Organizations that provide software and other services to businesses and individuals must ensure that all data entrusted to them by customers is secure. To that effect, the American Institute of Certified Public Accountants (AICPA) has developed its System and Organization Controls (SOC) audits to measure a company’s trustworthiness, per the Trust Services Criteria (TSC). Read on to learn the AICPA trust services criteria for SOC compliance.
What Are the AICPA Trust Services Principles for SOC Audits?
The TSC comprises criteria for measuring the effectiveness of controls related to cybersecurity, along with their active implementation. They are based upon five trust services principles (TSP), also referred to as categories. The AICPA TSP 100 principles and criteria are organized under:
- Security, which ensures all systems and information are shielded from improper uses
- Availability, which ensures that all client-facing systems and data are readily accessible
- Confidentiality, which covers protections for all information defined as critical or sensitive
- Processing Integrity, which ensures that all processing procedures are valid and secure
- Privacy, which covers protections for all personal or personally identifiable information
Note that this order reflects the categories’ sequencing in the criteria section of the TSC document; elsewhere, like in the full title, the positions of processing integrity and confidentiality are flipped.
Security: AICPA Trust Services Criteria Common to All Categories
The Security principle is primarily concerned with minimizing all possibilities for unauthorized access, disclosure, or use of information or systems. In particular, it safeguards against these threats to the extent that they could compromise the organization’s objectives, along with the stated objectives across all other TSC principles (availability, processing integrity, etc.).
The first category of criteria in the TSC framework is unique in that its criteria apply to every other category as well. Conversely, it is the only category with no supplemental criteria of its own: only these Security criteria apply to it. They are labeled common criteria (CC Series), and there are nine of them. The nine CC Series criteria then break down into several sub-criteria, detailed below.
The other unique factor about Security or CC criteria is that they correspond to principles from the primary source text for the TSC framework: the COSO framework. This guide, published in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission, comprises 17 Principles that inform all TSC Security criteria. The first five CC series correspond directly to COSO principles, whereas the last four build upon one principle in particular.
AICPA Common Criteria Corresponding Directly to the COSO Principles
The first five CC series are directly derived from COSO principles, with slight changes in order; the first series, CC1, governs top-level managerial oversight of the entire Control Environment:
- CC1.1 – Requiring a commitment to integrity and ethical values, demonstration thereof, conduct standards, evaluations, and adjustments, corresponding to COSO Principle 1.
- CC1.2 – Requiring the board of directors to remain separate from management and exercise oversight on control implementation, corresponding to COSO Principle 2.
- CC1.3 – Requiring management to establish infrastructure in pursuit of its objectives, such as reporting lines, roles, and authorities, corresponding to COSO Principle 3.
- CC1.4 – Requiring a commitment to recruit and safely onboard quality staff through development and training, then retain them, corresponding to COSO Principle 4.
- CC1.5 – Requiring organizations to hold all personnel accountable for internal control responsibilities related to all TSC principles, corresponding to COSO Principle 5.
The CC2 series governs controls pertaining to Communications and Information security:
- CC2.1 – Requiring organizations to support all internal control functions with relevant, current information from reputable sources, corresponding to COSO Principle 13.
- CC2.2 – Requiring thorough and clear communication of objectives and responsibilities needed for the proper execution of security controls, corresponding to COSO Principle 14.
- CC2.3 – Requiring organizations to communicate with all third parties impacted by or impacting matters related to internal controls, corresponding to COSO Principle 15.
The CC3 series governs controls pertaining to regular and special case Risk Assessment:
- CC3.1 – Requiring organizations to clearly specify objectives for identifying, analyzing, and responding to risks related to all objectives, corresponding to COSO Principle 6.
- CC3.2 – Requiring organizations to identify and analyze all detected risks to determine how they ought to be addressed and mitigated, corresponding to COSO Principle 7.
- CC3.3 – Requiring a consideration for the possibility of fraud, including likelihood and potential impact, in all risk assessment functions, corresponding to COSO Principle 8.
- CC3.4 – Requiring organizations to monitor for, detect, identify, analyze, and address any changes that could impact risk objectives, corresponding to COSO Principle 9.
The CC4 series governs controls pertaining to broader, system-wide Monitoring Activities:
- CC4.1 – Requiring the selection or development and performance of evaluations to ensure that internal controls meet all objectives, corresponding to COSO Principle 16.
- CC4.2 – Requiring accurate, timely communication of all inadequacies identified through monitoring to the parties who can correct them, corresponding to COSO Principle 17.
The CC5 series governs controls pertaining to generalized Control Activities and procedures:
- CC5.1 – Requiring organizations to develop and implement control activities to address and mitigate threats and risks related to objectives, corresponding to COSO Principle 10.
- CC5.2 – Requiring organizations to develop and implement control activities pertaining to all IT and security technology and systems, corresponding to COSO Principle 11.
- CC5.3 – Requiring organizations to deploy all activities (5.1 and 5.2) through explicit policies that establish roles and expectations, corresponding to COSO Principle 12.
Collectively, these common criteria cover all elements of the COSO framework, with targeted points of focus designed to bridge beyond baseline COSO principles into updated protections.
AICPA Common Criteria—Expanding the Scope of COSO Principle 12
The final four common criteria expand on COSO principle 12, adding in security assurances deemed critical for service organizations, such as CC6’s Logical and Physical Access Controls:
- CC6.1 – Requiring implementation of logical access controls to prevent security events.
- CC6.2 – Requiring identity verifications for users granted access to systems, along with immediate removal of authenticating factors if a user’s access is no longer authorized.
- CC6.3 – Requiring access to be based on roles, least privilege, and duty segregation.
- CC6.4 – Requiring implementation of physical barriers restricting all access to sensitive data.
- CC6.5 – Requiring discontinuation of physical or logical controls only when assets can no longer be acted upon in ways that would compromise security objectives.
- CC6.6 – Requiring implementation of controls to protect against outside threat actors.
- CC6.7 – Requiring restrictions on unauthorized internal or external uses of information.
- CC6.8 – Requiring detection and mitigation of unauthorized software and malware.
The CC7 series governs controls pertaining to overall System Operations management:
- CC7.1 – Requiring ongoing monitoring for all new vulnerabilities and susceptibilities.
- CC7.2 – Requiring ongoing monitoring for all irregular activity indicative of incidents.
- CC7.3 – Requiring monitoring of security events to determine their impact on objectives.
- CC7.4 – Requiring programmatic responses to identified incidents to understand, contain, and remediate them, then communicating relevant information to stakeholders.
- CC7.5 – Requiring identifying and implementing activities to recover from incidents.
The CC8 series governs controls pertaining to Change Management and monitoring systems:
- CC8.1 – Requiring strategic authorization, design or acquisition, configuration, testing, documentation, and approval of changes implemented, according to relevant objectives.
The CC9 series governs controls pertaining to Risk Mitigation and holistic risk management:
- CC9.1 – Requiring development of strategies to mitigate all risks of business disruption.
- CC9.2 – Requiring ongoing management of risks related to third-party strategic partners.
Taken together, the nine CC series criteria cover all security-relevant concerns pertinent to (and accounting for) all other TSC principles. Thus, they form the most robust, critical set of AICPA TSC criteria.
Availability: Supplemental AICPA Trust Services Criteria
The Availability principle is primarily concerned with uptime, ensuring that all systems and information are readily accessible to stakeholders per defined objectives. Its criteria include:
- A1.1 – Requiring analysis and visibility regarding current functions’ capacity, along with active oversight of initiatives to remain below capacity and expand capacity, if needed.
- A1.2 – Requiring authorization and development of backup and recovery infrastructure.
- A1.3 – Requiring ongoing testing of recovery plans to ensure they meet all objectives.
These criteria are closely linked to the PI series, or Processing Integrity criteria (see below). And, as noted above, all CC series criteria also apply to Availability criteria and controls.
Confidentiality: Supplemental AICPA Trust Services Criteria
The Confidentiality principle is primarily concerned with controls for protecting information formally classified as confidential or carrying another similarly protected status. Its criteria include:
- C1.1 – Requiring identification and maintenance of all confidential information, per the specific rules and requirements governing it and all organizationally defined objectives.
- C1.2 – Requiring safe disposal of confidential information when it is no longer needed, again as per all specific regulatory rules and all organizationally defined objectives.
These criteria are closely linked to the P series, or Privacy criteria (see below). When personal information is classified, both C and P series criteria may apply to controls that protect the data.
Processing Integrity: Supplemental AICPA Trust Services Criteria
The Processing Integrity principle is primarily concerned with delivering functions and services to the fullest capacity, specifically meeting or exceeding defined objectives. Its criteria include:
- PI1.1 – Requiring communication of information regarding data processing objectives.
- PI1.2 – Requiring controls to safeguard all inputs involved in data processing activities.
- PI1.3 – Requiring controls to safeguard activities involved across all data processing.
- PI1.4 – Requiring controls to safeguard all outputs involved in data processing activities.
- PI1.5 – Requiring safe storage of all data related to inputs, outputs, or process activities.
These criteria may be seen as a continuation of the A series, as services need to be available and functioning at full capacity. Therefore, companies may assess A and PI series criteria simultaneously.
Privacy: Supplemental AICPA Trust Services Criteria
Finally, the Privacy principle is exclusively concerned with protecting personal or personally identifiable information, irrespective of any applicable protected status. Its criteria include:
- P1 Series – Requiring communication of privacy objectives, per one sub-criterion.
- P2 Series – Requiring controls over user choice and consent, per one sub-criterion.
- P3 Series – Requiring restrictions on collection of personal data, per two sub-criteria.
- P4 Series – Requiring controls regarding personal data use, retention, and disposal, per three sub-criteria.
- P5 Series – Requiring management of access to personal data, per two sub-criteria.
- P6 Series – Requiring restrictions and notifications for disclosure, per seven sub-criteria.
- P7 Series – Requiring maintenance of data integrity and quality, per one sub-criterion.
- P8 Series – Requiring ongoing monitoring and enforcement, per one sub-criterion.
Again, these criteria may be applied alongside those in the C series for any information that is both personal (or personally identifiable) and covered by a classified or other protected status.
Implementing the AICPA Trust Principles For SOC 2 Compliance
Companies seeking SOC compliance will need to do more than implement the AICPA trust services principles and criteria detailed above. They also need to audit all controls, either as a snapshot view for Type 1 audits or over a longer duration for Type 2 audits. The former can prove that the overall design of controls is sound, whereas the latter confirms their consistent execution. Type 1 audits can also be used as a preparatory effort for Type 2.
There are also considerations to be made about what kind of SOC audit to do, whether SOC 1, SOC 2, or SOC 3. The first is for financial service providers exclusively, while SOC 2 and SOC 3 are for all other service organizations. SOC 2 reports offer much deeper insights into security and are intended for technical audiences such as other auditors. SOC 3 reports are made for a general audience, such as potential customers.
Many organizations audit for both SOC 2 and SOC 3.
Consult with the SOC Experts
The experts at RSI Security will help your company rethink its SOC compliance process. We’ll help you select the right SOC kind for you, directly assist or guide control implementation per AICPA trust services criteria, and walk through all stages of the audit and report process regardless of which Type your organization chooses.