How to Choose Trust Service Criteria (TSC) for SOC 2 Compliance

Selecting Trust Service Criteria (TSC) is a crucial step in achieving SOC 2 compliance: the TSC you choose determines what your organization will be audited for, so choosing correctly means right sizing the certification process while covering all the relevant areas. 

There are several factors that organizations should consider when determining which SOC 2 Trust Services Criteria (TSC) categories are relevant for them. These factors include: 

• Industry requirements: Organizations should consider which TSC categories are most relevant to their industry and the type of data they handle. For example, financial institutions may prioritize the availability and processing integrity categories, while healthcare organizations may prioritize the confidentiality and privacy categories. 
• Customer expectations: Organizations should consider which TSC categories are most important to their customers and stakeholders. Understanding their customers’ expectations and needs can help organizations prioritize which categories to focus on and allocate resources accordingly. 
• Legal and regulatory requirements: Organizations should consider any legal or regulatory requirements that apply to them, such as HIPAA, PCI DSS or GDPR. These regulations often have specific requirements that overlap with the SOC 2 TSC categories, making it essential to evaluate and incorporate them. 
• Internal policies and procedures: Organizations should review their internal policies and procedures to identify which TSC categories align with their security and privacy objectives. This process ensures that they have appropriate controls and procedures in place to meet the relevant criteria. 

TSC include: 

Security (Common Criteria): The only non-optional TSC, security ensures that your data and systems are protected against unauthorized access and disruptive attacks. Requirements for this TSC include firewalls, security controls and device configurations.  

Who to involve:  

IT—Implement the necessary security controls for systems, assets and applications and prove control effectiveness. 

HR—Communicate security priorities with employees and facilitate security awareness training. 

Upper management—Provide buy-in and budget for new security controls, policies and procedures. 

Availability: Ensures that your information and systems are readily available to meet your objectives. Requirements for this TSC include recovery tests and documented plans for continuity and disaster recovery. This is a good TSC to choose if you’re a service organization, like a cloud storage provider or SaaS provider, for whom instant access and continuity plans are expected, or for whom they could be a differentiator. 

Who to involve: 

IT operations—Complete recovery tests and assess breach risk across systems, develop recovery plans. 

IT, HR, Legal, Operations and Finance – Develop and document business continuity and disaster recovery plans. 

Processing Integrity: Ensures that your data processing systems are valid, accurate, authorized and timely enough to meet your objectives. Requirements for this TSC include controls concerning payment transactions, the accurate processing of data and the correction of errors. Organizations that should consider this TSC include data brokers, database service providers and fintech or financial service organizations.  

Who to involve: 

Back-end product design—Provide insight into data manipulation processes. 

Database admins—Provide insight into the storage and maintenance of customer data. 

IT—Implement controls to correct errors and ensure validity of data processing. 

Quality Assurance–Test, review and validate the accuracy of data processing. 

Compliance–Ensure data processing meets regulatory requirements.  

Confidentiality: Ensures that any confidential information you store or process is protected. Requirements for this TSC include controls protecting both user information and data subjects and strong privacy protocols. If it’s important to your customers that their data will only be seen by those working within the organization, this is likely a good choice for you. Organizations this applies to include cloud storage organizations, health management system providers and financial institutions. 

Who to involve: 

IT—Implement appropriate confidentiality controls and privacy protocols. 

Legal–Review contracts and agreements with third parties to ensure they include appropriate confidentiality and data protection provisions. 

Data Management–Perform activities such as data encryption, anonymization and classification.  

Privacy: Ensures that any personal information is collected, used, stored and disposed of responsibly. Requirements for this TSC include personal information protection policies, sector privacy rules and encryption technology. Any organization, such as an insurance company or database service provider, that deals with personal information like names, addresses, phone numbers or facial images should consider choosing this TSC. 

Who to involve: 

IT—Implement encryption technology and policies for the protection of user data. 

HR–Ensure employees understand their responsibilities around data privacy and protection, host training.  

Data management–Ensure data protection, data classification and data retention. 

Legal counsel—Ensure compliance with relevant privacy laws and regulations. 

Once you understand what TSC are relevant to your organization and who you need to involve to get moving on the audit process, you can start taking steps to get certified. 

One useful step toward certification is enlisting the help of a cybersecurity risk management software solution that identifies your controls and maps them to the relevant frameworks. ProcessUnity for Cybersecurity Risk Management can help your organization collect and organize its controls across these TSC, organizing the audit process and helping you improve your services over time. It can be difficult to get started with a SOC 2 audit, but by organizing your controls using cybersecurity risk management software, you can quickly identify gaps and plan improvements.