SOC 2 Trust Services Criteria
The AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy, used as the control criteria in SOC 2 attestation engagements. The common criteria (CC1 through CC9) apply to every SOC 2 report; the availability (A), confidentiality (C), processing integrity (PI), and privacy (P) criteria apply only when the corresponding category is in scope. Rows marked POF are points of focus: they illustrate how a criterion may be met and are not themselves required controls.
| Clause | Title | SP 800-53 Controls |
|---|---|---|
| A1.1 | The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives | |
| A1.1-POF1 | A1.1 POF1: Manages capacity to meet objectives — Processing capacity and use of system components are managed | |
| A1.2 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives | |
| A1.2-POF1 | A1.2 POF1: Implements recovery infrastructure and software — Recovery infrastructure is implemented and maintained | |
| A1.2-POF2 | A1.2 POF2: Implements environmental protections — Environmental protections for data centers and facilities are implemented | |
| A1.2-POF3 | A1.2 POF3: Implements data backup processes — Data backup and recovery processes are implemented and maintained | |
| A1.3 | The entity tests recovery plan procedures supporting system recovery to meet its objectives | |
| C1.1 | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality | |
| C1.1-POF1 | C1.1 POF1: Identifies confidential information — The entity has procedures to identify confidential information | |
| C1.2 | The entity disposes of confidential information to meet the entity's objectives related to confidentiality | |
| CC1.1 | COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values | |
| CC1.1-POF1 | CC1.1 POF1: Sets the tone at the top — The board of directors and management demonstrate commitment to integrity and ethical values | |
| CC1.1-POF2 | CC1.1 POF2: Establishes standards of conduct — Expectations of the board and senior management concerning integrity and ethical values are defined | |
| CC1.1-POF3 | CC1.1 POF3: Evaluates adherence to standards of conduct — Processes are in place to evaluate performance against standards of conduct | |
| CC1.1-POF4 | CC1.1 POF4: Addresses deviations in a timely manner — Deviations from standards of conduct are identified and remedied in a timely manner | |
| CC1.2 | COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control | |
| CC1.2-POF1 | CC1.2 POF1: Establishes oversight responsibilities — The board identifies and accepts its oversight responsibilities in relation to established requirements and expectations | |
| CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives | |
| CC1.3-POF1 | CC1.3 POF1: Considers all structures of the entity — Management and the board consider the multiple structures used to support the achievement of objectives | |
| CC1.4 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives | |
| CC1.4-POF1 | CC1.4 POF1: Establishes policies and practices — Policies and practices reflect expectations of competence necessary to support the achievement of objectives | |
| CC1.4-POF2 | CC1.4 POF2: Evaluates competence and addresses shortcomings — The board and management evaluate competence and address shortcomings | |
| CC1.4-POF3 | CC1.4 POF3: Attracts, develops, and retains individuals — The entity provides mentoring and training to attract, develop, and retain sufficient and competent personnel | |
| CC1.4-POF4 | CC1.4 POF4: Plans and prepares for succession — Senior management and the board develop succession plans for key roles | |
| CC1.5 | COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives | |
| CC1.5-POF1 | CC1.5 POF1: Enforces accountability through structures, authorities, and responsibilities — Management and the board establish mechanisms to communicate and hold individuals accountable | |
| CC2.1 | COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control | |
| CC2.1-POF1 | CC2.1 POF1: Identifies information requirements — A process is in place to identify information required to support internal control | |
| CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control | |
| CC2.2-POF1 | CC2.2 POF1: Communicates internal control information — A process is in place to communicate required information to enable all personnel to understand and carry out their responsibilities | |
| CC2.2-POF3 | CC2.2 POF3: Communicates with the board of directors — Information necessary for the board to oversee internal control is communicated | |
| CC2.2-POF7 | CC2.2 POF7: Communicates objectives and changes to objectives — The entity communicates its objectives and changes to those objectives | |
| CC2.2-POF10 | CC2.2 POF10: Provides separate communication lines — Separate communication channels such as whistle-blower hotlines are in place and serve as fail-safe mechanisms | |
| CC2.3 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control | |
| CC2.3-POF1 | CC2.3 POF1: Communicates to external parties — Processes are in place to communicate relevant information to external parties | |
| CC2.3-POF12 | CC2.3 POF12: Provides information on notification agreements — The entity notifies external parties of system changes affecting their operation | |
| CC3.1 | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives | |
| CC3.2 | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed | |
| CC3.2-POF1 | CC3.2 POF1: Includes entity, subsidiary, division, operating unit, and functional levels — Risks to the achievement of objectives are identified and assessed at the entity, subsidiary, division, operating unit, and functional levels | |
| CC3.3 | COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives | |
| CC3.3-POF1 | CC3.3 POF1: Considers various types of fraud — The entity considers fraudulent reporting, possible loss of assets, and corruption | |
| CC3.4 | COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control | |
| CC3.4-POF1 | CC3.4 POF1: Assesses changes in the external environment — The entity considers changes in regulatory, economic, and physical environments | |
| CC3.4-POF2 | CC3.4 POF2: Assesses changes in the business model — The entity considers the impact of new business lines, altered compositions of existing business lines, and acquired or divested business operations | |
| CC3.4-POF3 | CC3.4 POF3: Assesses changes in leadership — The entity considers changes in management and other personnel | |
| CC4.1 | COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning | |
| CC4.1-POF1 | CC4.1 POF1: Considers a mix of ongoing and separate evaluations — Management includes a balance of ongoing evaluations built into processes and separate evaluations | |
| CC4.2 | COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate | |
| CC4.2-POF1 | CC4.2 POF1: Assesses results — Management and the board assess results of ongoing and separate evaluations | |
| CC4.2-POF2 | CC4.2 POF2: Communicates deficiencies — Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board as appropriate | |
| CC5.1 | COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels | |
| CC5.2 | COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives | |
| CC5.2-POF1 | CC5.2 POF1: Determines dependency between the use of technology in business processes and technology general controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls | |
| CC5.3 | COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action | |
| CC5.3-POF1 | CC5.3 POF1: Establishes policies and procedures to support deployment of management's directives — Control activities are built into business processes and day-to-day activities through policies establishing what is expected and procedures specifying the actions to be taken | |
| CC5.3-POF6 | CC5.3 POF6: Reassesses policies and procedures — Management periodically reassesses policies and procedures for continued relevance and effectiveness | |
| CC6.1 | Logical and Physical Access Controls — The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives | |
| CC6.1-POF1 | CC6.1 POF1: Identifies and manages the inventory of information assets — The entity identifies and manages information assets | |
| CC6.1-POF2 | CC6.1 POF2: Restricts logical access — Access to information assets is restricted through logical access security measures | |
| CC6.1-POF3 | CC6.1 POF3: Considers network segmentation — Network segmentation is implemented to restrict access | |
| CC6.1-POF4 | CC6.1 POF4: Manages points of access — Points of access to information assets are managed and protected | |
| CC6.1-POF5 | CC6.1 POF5: Restricts access to information assets — Access to information assets is restricted through identity management | |
| CC6.1-POF6 | CC6.1 POF6: Manages identification and authentication — User identification and authentication is managed | |
| CC6.1-POF7 | CC6.1 POF7: Manages credentials for infrastructure and software — System and application credentials are managed | |
| CC6.1-POF8 | CC6.1 POF8: Uses encryption to protect data — Encryption is used to supplement, not replace, other measures protecting data at rest, where the assessed risk warrants it | |
| CC6.1-POF9 | CC6.1 POF9: Protects encryption keys — Processes are in place to protect encryption keys throughout their life cycle: generation, storage, use, and destruction | |
| CC6.2 | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity | |
| CC6.2-POF1 | CC6.2 POF1: Controls access credentials to protected assets — New internal and external users are registered and authorized prior to being issued credentials and granted access | |
| CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties | |
| CC6.3-POF1 | CC6.3 POF1: Creates or modifies access — Processes are in place to create or modify access to protected assets | |
| CC6.4 | The entity restricts physical access to facilities and protected information assets to authorized personnel to meet the entity's objectives | |
| CC6.5 | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives (removal of user access that is no longer needed falls under CC6.3) | |
| CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries | |
| CC6.6-POF1 | CC6.6 POF1: Restricts access — The entity restricts access through network security and entry points | |
| CC6.6-POF2 | CC6.6 POF2: Protects identification and authentication credentials — Identification and authentication credentials are protected during transmission outside system boundaries | |
| CC6.6-POF3 | CC6.6 POF3: Requires additional authentication or credentials — Additional authentication measures are required for access from outside system boundaries | |
| CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives | |
| CC6.7-POF1 | CC6.7 POF1: Restricts the ability to perform transmission — Data loss prevention processes are in place to detect and prevent unauthorized transmission | |
| CC6.8 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives | |
| CC7.1 | To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities | |
| CC7.1-POF1 | CC7.1 POF1: Uses defined configuration standards — The entity uses defined configuration standards to assess newly deployed or changed IT assets | |
| CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events | |
| CC7.2-POF1 | CC7.2 POF1: Implements detection policies, procedures, and tools — The entity implements and maintains detection policies, procedures, and tools | |
| CC7.2-POF2 | CC7.2 POF2: Designs detection measures — Detection measures are designed to identify anomalies including known and unknown threats | |
| CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures | |
| CC7.3-POF1 | CC7.3 POF1: Responds to security incidents — Procedures are in place to respond to security incidents | |
| CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate | |
| CC7.4-POF1 | CC7.4 POF1: Assigns roles and responsibilities — Roles and responsibilities for responding to incidents are assigned | |
| CC7.4-POF2 | CC7.4 POF2: Contains security incidents — Processes are in place to contain security incidents | |
| CC7.4-POF3 | CC7.4 POF3: Mitigates ongoing security incidents — Procedures are in place to mitigate the effects of ongoing incidents | |
| CC7.4-POF4 | CC7.4 POF4: Ends threats posed by security incidents — Steps are taken to end the threats posed by security incidents | |
| CC7.4-POF5 | CC7.4 POF5: Restores operations — Procedures are in place to restore normal operations | |
| CC7.4-POF6 | CC7.4 POF6: Develops and implements communication protocols for security incidents — Protocols for communicating security incidents and the actions taken to affected parties are developed and implemented | |
| CC7.4-POF10 | CC7.4 POF10: Meets regulatory notification requirements — The entity meets notification requirements for security incidents | |
| CC7.4-POF11 | CC7.4 POF11: Obtains understanding of nature of incident — The entity obtains understanding of the incident nature and scope | |
| CC7.4-POF12 | CC7.4 POF12: Remediates identified vulnerabilities — The entity remediates identified vulnerabilities following incidents | |
| CC7.4-POF13 | CC7.4 POF13: Evaluates the effectiveness of incident response — The entity evaluates incident response effectiveness | |
| CC7.5 | The entity identifies, develops, and implements activities to recover from identified security incidents | |
| CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures required to meet its objectives | |
| CC8.1-POF1 | CC8.1 POF1: Manages changes throughout the system life cycle — Processes are in place to manage changes to system components through the life cycle | |
| CC9.1 | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions | |
| CC9.1-POF1 | CC9.1 POF1: Considers mitigation through business continuity — The entity considers mitigation through contingency planning | |
| CC9.2 | The entity assesses and manages risks associated with vendors and business partners | |
| CC9.2-POF1 | CC9.2 POF1: Creates policies for vendor and business partner risk management — Vendor risk management processes are established | |
| CC9.2-POF13 | CC9.2 POF13: Assesses vendor and business partner risks — The entity periodically assesses vendor and business partner risks | |
| P1.0 | Privacy Criteria Introduction — The entity's privacy practices meet its objectives | |
| P1.1 | The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy | |
| P1.1-POF1 | P1.1 POF1: Communicates to data subjects — Privacy notices are provided to data subjects | |
| P1.1-POF5 | P1.1 POF5: Provides notice of changes — Data subjects are notified of changes to the entity's privacy practices | |
| P1.2 | The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects and obtains consent | |
| P1.3 | The entity collects personal information only for the purposes identified in the notice to the data subject | |
| P1.4 | The entity limits the use of personal information to the purposes identified in the notice and for which the data subject has provided explicit consent | |
| P1.5 | The entity retains personal information consistent with the entity's objectives related to privacy | |
| P1.6 | The entity disposes of personal information to meet the entity's privacy objectives | |
| P1.7 | The entity discloses personal information to third parties with the consent of the data subject or as authorized under applicable law or regulation | |
| P1.8 | The entity provides data subjects with access to their personal information for review and correction | |
| P1.9 | The entity provides data subjects the ability to update and correct personal information | |
| PI1.1 | The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services | |
| PI1.2 | The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives | |
| PI1.3 | The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives | |
| PI1.4 | The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives | |
| PI1.5 | The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives |