Step 2
Based upon the above findings, Risk Crew shall then recommend the specific TSC to be validated in the audit and confirm this with you. At a minimum, every SOC 2 report must include the Security criteria (also known as the Common Criteria); any other TSCs selected depend upon your business requirements.
The Trust Services Criteria are selected from the following:
- Security: The system is protected against unauthorised access, both physical and logical. Examples of commonly examined SOC 2 security controls are logical access to infrastructure and vital systems such as source code repositories. Additionally, this could include password parameters, network device configurations, firewalls and physical security controls that protect key infrastructure.
- Availability: The system is accessible for operation and use as intended and agreed. The availability criteria require that the organisation has documented business continuity and disaster recovery plans and procedures. Additionally, they require periodic backups and recovery tests.
- Confidentiality: Information which is designated as ‘Confidential’ is protected according to policy or agreement. The confidentiality criteria are often mistaken for the privacy criteria. Most organisations have a requirement to protect Confidential information that is shared with them by other companies they do business with, such as the protection of intellectual property.
- Processing Integrity: System processing is complete, accurate, and authorised. Processing integrity is included in SOC 2 reports less often than the availability and confidentiality TSCs. It is usually addressed in systems that process transactions, such as payments.
- Privacy: The privacy criteria should be considered when ‘personal information’ is processed, stored or transmitted by the system. It is imperative to note that the privacy criteria apply to personal information. This differs from the confidentiality criteria, which apply to other types of sensitive information.
Step 5
Upon completion of the first four steps, Risk Crew shall conduct a workshop with your business’ stakeholders to ensure their understanding of the findings and of the SOC 2 compliance requirements. The workshop guides attendees through the steps required to obtain a favourable SOC 2 Type 1 report.