AICPA Trust Services Criteria define five criteria for evaluating an organization’s security controls for SOC 2 compliance: security, availability, processing integrity, confidentiality, and privacy.
While organizations may pick and choose which SOC 2 Trust Services Criteria they want to include in the scope of their audit, every SOC 2 report must include the Security Criteria, and the criteria used to test it are known as the Common Criteria.
What is the SOC 2 Common Criteria List?
The Security TSC is all about protecting information and systems.
Is data secure during its collection or creation? Is it secure during its use, processing, transmission, and/or storage? How does a company prevent and monitor any vulnerabilities in its systems?
The SOC 2 Common Criteria list, also known as the CC-series, includes nine subcategories:
- CC1 — Control environment
Does the organization value integrity and security?
- CC2 — Communication and Information
Are policies and procedures in place to ensure security? Are they communicated well to both internal and external partners?
- CC3 — Risk Assessment
Does the organization analyze risk and monitor how changes impact that risk?
- CC4 — Monitoring Controls
Does the organization monitor, evaluate, and communicate the effectiveness of its controls?
- CC5 — Control Activities
Are the proper controls, processes, and technologies in place to reduce risk?
- CC6 – Logical and Physical Access Controls
Does the organization encrypt data? Does it control who can access data and restrict physical access to servers?
- CC7 – System Operations
Are systems monitored to ensure they function properly? Are incident response and disaster recovery plans in place?
- CC8 – Change Management
Are material changes to systems properly tested and approved beforehand?
- CC9 – Risk Mitigation
Does the organization mitigate risk through proper business processes and vendor management?
SOC 2 Common Criteria Mapping
Many organizations choose to pursue compliance with multiple security standards. The AICPA helps map the Common Criteria onto requirements for other frameworks, including ISO 27001, GDPR, and more.
Mapping SOC 2 Common Criteria to ISO 27001
ISO 27001 specifies requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS). It includes 114 controls across 14 groups, the majority of which map to SOC 2 Trust Services Criteria.
The AICPA ISO 27001 mapping spreadsheet breaks down the overlap with the Trust Services Criteria.
Mapping SOC 2 Common Criteria to GDPR
The European Union’s General Data Protection Regulation is designed to protect EU citizens’ personal data rights. It applies to any company that comes in contact with these protected individuals’ data. It includes 99 articles across 11 chapters.
Nearly all of Chapters 2 and 3 and most of Chapter 4 of GDPR map onto SOC 2’s Trust Services Criteria.
The AICPA also provides an EU GDPR mapping spreadsheet to help cross-reference criteria and controls.