Choosing the Right Criteria for your SOC 2 Audit
July 3, 2023
By Greg Marks and Cameron Hodson
SOC Audits are becoming even more important in today’s interconnected world. Many vendors are implementing requirements that their business partners have a valid SOC audit. But choosing which of the trust criteria you want in your SOC report can be difficult when you don’t know what they are. That’s why we’ve created this guide to help you understand your options and how we can tailor your SOC Audit to fit the needs of your business.
Each SOC audit contains at least one of the five Trust Criteria. These criteria are (from AICPA) Security, Availability, Processing Integrity, Confidentiality, and Privacy. While all of these criteria can be added to your SOC report, Security is always included. The criteria for Security are known as the Common Criteria and are the main items included in the audit. After security, it’s your choice whether you want to add any of the rest. You should think about time and budgetary needs as well as your commitments to customers made in your service level agreements (SLAs).
Availability is mostly applicable when you’ve made commitments to your customers to have information and systems available within certain parameters. That being said, availability doesn’t require any specific acceptable performance level. In other words, don’t worry that the auditor is going to shut you down if your uptime isn’t the greatest. You set the criteria in your customer contracts, which means you get to decide the best way to test your availability needs.
Processing integrity, as defined by the AICPA, means that “system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.” While this may seem a bit nebulous, it basically means that the processes in your business are working well to turn inputs into outputs. We usually recommend these trust criteria for businesses that input customer information and output a result, like payment providers, and that have made commitments to customers about the quality of that output. They are also useful for businesses that create a physical product, as the trust criteria apply there as well.
The confidentiality criteria of a SOC 2 audit are designed to ensure that an organization's confidential information is protected from unauthorized access, use, disclosure, modification, or destruction. In other words, any business that has made commitments to its customers about how it handles sensitive or confidential information should consider including the confidentiality trust criteria in its SOC 2 audit. We recommend adding Confidentiality to your report if your organization works in healthcare, finance, law, or any other industry where confidentiality is important to your clients.
The final trust criteria are focused on Privacy. While similar to confidentiality in plain English, in SOC language, they differ just a bit. The main difference is that the privacy criteria apply only to personal information, while confidentiality applies to any information that is expected to remain confidential. Privacy criteria are designed specifically to ensure that an organization’s privacy practices protect personal information from unauthorized collection, use, retention, disclosure, and disposal. If your company has made commitments to customers about how it handles any type of personal information, whether internal or external data, you should consider using these criteria.
It's easy to say that you should just use all of the criteria, but businesses have budgets, and adding criteria can often push the boundaries of those budgets. That’s why it’s important to know which criteria are most aligned with the core competencies of your business and the commitments you have made to customers in your SLAs. For example, imagine that you’re a tech startup that focuses on managing client relationships for doctors. In order to secure a certain deal, you need a SOC 2 report. You should probably stick with just the criteria that the customer requires. However, picture the same startup a few years down the road. Now you’re in the customer acquisition phase and trying to make your product stand out. A SOC 2 report would look much better with Privacy and Confidentiality included, so that you can assure potential customers and vendors that you really do care about their data.
It's not always easy to evaluate this. Let us help! Reach out to us today to schedule a free 2-hour SOC readiness assessment.