Overview

SOC 2 reports are based on the Trust Services Principles and Criteria (TSP). The AICPA Assurance Services Executive Committee (ASEC) released the revised version (2014) of the TSP.
SOC 2 examinations performed under the new standards must couple the Security Principle with any non-privacy principle. For instance, a SOC 2 that includes the Availability Principle must also include the Security Principle.
The Security Principle was restructured into the following seven categories:
- Organization and management: The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.
- Communications: The criteria relevant to how the entity communicates its policies, processes, procedures, commitments, and requirements to authorized users and other parties of the system, and the obligations of those parties and users to the effective operation of the system.
- Risk management and design and implementation of controls: The criteria relevant to how the entity
  - (i) identifies potential risks that would affect the entity's ability to achieve its objectives;
  - (ii) analyzes those risks;
  - (iii) develops responses to those risks, including the design and implementation of access controls and other risk-mitigating actions; and
  - (iv) conducts ongoing monitoring of risks and the risk management process.
- Monitoring of controls: The criteria relevant to how the entity monitors the system, including the suitability, design, and operating effectiveness of the controls, and takes action to address identified deficiencies.
- Logical and physical access controls: The criteria relevant to how the entity restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access, to meet the criteria for the principle(s) addressed in the engagement.
- System operations: The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.
The other non-privacy principles, Availability, Processing Integrity, and Confidentiality, have also been modified to include criteria that are only applicable to the specific principle. This greatly reduces the redundancies found in the old TSPs when more than one non-privacy principle was in scope for the SOC 2 examination.