The Trust Services Criteria (TSC) is the security framework used for audits resulting in a SOC 2 or SOC 3 Report. All SOC reports are overseen by AICPA, the American Institute of Certified Public Accountants, to build trust between service organizations and their clientele. Processing Integrity is one of five categories, or principles, that shape the overall SOC 2 controls list.
SOC 2 Processing Integrity Controls and Criteria for Reports
There are two categories of TSC criteria that apply to the principle of Processing Integrity:
- The supplemental PI Series criteria, which apply only to Processing Integrity
- The common criteria (CC Series) for security, which apply to all TSC principles
The following sections will dive into both categories of applicable criteria, detailing requirements for all controls and systems to which Processing Integrity applies for a successful SOC 2 audit.
Supplemental Criteria Applicable to Processing Integrity
The SOC 2 controls that apply most directly to the Processing Integrity principle are defined by the supplemental criteria that apply exclusively to it. These make up the five PI Series criteria.
Within each PI Series criterion, the AICPA names points of focus, each describing the specific requirements for controls related to Processing Integrity. For the first PI criterion, one additional point of focus applies exclusively to service organizations that produce products intended for end users. All other points of focus apply uniformly across all controls and systems, irrespective of their purposes.
PI1.1: Communication of All Processing Integrity Objectives
Service organizations need to ensure Processing Integrity by generating or otherwise obtaining relevant, quality information regarding integrity objectives—and communicating it. This includes definitions of all data processed and specifications of relevant products and services.
The following primary characteristics for this criterion inform its points of focus for all systems:
- Identify information specifications needed to support the use of products or services.
- Define and ensure completeness of all specific data categories necessary for support.
There is one more point of focus identified for only systems producing or distributing products:
- Define necessary information to communicate to end users to support product use.
These definitional criteria collectively inform the other, prescriptive criteria within the PI series.
PI1.2: Policies and Procedures Pertinent to System Inputs
Service organizations need to design and implement policies and procedures that account for and secure all system inputs related to Processing Integrity, per all defined security objectives.
The following primary characteristics for this criterion inform its points of focus for all systems:
- Define all input characteristics necessary for maintaining the integrity of processing.
- Evaluate all processing inputs to determine compliance with the defined necessities.
- Maintain records for all processing inputs, ensuring their completeness and accuracy.
There are no additional points of focus for any specific systems to which this criterion applies.
PI1.3: Policies and Procedures Pertinent to System Processing
Service organizations need to design and implement policies and procedures that account for and secure all the processes related to Processing Integrity, per all defined security objectives.
The following primary characteristics for this criterion inform its points of focus for all systems:
- Define processing specifications necessary for maintaining the integrity of processing.
- Define processing activities necessary for maintaining the integrity of processing.
- Detect and address errors to processing specifications and activities, per definitions.
- Record processing activities accurately and in a timely manner; secure all records.
- Process inputs completely, accurately, in a timely manner, and with authorization.
There are no additional points of focus for any specific systems to which this criterion applies.
PI1.4: Policies and Procedures Pertinent to System Outputs
Service organizations need to design and implement policies and procedures that account for and secure all system outputs related to Processing Integrity, per all defined security objectives.
The following primary characteristics for this criterion inform its points of focus for all systems:
- Protect processing outputs upon delivery or storage, preventing theft or damage threats.
- Distribute outputs to the proper parties that are authorized and intended to receive them.
- Distribute outputs completely and accurately, meeting all defined integrity objectives.
- Record output activities and maintain the security of all records related to outputs.
There are no additional points of focus for any specific systems to which this criterion applies.
PI1.5: Policies and Procedures Pertinent to System Storage
Finally, service organizations need to implement controls for safe storage and the retention of all components in the processing environment, including inputs, processing proper, and outputs.
The following primary characteristics for this criterion inform its points of focus for all systems:
- Protect all stored inputs and outputs related to processing and Processing Integrity.
- Archive and protect all records pertaining to inputs, outputs, and overall processes.
- Store data completely and accurately, implementing procedures to ensure its security.
- Maintain records about the storage of all records related to Processing Integrity.
There are no additional points of focus for any specific systems to which this criterion applies.
Common Criteria Also Applicable to Processing Integrity
Beyond the PI series criteria, all Security-relevant controls in the common criteria (CC Series) also apply to Processing Integrity.
The CC Series contains more criteria than any other series; it is large enough to be divided into sub-series (CC 1, CC 2, etc.), each with its own sub-criteria. Every CC sub-series and each of its sub-criteria applies individually and distinctly to the other TSC principles.
Critically, this is a one-way relationship. CC Series criteria apply to all other principles, but the supplemental criteria only apply to their specific principle. So, for example, none of the SOC 2 Privacy controls detailed in the P Series criteria apply to Processing Integrity, nor do they apply to Security—the same can be said for A Series and C Series criteria.
However, all CC Series criteria apply evenly to Privacy, Availability, and Confidentiality, along with Processing Integrity.
Breakdown of CC Series’ Applicability to Processing Integrity
The nine CC Series sub-series apply to all Processing Integrity assessments in the following ways:
- CC 1 Series – The five CC 1 sub-criteria involve measures for the Control Environment at a service organization; executive or managerial oversight ensures Processing Integrity.
- CC 2 Series – The three CC 2 sub-criteria involve measures for Communications and Information security; this applies to Processing Integrity across network communications.
- CC 3 Series – The four CC 3 sub-criteria involve measures for Risk Assessment; this includes testing for threats and vulnerabilities that could compromise process integrity.
- CC 4 Series – The two CC 4 sub-criteria involve measures for Monitoring Activities; this includes deeper analysis of the general integrity of all systems and processing.
- CC 5 Series – The three CC 5 sub-criteria involve measures for Control Activities, which include specific controls designed to address threats that could impact process integrity.
- CC 6 Series – The eight CC 6 sub-criteria involve measures for Logical and Physical Access Controls; this impacts Processing Integrity through user identity management.
- CC 7 Series – The five CC 7 sub-criteria involve measures for System Operations, which impact Processing Integrity through intensive monitoring for all irregularities.
- CC 8 Series – The one CC 8 sub-criterion involves measures for Change Management; this includes ensuring all changes that impact Processing Integrity are accounted for.
- CC 9 Series – The two CC 9 sub-criteria involve measures for Risk Mitigation, including specific risks to Processing Integrity from both internal and external (third-party) sources.
How to Implement the Entire TSC SOC 2 Controls List
Ultimately, companies will need to assess their security controls using all the CC and PI Series criteria above, along with respective series for Availability, Confidentiality, and Privacy. Another consideration for companies seeking SOC 2 compliance is which Type of SOC 2 report to get.
A Type 1 audit is shorter and more straightforward, but it only verifies the design of security controls, not their operation. On the other hand, a SOC 2 Type 2 report is an extended evaluation of how effectively security controls operate over a prolonged period. These reports are far more costly, but the insights generated offer the best return in terms of security and customer assurance.
Luckily, the SOC 2 controls list is the same, regardless of Type—the SOC 2 Type 2 controls list matches the SOC 2 Type 1 controls list.
To begin implementing and assessing all your controls, per AICPA’s defined standards, contact RSI Security today!