services categories to include, based on the applicability and relevance for customers in the context of the in-scope services, systems, and data. While security, availability, and confidentiality are applicable to most organizations and services, processing integrity and privacy might not apply to every organization or all services. A cost-benefit analysis of the relevance, value, and additional effort that would be required to include each category should also be considered.

Once the trust services categories are selected, the final step is to identify the specific control activities that address these criteria in order to decide which should be included in the SOC 2 report.

Q: How do we determine which controls to include in the SOC 2 report?

When identifying the types of controls to include in the SOC 2 report, the specific criteria language and supporting points of focus are essential references. The points of focus provide illustrative control areas that organizations can incorporate. Process narratives, existing control frameworks in use by the organization, and interviews with key control owners also are helpful in determining which controls to include.

In addition, organizations should consider the extent and depth of controls. For a first-time SOC 2 examination, service organizations may prefer to include a narrower set of key controls that address the criteria, as their IT controls may be newly in place. In contrast, more mature organizations should seek to include a more robust set of controls in their SOC 2 report that reflects the control environment they have designed and implemented, rather than purposely limiting their SOC 2 scope to a minimum set of controls. By providing transparency into and assurance over their control environment, service organizations will demonstrate their commitment to IT controls and differentiate themselves in the market.

As report users (especially customers) become better versed in SOC reporting and in IT risks and control concepts, they are likely to scrutinize the quantity and types of included controls more closely. Some users might raise concerns if the report fails to address commonly recognized and expected controls or if it seems intentionally narrow in scope in an attempt to shortcut the examination process or have a clean SOC 2 report.

At a more fundamental level, such a minimalist approach is indicative of a compliance mindset rather than an effective, risk-focused, security-centered strategy. In addition, a minimalist approach often means the organization is missing out on opportunities to highlight some of the effective controls it already has in place, which could help contribute to a more positive overall report.

Finally, it is important to regularly refresh and enhance the SOC 2 control set as the organization enhances its control structures over time. The goal of a SOC 2 report is to demonstrate the service organization’s commitment to information security, which includes a thorough, thoughtful approach to risk management and internal controls.

Contact us

Our information security professionals can answer questions related to SOC 2 guidance and upgrading and refining the scope of your reports.
Scott Hicks, Partner, IT Assurance
Jaclyn Dettloff, Partner, IT Assurance
Arpit Parikh, IT Assurance