SOC 2 Trust Services Criteria
Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. Used for SOC 2 attestation engagements.
Controls: 122
Total Mappings: 955
Publisher: AICPA
Version: 2017
AC (8) AT (3) AU (7) CA (5) CM (8) CP (8) IA (5) IR (4) MA (1) MP (3) PE (17) PL (3) PS (8) PT (6) RA (4) SA (8) SC (8) SI (8) SR (8)
AC Access Control
| Control | Name | SOC 2 TSC References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC6.1 +9 more |
| AC-02 | Account Management | CC6.1, CC6.6, CC6.6-POF2, PI1.2-POF1, PI1.2-POF2, PI1.2-POF3 |
| AC-03 | Access Enforcement | CC6.1, CC6.6, CC6.6-POF2, PI1.2-POF1, PI1.2-POF2, PI1.2-POF3 |
| AC-04 | Information Flow Enforcement | CC6.1, CC6.1-POF6, CC6.6, CC6.6-POF1 |
| AC-05 | Separation Of Duties | CC5.1, CC5.1-POF6, CC6.6, CC6.6-POF2, PI1.2-POF1, PI1.2-POF2, PI1.2-POF3 |
| AC-06 | Least Privilege | CC5.2-POF3, CC6.1, CC6.1-POF12, CC6.1-POF13, CC6.1-POF7 |
| AC-17 | Remote Access | CC6.6, CC6.6-POF3 |
| AC-20 | Use Of External Information Systems | CC6.7 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | SOC 2 TSC References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2 +2 more |
| AU-02 | Auditable Events | CC6.1-POF7, CC6.7-POF1, CC7.1, CC7.1-POF1, CC7.2, CC7.2-POF1, CC7.2-POF4, CC7.3 +4 more |
| AU-03 | Content Of Audit Records | PI1.4 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | CC7.2, CC7.2-POF1, CC7.3 |
| AU-07 | Audit Reduction And Report Generation | CC7.2, CC7.3 |
| AU-09 | Protection Of Audit Information | PI1.4, PI1.5 |
| AU-11 | Audit Record Retention | C1.2 |
CA Security Assessment and Authorization
| Control | Name | SOC 2 TSC References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC4.1, CC4.1-POF8, CC5.3, CC5.3-POF1 +5 more |
| CA-02 | Security Assessments | CC1.1-POF3, CC3.1, CC4.1, CC4.1-POF8, CC5.2, CC6.1-POF2, CC7.2-POF4 |
| CA-05 | Plan Of Action And Milestones | CC4.2, CC4.2-POF3 |
| CA-06 | Security Accreditation | CC6.1-POF9 |
| CA-07 | Continuous Monitoring | CC1.1, CC1.1-POF3, CC2.2, CC2.3, CC4.2-POF1, CC4.2-POF2, CC4.2-POF3 |
CM Configuration Management
| Control | Name | SOC 2 TSC References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.1 +5 more |
| CM-02 | Baseline Configuration | CC6.1-POF7, CC6.7-POF1, CC7.1, CC7.1-POF1, CC8.1, CC8.1-POF12, CC8.1-POF6 |
| CM-03 | Configuration Change Control | CC2.2-POF13, CC3.4, CC3.4-POF4, CC6.8-POF3, CC8.1, CC8.1-POF1, CC8.1-POF10, CC8.1-POF11 +11 more |
| CM-04 | Monitoring Configuration Changes | CC3.4, CC3.4-POF4, CC8.1-POF10, CC8.1-POF3 |
| CM-05 | Access Restrictions For Change | CC8.1-POF2, CC8.1-POF9 |
| CM-06 | Configuration Settings | CC6.1-POF7, CC6.7-POF1, CC7.1, CC7.1-POF1, CC8.1, CC8.1-POF12, CC8.1-POF6 |
| CM-07 | Least Functionality | CC5.2-POF3, CC6.1-POF7, CC6.7-POF1 |
| CM-08 | Information System Component Inventory | CC2.1-POF6, CC2.1-POF9, CC6.1-POF1 |
CP Contingency Planning
| Control | Name | SOC 2 TSC References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | A1.2, A1.2-POF1, A1.2-POF10, A1.2-POF11, A1.2-POF2, A1.2-POF3, A1.2-POF4, A1.2-POF5 +20 more |
| CP-02 | Contingency Plan | A1.2, A1.2-POF1, A1.2-POF10, A1.2-POF11, A1.2-POF2, A1.2-POF3, A1.2-POF4, A1.2-POF5 +11 more |
| CP-04 | Contingency Plan Testing And Exercises | A1.3, A1.3-POF1, A1.3-POF2, CC7.4-POF10, CC7.5, CC7.5-POF3, CC7.5-POF6 |
| CP-06 | Alternate Storage Site | A1.2, A1.2-POF9 |
| CP-07 | Alternate Processing Site | A1.2, A1.2-POF10 |
| CP-08 | Telecommunications Services | A1.2 |
| CP-09 | Information System Backup | A1.2, A1.2-POF7, A1.2-POF8, CC7.5 |
| CP-10 | Information System Recovery And Reconstitution | A1.2, A1.2-POF1, A1.2-POF10, A1.2-POF11, A1.2-POF2, A1.2-POF3, A1.2-POF4, A1.2-POF5 +11 more |
IA Identification and Authentication
| Control | Name | SOC 2 TSC References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC6.1 +9 more |
| IA-02 | User Identification And Authentication | CC6.1, CC6.1-POF3, CC6.1-POF4, CC6.1-POF8 |
| IA-03 | Device Identification And Authentication | CC6.1, CC6.1-POF3, CC6.1-POF8 |
| IA-04 | Identifier Management | CC6.1, CC6.1-POF3, CC6.1-POF4, CC6.6, CC6.6-POF2, CC6.6-POF3 |
| IA-05 | Authenticator Management | CC6.1 |
IR Incident Response
| Control | Name | SOC 2 TSC References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | A1.2-POF5, CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF10, CC2.2-POF3, CC2.2-POF7, CC5.3 +20 more |
| IR-04 | Incident Handling | A1.2-POF5, CC2.2-POF10, CC2.2-POF3, CC2.2-POF6, CC2.3-POF8, CC7.3, CC7.3-POF1, CC7.3-POF3 +18 more |
| IR-05 | Incident Monitoring | CC2.2-POF6, CC2.3-POF8, CC7.3-POF2, CC7.4, CC7.4-POF6, CC7.4-POF9 |
| IR-06 | Incident Reporting | CC2.2-POF4, CC2.2-POF6, CC2.3, CC2.3-POF1, CC2.3-POF8, CC3.1-POF10, CC7.3-POF2, CC7.4 +6 more |
MA Maintenance
| Control | Name | SOC 2 TSC References |
|---|---|---|
| MA-01 | System Maintenance Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2-POF1 +1 more |
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | SOC 2 TSC References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | A1.2, A1.2-POF1, A1.2-POF2, A1.2-POF3, A1.2-POF4, A1.2-POF5, A1.2-POF6, A1.2-POF7 +13 more |
| PE-02 | Physical Access Authorizations | CC6.4, CC6.4-POF1, CC6.4-POF2 |
| PE-03 | Physical Access Control | CC6.4, CC6.4-POF1, CC6.4-POF2 |
| PE-05 | Access Control For Display Medium | PI1.4 |
| PE-06 | Monitoring Physical Access | CC6.4-POF4 |
| PE-08 | Access Records | CC6.4-POF4 |
| PE-09 | Power Equipment And Power Cabling | A1.2 |
| PE-10 | Emergency Shutoff | A1.2 |
| PE-11 | Emergency Power | A1.2 |
| PE-12 | Emergency Lighting | A1.2 |
| PE-13 | Fire Protection | A1.2 |
| PE-14 | Temperature And Humidity Controls | A1.2, A1.2-POF2, A1.2-POF4 |
| PE-15 | Water Damage Protection | A1.2 |
| PE-16 | Delivery And Removal | A1.2 |
| PE-17 | Alternate Work Site | A1.2 |
| PE-18 | Location Of Information System Components | A1.2 |
| PE-19 | Information Leakage | A1.2 |
PL Planning
PS Personnel Security
| Control | Name | SOC 2 TSC References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | CC1.1, CC1.1-POF1, CC1.1-POF3, CC1.2-POF1, CC1.2-POF2, CC1.2-POF3, CC1.2-POF4, CC1.3-POF6 +22 more |
| PS-02 | Position Categorization | CC1.2, CC1.2-POF1, CC1.2-POF2, CC1.2-POF3, CC1.2-POF4, CC1.3, CC1.4-POF2, CC1.4-POF6 +3 more |
| PS-03 | Personnel Screening | CC1.4-POF5 |
| PS-04 | Personnel Termination | CC1.5, CC6.2-POF3 |
| PS-05 | Personnel Transfer | CC1.5, CC6.2-POF3 |
| PS-06 | Access Agreements | CC1.5 |
| PS-07 | Third-Party Personnel Security | CC5.3 |
| PS-08 | Personnel Sanctions | CC1.1-POF4, CC1.5, CC1.5-POF5, CC1.5-POF6, CC7.4-POF14 |
PT Personally Identifiable Information Processing and Transparency
| Control | Name | SOC 2 TSC References |
|---|---|---|
| PT-01 | Policy and Procedures | CC1.2-POF1, CC1.3-POF6, CC1.4-POF1, CC2.2, CC2.2-POF1, CC2.2-POF7, CC2.3-POF7, CC3.2 +12 more |
| PT-02 | Authority to Process Personally Identifiable Information | CC6.1-POF13, CC8.1-POF18, P3.0, P3.1, P3.1-POF1, P3.1-POF2, P3.1-POF3, P3.1-POF4 +4 more |
| PT-03 | Personally Identifiable Information Processing Purposes | CC6.1-POF13, P1.1-POF1, P1.1-POF2, P1.1-POF3, P1.1-POF4, P4.1, P6.7-POF1 |
| PT-04 | Consent | P2.0, P2.1, P2.1-POF1, P2.1-POF2, P2.1-POF3, P2.1-POF5, P2.1-POF6, P3.2 +1 more |
| PT-05 | Privacy Notice | CC2.3-POF7, P1.1, P1.1-POF1, P1.1-POF2, P1.1-POF3, P1.1-POF4, P1.1-POF5, P1.1-POF7 |
| PT-07 | Specific Categories of Personally Identifiable Information | P4.0, P4.1, P4.1-POF1 |
RA Risk Assessment
| Control | Name | SOC 2 TSC References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | A1.2-POF1, CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC3.1, CC3.2-POF1, CC3.2-POF3 +14 more |
| RA-02 | Security Categorization | CC3.2 |
| RA-03 | Risk Assessment | A1.2, CC3.1-POF16, CC3.2-POF1, CC3.2-POF2, CC3.2-POF3, CC3.2-POF6, CC3.2-POF8, CC3.2-POF9 +8 more |
| RA-05 | Vulnerability Scanning | CC3.2-POF7, CC3.4-POF6, CC7.1, CC7.1-POF5, CC9.2-POF13 |
SA System and Services Acquisition
| Control | Name | SOC 2 TSC References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC2.3-POF10, CC5.2, CC5.2-POF4, CC5.3 +25 more |
| SA-02 | Allocation Of Resources | CC1.4, CC3.1-POF4, CC4.1 |
| SA-03 | Life Cycle Support | CC5.2, CC8.1, CC8.1-POF1 |
| SA-04 | Acquisitions | CC1.1-POF5, CC1.4-POF2, CC1.4-POF3, CC2.3-POF10, CC2.3-POF12, CC2.3-POF9, CC3.3, CC3.4 +22 more |
| SA-05 | Information System Documentation | CC2.1-POF7, CC2.2-POF11, CC6.1-POF1 |
| SA-08 | Security Engineering Principles | CC2.2, CC3.2, CC5.1, CC5.2, CC6.1-POF2, CC6.1-POF7, CC6.7-POF1, CC7.1 +6 more |
| SA-09 | External Information System Services | CC3.3 |
| SA-11 | Developer Security Testing | CC4.1-POF1 |
SC System and Communications Protection
| Control | Name | SOC 2 TSC References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2, CC2.2-POF1, CC2.2-POF7, CC3.2, CC5.1, CC5.2 +15 more |
| SC-05 | Denial Of Service Protection | A1.1, A1.1-POF1, A1.1-POF2, A1.1-POF3 |
| SC-06 | Resource Priority | A1.1 |
| SC-07 | Boundary Protection | CC6.1, CC6.1-POF5, CC6.6, CC6.6-POF1, CC6.6-POF3, CC6.6-POF4, CC6.8 |
| SC-08 | Transmission Integrity | CC6.1, CC6.1-POF10, CC6.7, CC6.7-POF2 |
| SC-12 | Cryptographic Key Establishment And Management | CC6.1, CC6.1-POF10, CC6.1-POF11 |
| SC-13 | Use Of Cryptography | CC6.1, CC6.1-POF10, CC6.1-POF11, CC6.6-POF2, CC6.7, CC6.7-POF2, CC6.7-POF3 |
| SC-17 | Public Key Infrastructure Certificates | CC6.1, CC6.1-POF10, CC6.1-POF11 |
SI System and Information Integrity
| Control | Name | SOC 2 TSC References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2, CC2.2-POF1, CC2.2-POF7, CC3.2, CC5.1, CC5.2 +8 more |
| SI-02 | Flaw Remediation | CC3.2-POF7, CC3.2-POF9, CC3.4-POF6, CC8.1-POF14, CC8.1-POF16, CC9.2-POF13 |
| SI-03 | Malicious Code Protection | CC3.2-POF7, CC3.2-POF9, CC3.4-POF6, CC6.6, CC6.6-POF2, CC6.8, CC6.8-POF4, CC8.1-POF14 +5 more |
| SI-04 | Information System Monitoring Tools And Techniques | CC6.6, CC6.6-POF2, CC7.2, CC7.2-POF1, CC7.3, PI1.2-POF1, PI1.2-POF2, PI1.2-POF3 |
| SI-05 | Security Alerts And Advisories | CC3.2-POF6, CC3.2-POF7, CC6.6, CC6.6-POF2, CC9.2-POF13, PI1.2-POF1, PI1.2-POF2, PI1.2-POF3 |
| SI-07 | Software And Information Integrity | CC6.6, CC6.6-POF2, CC6.8, CC7.1-POF2, CC7.1-POF3, CC7.1-POF4, PI1.2-POF1, PI1.2-POF2 +1 more |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | CC6.6, CC6.6-POF2, PI1.2-POF1, PI1.2-POF2, PI1.2-POF3 |
| SI-12 | Information Output Handling And Retention | C1.1-POF3, C1.2, C1.2-POF1, C1.2-POF2, CC6.5, CC6.5-POF2, P4.0, P4.2 +5 more |
SR Supply Chain Risk Management
| Control | Name | SOC 2 TSC References |
|---|---|---|
| SR-01 | Policy and Procedures | CC1.1-POF5, CC1.2-POF1, CC1.4-POF1, CC1.4-POF2, CC1.4-POF3, CC2.2-POF1, CC2.2-POF7, CC2.3-POF10 +23 more |
| SR-02 | Supply Chain Risk Management Plan | CC1.1-POF5, CC3.1, CC3.2, CC3.2-POF7, CC3.2-POF8, CC4.1, CC9.1, CC9.2 +10 more |
| SR-03 | Supply Chain Controls and Processes | CC9.1 |
| SR-05 | Acquisition Strategies, Tools, and Methods | CC3.3, CC9.1 |
| SR-06 | Supplier Assessments and Reviews | CC1.4-POF2, CC1.4-POF3, CC3.4, CC3.4-POF5, CC9.1, CC9.2-POF12, CC9.2-POF13, CC9.2-POF6 +2 more |
| SR-07 | Supply Chain Operations Security | CC2.2, CC3.1, CC3.2, CC3.2-POF7, CC3.2-POF8, CC4.1, CC9.2, CC9.2-POF1 +9 more |
| SR-08 | Notification Agreements | CC2.3-POF12, CC9.2-POF13 |
| SR-12 | Component Disposal | C1.2-POF2, CC6.5, CC6.5-POF2, P4.3-POF2, P4.3-POF3 |