Posted in:

5 SOC 2 Trust Service Principles

© by

Understanding SOC 2

SOC 2 stands for System and Organization Controls. It is a comprehensive and detailed reporting framework created by the American Institute Of Certified Public Accounts (AICPA) for service provider organizations.

SOC 2 started accreditation in the year 2013. In its early days, it was developed for the domestic American market, but now it is being implemented globally. The key target customer segment for SOCs are organizations that offer cloud storage services and technology companies who offer Software As A Service (SaaS).

To understand SOC 2 scope and process you need to get familiar with Trust Service Principles (TSP). The TSP are a string of principles used to assess the opportunities and risk associated with the information technology security of the service provider organization.

The five criteria were created by AICPA and cover the below categories:

  • Availability
  • Security
  • Processing Integrity
  • Privacy
  • Confidentiality

SOC 2 is guided as per AICPA’s Trust Services Principles or Criteria.

The Aim of the SOC 2 Audit

SOC 2 audit reports are meant to fulfil the needs of a wide range of end users. These users require detailed assurances and information about the checks and balances at service provider organizations  in relation to the above five criteria laid by AICPA.

SOC 2 audit reports play a critical role with regards to vendor management, organization oversight, corporate governance, oversight of regulatory compliances, risk management processes and more.

SOC 2 Trust Service Principles

The Trust Service Principles are control parameters for attestation or engagements to assess and report on checks and balances over information services and systems:

(a) over the entire entity;

(b) at a division, subsidiary or at the operating level;

(c) within the function related to the organizations or entity reporting, operational or compliance goals;

or (d) for a specific information used by the organization or entity.

The Trust Service Principles are classified into five following classes:

  • Security – Information services and systems are shielded from unauthorized disclosure of data or information, unauthorized access, and damage or breakdown to the systems which could compromise the integrity, availability, confidentiality, and privacy or information services or systems and impact the organization’s capability to meet its goal. This generally includes implementation of intrusion detection, firewalls and spruced up validation measures for users.
  • Availability – Information service and systems are accessible for use and operations to achieve the organization’s objectives. In other words, are all the services available as per the SLA (Service Level Agreement)? From SOC 2 perspective, availability means whether the network is active, reliable and how soon can problems be sorted out. For example, availability need of network for data center customers is 24×7. If a data center has SOC 2 compliance then it means it meets all the stringent availability criteria.
  • Processing Integrity – System processes are valid, complete, timely, accurate, and authorized to meet the organization’s goals. This certifies that the organization’s systems do not have errors in processing. In the event errors are identified they are quickly corrected. The parameter also measures if the data is presented in agreed format and in timely fashion. For example, financial institution require high processing integrity as they are expected to provide timely, accurate and consistent data to their customers.
  • Confidentiality – Any information which is identified as confidential is safe guarded to meet the organization’s goal. Under this, the data access is limited only to authorized personnel. Confidentiality is assured by leveraging robust encryption, advanced security passwords, limited access, classification and disposal. Also, SOPs (Standard Operating Protocols) need to be in place as a preventive measure to data breaches.
  • Privacy – Personal data is used, collected, disclosed, retained and disposed to meet the organization’s goal. There are subtle differences between privacy and confidentiality criteria . As per TCP confidentiality assures customers that their information / data is protected. Privacy on the other hand ensures how the organization stores, uses and retains the information.

The Key Is The Implementation of SOC 2

The five Trust Services Principles provide a systemic and clear set of parameters to help navigate SOC 2 compliance. It also ensures that you implement appropriate protocols.

Given that more and more companies are relying heavily on cloud based applications, it is imperative to ensure SOC are in place for service provider organization. The amount of confidential data being stored in the cloud is growing multifold. Hence, data in the cloud is always a target for hackers and cybercriminals.


SOC 2 compliance is not mandated by regulatory authorities nor is it a legal requirement for companies or organizations. However, it is something that is important for customers and organizations which provide cloud services or SaaS. From the customer’s perspective it is imperative to choose vendors who ensure SOC 2 compliance so confidential data stored in the cloud is safe and secure. This is of the utmost importance in today’s digital world where cyber fraud is rampant in most spheres of life.