
SOC 2 Trust Services Criteria 101

Updated on November 28, 2025 by Bernard Gallagher


Key Takeaways

1. The SOC 2 framework focuses on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

2. Each SOC 2 criterion addresses different aspects of data handling and system management.

3. The Pun Group’s SOC 2 audit services help you implement controls for the TSCs you choose to include in your report.

What Are SOC 2 Trust Services Criteria?

SOC 2 Trust Services Criteria are a set of standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate an organization’s controls during an audit. The criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The five trust services criteria are:


Security

Unlike the other SOC 2 trust principles, the Security TSC is mandatory for all SOC 2 reports. It aims to safeguard personal information and systems against unauthorized access, disclosure, and damage.

This involves implementing controls to prevent unauthorized access and protect against data breaches, whether online or physically. IT security tools, like multi-factor authentication and intrusion prevention systems, are essential for this protection.

To meet the security criteria, there are nine key ‘points of focus’:

  • Control Environment (CC1)
  • Communication and Information (CC2)
  • Risk Assessment (CC3)
  • Monitoring Activities (CC4)
  • Control Activities (CC5)
  • Logical and Physical Access Controls (CC6)
  • System Operations (CC7)
  • Change Management (CC8)
  • Risk Mitigation (CC9)

To meet this requirement, you must implement security controls such as incident response planning and DDoS protection.

Availability

The Availability Criteria ensure that your systems are reliable for both employees and clients. The objective is to guarantee that systems are operational and information is accessible. To achieve this, three additional ‘points of focus’ must be met:

  1. Availability Management (A1)
  2. Performance Monitoring (A2)
  3. Incident Management (A3)

While the availability objective does not set a minimum performance level or address system functionality and usability, it does ensure that systems have controls to support accessibility for operation, monitoring, and maintenance.

To meet this requirement, you will need to implement controls for backups, replication, processing capacity, business continuity, and disaster recovery planning and tests.

Processing Integrity

The Processing Integrity criteria ensure that data processing is error-free and that any errors are promptly detected and corrected. These criteria also ensure that system inputs and outputs are accurate throughout processing and that data is properly stored and maintained.

To achieve the processing integrity criteria, an organization must meet five additional ‘points of focus’:

  1. Completeness (PI1)
  2. Accuracy (PI2)
  3. Timeliness (PI3)
  4. Authorization (PI4)
  5. Validation (PI5)

Some examples of controls to implement under this requirement include process monitoring and quality assurance.

Confidentiality

The objective of the Confidentiality TSC is to protect information that is designated as confidential within the system. This involves identifying, protecting, and properly disposing of confidential business information. To meet the confidentiality criteria, an organization must focus on two additional points:

  1. Confidentiality Management (C1)
  2. Access Controls (C2)

Some examples of internal controls to implement under this requirement include encryption, access controls, and network or application firewalls.

Privacy

The privacy principle focuses on protecting consumers’ rights and their data. It includes criteria that safeguard the privacy of consumer data and give consumers control over how their data is collected and used. It also ensures compliance with the AICPA’s Generally Accepted Privacy Principles.

To meet the privacy criteria, an organization must address eight additional ‘points of focus’. This can be challenging due to the number of privacy points and the specific requirements within each one.

  1. Notice (P1)
  2. Choice and Consent (P2)
  3. Collection (P3)
  4. Use, Retention, and Disposal (P4)
  5. Access (P5)
  6. Disclosure to Third Parties (P6)
  7. Security for Privacy (P7)
  8. Quality (P8)

Some examples of controls to implement under this requirement include encryption, two-factor authentication, and access controls.


To Whom Does Each SOC 2 Trust Principle Apply?

Each principle targets different aspects of how organizations handle data and systems. Below, we break down the type of businesses that require SOC 2 for each principle.

Security

Security is the only mandatory Trust Services Criterion; it must be included in every SOC 2 audit.

For example, banks, hospitals, and tech firms that manage sensitive customer information usually need strong security measures.

Availability

The availability principle in SOC 2 ensures that a company’s systems and services are accessible to customers and employees when needed. It also ensures that data is available for its intended use and includes plans for recovering data in case of an unexpected technical failure or breach.

For example, e-commerce platforms, cloud service providers, and companies offering 24/7 online services typically need strong availability criteria to build trust.

Processing Integrity

If your organization offers financial or e-commerce services, it’s a good idea to include processing integrity as one of the Trust Services Principles in your SOC 2 report. This is especially important if you handle transactions for your clients. Including processing integrity can help ensure that these transactions are accurate and reliable.

For example, financial services firms, e-commerce businesses, and companies that handle large transactions usually need strong processing integrity criteria.

Confidentiality

The objective of the Confidentiality Trust Services Criteria is to protect information that is designated as confidential within the system. This involves identifying, protecting, and properly disposing of confidential business information.

For example, law firms, healthcare providers, and companies handling sensitive intellectual property or personal data typically need strong confidentiality criteria.

Privacy

The SOC 2 Privacy Principle applies to service organizations that handle consumer data while delivering their services. This includes companies in tech, healthcare, and finance that store, process, or transmit customer information. It ensures that these organizations manage consumer data responsibly and in accordance with privacy expectations.

Ready to learn how The Pun Group can help you simplify the path to security and compliance? Contact us today!

How To Choose the Right Trust Service Principle?

Selecting AICPA SOC 2 trust services criteria depends on the nature of your business and the specific needs of your clients. Here’s a simple approach to choosing which principles to focus on:

  • Look at Your Business Needs. Think about the services you offer and the data you handle. For instance, if you manage financial transactions, processing integrity is key. If you handle sensitive data, focus on privacy and confidentiality.
  • Identify the Nature of the Data Being Handled. Consider what your clients are concerned about. The nature of your organization’s data will determine which security controls and approaches you will need.
  • Consider Industry Norms. See what’s common in your industry. Aligning with industry standards can guide your choice.
  • Review Your Goals. Match the principles with your compliance objectives. Choose the ones that showcase your strengths.
  • Employ the Help of an Auditor. Consult with SOC 2 professionals like The Pun Group for tailored guidance.

Empower Your Business Growth Through SOC 2 Compliance

A SOC 2 report is one of the most thorough assessments out there, and completing one shows that your business takes security seriously. While the other four principles (availability, confidentiality, processing integrity, and privacy) are optional, they can be valuable additions depending on your business needs or customer requirements.

These five Trust Services Criteria offer a structured approach to navigating SOC 2 compliance and ensuring you implement the right protocols for your business. We can’t stress enough how crucial it is to have a well-defined strategy!

But having a strategy is just the start. How do you turn your SOC 2 goals into reality? That’s where The Pun Group steps in. Our SOC 2 audit services help you showcase your commitment to data security, integrity, and privacy.

Maintaining SOC 2 services in-house can be costly and complex, with expenses for hiring, training, and specialized tools. Our experts provide the guidance you need to go through the SOC 2 process in the best possible way.

FAQs

What Are the Generally Accepted Privacy Principles?

GAPP is a framework that used to be called the AICPA/CICA Privacy Framework. At its core, GAPP ensures that personally identifiable information is handled in line with what’s stated in your privacy notice and according to the criteria laid out in GAPP.

How Rigorous Is a SOC 2 Audit?

A SOC 2 audit is quite rigorous. It involves a thorough examination of your organization’s controls and processes related to security, availability, processing integrity, confidentiality, and privacy. Auditors look into how you manage and protect data, ensure your organization’s system reliability, and handle privacy concerns.
