Security Compliance FAQs: Which trust service categories should I include within the scope of my SOC 2 audit?

The world of information security and compliance can be complicated to navigate, leaving you with questions as you work to improve your organization’s security posture. In this series, Boulay’s Risk Advisory Team answers some of the most frequently asked questions (FAQs) about SOC 2 reports, ISO 27001 certifications, and other security compliance frameworks.

Which trust service categories should I include within the scope of my SOC 2 audit?

The AICPA’s System and Organization Controls (SOC) 2 reporting guidelines outline five trust service categories that may be included within the scope of a SOC 2 audit:

• Security: Focuses on protecting information systems and data from unauthorized access and disclosure. Ensures systems are safeguarded against breaches, cyberattacks and other vulnerabilities by implementing measures like firewalls, encryption and multi-factor authentication.
• Availability: Addresses the accessibility of systems and services. Ensures that your organization’s information and systems are reliable and prepared to meet operational demands, utilizing measures like disaster recovery and performance monitoring to minimize downtime and disruptions.
• Confidentiality: Ensures that sensitive information is restricted to authorized individuals or entities. Emphasizes policies and controls for data classification, access management and secure data handling, particularly for proprietary or client information.
• Processing Integrity: Focuses on ensuring data processing is complete, valid, accurate and timely. Involves controls that verify data integrity during input, processing and output to avoid errors, omissions or unauthorized modifications.
• Privacy: Relates to the handling of personal information in accordance with an organization’s privacy policies and regulations. Ensures consumer data is protected and consumers are informed about the collection, storage, use, retention and disposal of their data.

Of these, Security is the only category that is required for all SOC 2 reports. The service organization has the option to increase the scope of its report by including one or more of the optional categories.

When deciding which (if any) optional categories to include in a SOC 2 audit, primary consideration should be given to the needs of the service organization’s customers. If management sees specific contractual obligations or customer requests indicating that one or more of the optional categories needs to be included, it is recommended that those be added to the scope.

If there are no explicit customer demands, then it ultimately remains a judgment call for management on whether to expand the scope. We recommend reviewing customer contracts, service level agreements (SLAs) and other legal documents to determine whether any of the four optional categories are included within the company’s service commitments. For example, if the company has an SLA indicating a 99.9% uptime requirement, then it is advisable to include the Availability category within the scope of the SOC 2 report. However, the final decision on which trust service categories to include always rests with the service organization.

Helping You Get There…

Boulay’s Risk Advisory Team is here to answer your questions about ISO 27001 certificates, SOC 2 reports and other aspects of security compliance, so you can move forward with confidence. For more information regarding Boulay’s SOC 2 services, connect with us today.

Boulay provides the information in this article for general guidance only, and does not constitute the provision of legal advice, tax advice, accounting services, investment advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal, or other competent advisers. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all pertinent facts relevant to your particular situation. The information is provided “as is,” with no assurance or guarantee of completeness, accuracy, or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability, and fitness for a particular purpose.
