What is Trust Services Criteria?
AICPA’s Trust Services Criteria are the framework used by auditors to determine which security and compliance controls they will test for in a company. The only Trust Services Criteria category required for every SOC 2 report is Security, but auditors have the option of adding Availability and Processing Integrity as well after determining the audit scope.
Trust Services Criteria Categories:
- Data and systems are protected against unauthorized access and disclosure, including potentially compromising damage to systems. Data should be protected during its collection or creation, use, processing, transmission, and storage.
- Data and systems are available for operation and use. Systems include controls to support accessibility for operation, monitoring, and maintenance.
- The organization should protect data designated as confidential (i.e. any sensitive information).
- System processing (particularly of customer data) is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Personal data is collected, used, retained, disclosed, and disposed of in accordance with relevant regulations and policies.