SOC 2 Trust Services Criteria
Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. Used for SOC 2 attestation engagements.
AC (8) AT (2) AU (7) CA (6) CM (9) CP (8) IA (5) IR (5) MA (1) MP (3) PE (15) PL (4) PS (8) PT (3) RA (6) SA (8) SC (11) SI (9) SR (8)
AC Access Control
| Control | Name | SOC 2 TSC References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC6.1, CC6.1-POF3, CC6.1-POF7, CC6.1-POF8, CC6.1-POF9, CC6.6, CC6.6-POF2, CC6.6-POF3, CC7.2-POF1, P1.1-POF5 |
| AC-02 | Account Management | CC6.1, CC6.6, CC6.6-POF2 |
| AC-03 | Access Enforcement | CC6.1, CC6.6, CC6.6-POF2 |
| AC-04 | Information Flow Enforcement | CC6.1, CC6.1-POF6, CC6.6, CC6.6-POF1 |
| AC-05 | Separation Of Duties | CC5.1, CC6.6, CC6.6-POF2 |
| AC-06 | Least Privilege | CC6.1, CC6.1-POF7 |
| AC-17 | Remote Access | CC6.6, CC6.6-POF3 |
| AC-20 | Use Of External Information Systems | CC6.7 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | SOC 2 TSC References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2, CC7.2-POF1, P1.1-POF5 |
| AU-02 | Auditable Events | CC6.1-POF7, CC6.7-POF1, CC7.1, CC7.1-POF1, CC7.2, CC7.2-POF1, CC7.3, CC8.1, PI1.4 |
| AU-03 | Content Of Audit Records | PI1.4 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | CC7.2, CC7.2-POF1, CC7.3 |
| AU-07 | Audit Reduction And Report Generation | CC7.2, CC7.3 |
| AU-09 | Protection Of Audit Information | PI1.4, PI1.5 |
| AU-11 | Audit Record Retention | C1.2 |
CA Security Assessment and Authorization
| Control | Name | SOC 2 TSC References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC4.1, CC5.3, CC5.3-POF1, CC5.3-POF6, CC6.1-POF2, CC6.1-POF9, CC7.2-POF1, P1.1-POF5 |
| CA-02 | Security Assessments | CC1.1-POF3, CC3.1, CC4.1, CC5.2, CC6.1-POF2 |
| CA-05 | Plan Of Action And Milestones | CC4.2 |
| CA-06 | Security Accreditation | CC6.1-POF9 |
| CA-07 | Continuous Monitoring | CC1.1, CC1.1-POF3, CC2.2, CC2.3, CC4.2-POF1, CC4.2-POF2 |
| CA-09 | Internal System Connections | CC6.1, CC7.1 |
CM Configuration Management
| Control | Name | SOC 2 TSC References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.1, CC7.1-POF1, CC7.2-POF1, P1.1-POF5 |
| CM-02 | Baseline Configuration | CC6.1-POF7, CC6.7-POF1, CC7.1, CC7.1-POF1, CC8.1 |
| CM-03 | Configuration Change Control | CC3.4, CC8.1, CC8.1-POF1 |
| CM-04 | Monitoring Configuration Changes | CC3.4 |
| CM-06 | Configuration Settings | CC6.1-POF7, CC6.7-POF1, CC7.1, CC7.1-POF1, CC8.1 |
| CM-07 | Least Functionality | CC6.1-POF7, CC6.7-POF1 |
| CM-08 | Information System Component Inventory | CC6.1-POF1 |
| CM-12 | Information Location | C1.1, CC6.1-POF1 |
| CM-13 | Data Action Mapping | CC6.7, P1.3, P1.4, P1.5, P1.6, P1.7 |
CP Contingency Planning
| Control | Name | SOC 2 TSC References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | A1.2, A1.2-POF1, A1.2-POF2, A1.2-POF3, CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2-POF1, CC7.4-POF5, CC7.5, CC9.1, CC9.1-POF1, P1.1-POF5 |
| CP-02 | Contingency Plan | A1.2, A1.2-POF1, A1.2-POF2, A1.2-POF3, CC7.4-POF5, CC7.5, CC9.1, CC9.1-POF1 |
| CP-04 | Contingency Plan Testing And Exercises | A1.3, CC7.4-POF10, CC7.5 |
| CP-06 | Alternate Storage Site | A1.2 |
| CP-07 | Alternate Processing Site | A1.2 |
| CP-08 | Telecommunications Services | A1.2 |
| CP-09 | Information System Backup | A1.2, CC7.5 |
| CP-10 | Information System Recovery And Reconstitution | A1.2, A1.2-POF1, A1.2-POF2, A1.2-POF3, CC7.4-POF5, CC7.5, CC9.1, CC9.1-POF1 |
IA Identification and Authentication
| Control | Name | SOC 2 TSC References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC6.1, CC6.1-POF3, CC6.1-POF7, CC6.1-POF8, CC6.1-POF9, CC6.6, CC6.6-POF2, CC6.6-POF3, CC7.2-POF1, P1.1-POF5 |
| IA-02 | User Identification And Authentication | CC6.1, CC6.1-POF3, CC6.1-POF4, CC6.1-POF8 |
| IA-03 | Device Identification And Authentication | CC6.1, CC6.1-POF3, CC6.1-POF8 |
| IA-04 | Identifier Management | CC6.1, CC6.1-POF3, CC6.1-POF4, CC6.6, CC6.6-POF2, CC6.6-POF3 |
| IA-05 | Authenticator Management | CC6.1 |
IR Incident Response
| Control | Name | SOC 2 TSC References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF10, CC2.2-POF3, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2-POF1, CC7.3, CC7.3-POF1, CC7.4, CC7.4-POF1, CC7.4-POF10, CC7.4-POF11, CC7.4-POF12, CC7.4-POF13, CC7.4-POF2, CC7.4-POF3, CC7.4-POF4, CC7.4-POF5, CC7.4-POF6, P1.1-POF5 |
| IR-04 | Incident Handling | CC2.2-POF10, CC2.2-POF3, CC7.3, CC7.3-POF1, CC7.4, CC7.4-POF1, CC7.4-POF10, CC7.4-POF11, CC7.4-POF12, CC7.4-POF13, CC7.4-POF2, CC7.4-POF3, CC7.4-POF4, CC7.4-POF5, CC7.4-POF6 |
| IR-05 | Incident Monitoring | CC7.4, CC7.4-POF6 |
| IR-06 | Incident Reporting | CC2.3, CC2.3-POF1, CC7.4, CC7.4-POF13, CC7.4-POF6 |
| IR-09 | Information Spillage Response | CC7.4 |
MA Maintenance
| Control | Name | SOC 2 TSC References |
|---|---|---|
| MA-01 | System Maintenance Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2-POF1, P1.1-POF5 |
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | SOC 2 TSC References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | A1.2, A1.2-POF1, A1.2-POF2, A1.2-POF3, CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.3, CC5.3-POF1, CC5.3-POF6, CC6.4, CC7.2-POF1, P1.1-POF5 |
| PE-02 | Physical Access Authorizations | CC6.4 |
| PE-03 | Physical Access Control | CC6.4 |
| PE-05 | Access Control For Display Medium | PI1.4 |
| PE-09 | Power Equipment And Power Cabling | A1.2 |
| PE-10 | Emergency Shutoff | A1.2 |
| PE-11 | Emergency Power | A1.2 |
| PE-12 | Emergency Lighting | A1.2 |
| PE-13 | Fire Protection | A1.2 |
| PE-14 | Temperature And Humidity Controls | A1.2, A1.2-POF2 |
| PE-15 | Water Damage Protection | A1.2 |
| PE-16 | Delivery And Removal | A1.2 |
| PE-17 | Alternate Work Site | A1.2 |
| PE-18 | Location Of Information System Components | A1.2 |
| PE-19 | Information Leakage | A1.2 |
PL Planning
| Control | Name | SOC 2 TSC References |
|---|---|---|
| PL-01 | Security Planning Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC1.5, CC2.2, CC2.2-POF1, CC2.2-POF7, CC2.3, CC3.1, CC3.4, CC5.2, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2-POF1, P1.1-POF5, PI1.2, PI1.3 |
| PL-02 | System Security Plan | C1.1-POF1, CC2.1, CC4.1 |
| PL-04 | Rules Of Behavior | CC1.1 |
| PL-09 | Central Management | CC1.1, CC5.3 |
PS Personnel Security
| Control | Name | SOC 2 TSC References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | CC1.1, CC1.1-POF1, CC1.1-POF3, CC1.2-POF1, CC1.4, CC1.4-POF1, CC1.4-POF2, CC1.4-POF3, CC2.2-POF1, CC2.2-POF3, CC2.2-POF7, CC3.3-POF1, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2-POF1, P1.1-POF5 |
| PS-02 | Position Categorization | CC1.2, CC1.2-POF1, CC1.3, CC1.4-POF2, CC1.5, CC5.3 |
| PS-04 | Personnel Termination | CC1.5 |
| PS-05 | Personnel Transfer | CC1.5 |
| PS-06 | Access Agreements | CC1.5 |
| PS-07 | Third-Party Personnel Security | CC5.3 |
| PS-08 | Personnel Sanctions | CC1.1-POF4, CC1.5 |
| PS-09 | Position Descriptions | CC1.4, CC1.5 |
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
| Control | Name | SOC 2 TSC References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | A1.2-POF1, CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC3.1, CC3.2-POF1, CC3.4-POF1, CC3.4-POF2, CC3.4-POF3, CC4.1, CC5.1, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2-POF1, CC9.1, P1.1-POF5 |
| RA-02 | Security Categorization | CC3.2 |
| RA-03 | Risk Assessment | A1.2, CC3.2-POF1, CC3.4-POF1, CC3.4-POF2, CC3.4-POF3, CC4.1, CC7.3 |
| RA-05 | Vulnerability Scanning | CC7.1, CC9.2-POF13 |
| RA-07 | Risk Response | CC3.2, CC9.1 |
| RA-09 | Criticality Analysis | CC3.1, CC9.1 |
SA System and Services Acquisition
| Control | Name | SOC 2 TSC References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2-POF1, CC2.2-POF7, CC5.2, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2-POF1, P1.1-POF5, PI1.1, PI1.2, PI1.3, PI1.4, PI1.5 |
| SA-02 | Allocation Of Resources | CC1.4, CC4.1 |
| SA-03 | Life Cycle Support | CC5.2, CC8.1, CC8.1-POF1 |
| SA-04 | Acquisitions | CC1.4-POF2, CC1.4-POF3, CC2.3-POF12, CC3.3, CC3.4, CC5.2, CC9.1, CC9.2, CC9.2-POF1, PI1.2, PI1.3 |
| SA-05 | Information System Documentation | CC6.1-POF1 |
| SA-08 | Security Engineering Principles | CC2.2, CC3.2, CC5.1, CC5.2, CC6.1-POF2, CC6.1-POF7, CC6.7-POF1, CC7.1, CC7.1-POF1, CC8.1 |
| SA-09 | External Information System Services | CC3.3 |
| SA-11 | Developer Security Testing | CC4.1-POF1 |
SC System and Communications Protection
| Control | Name | SOC 2 TSC References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2, CC2.2-POF1, CC2.2-POF7, CC3.2, CC5.1, CC5.2, CC5.3, CC5.3-POF1, CC5.3-POF6, CC6.1, CC6.1-POF2, CC6.1-POF5, CC6.6, CC6.6-POF1, CC6.6-POF2, CC6.6-POF3, CC7.2-POF1, P1.1-POF5 |
| SC-05 | Denial Of Service Protection | A1.1, A1.1-POF1 |
| SC-06 | Resource Priority | A1.1 |
| SC-07 | Boundary Protection | CC6.1, CC6.1-POF5, CC6.6, CC6.6-POF1, CC6.6-POF3, CC6.8 |
| SC-08 | Transmission Integrity | CC6.1, CC6.7 |
| SC-12 | Cryptographic Key Establishment And Management | CC6.1 |
| SC-13 | Use Of Cryptography | CC6.1, CC6.6-POF2, CC6.7 |
| SC-17 | Public Key Infrastructure Certificates | CC6.1 |
| SC-24 | Fail in Known State | A1.2, CC7.4-POF5 |
| SC-42 | Sensor Capability and Data | P1.0, P1.3 |
| SC-45 | System Time Synchronization | CC7.1, CC7.2 |
SI System and Information Integrity
| Control | Name | SOC 2 TSC References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | CC1.2-POF1, CC1.4-POF1, CC2.2, CC2.2-POF1, CC2.2-POF7, CC3.2, CC5.1, CC5.2, CC5.3, CC5.3-POF1, CC5.3-POF6, CC6.1-POF2, CC7.2-POF1, P1.1-POF5 |
| SI-02 | Flaw Remediation | CC9.2-POF13 |
| SI-03 | Malicious Code Protection | CC6.6, CC6.6-POF2, CC6.8, CC9.2-POF13 |
| SI-04 | Information System Monitoring Tools And Techniques | CC6.6, CC6.6-POF2, CC7.2, CC7.2-POF1, CC7.3 |
| SI-05 | Security Alerts And Advisories | CC6.6, CC6.6-POF2, CC9.2-POF13 |
| SI-07 | Software And Information Integrity | CC6.6, CC6.6-POF2, CC6.8 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | CC6.6, CC6.6-POF2 |
| SI-12 | Information Output Handling And Retention | C1.2, CC6.5, PI1.5 |
| SI-18 | Personally Identifiable Information Quality Operations | P1.8, P1.9 |
SR Supply Chain Risk Management
| Control | Name | SOC 2 TSC References |
|---|---|---|
| SR-01 | Policy and Procedures | CC1.2-POF1, CC1.4-POF1, CC1.4-POF2, CC1.4-POF3, CC2.2-POF1, CC2.2-POF7, CC2.3-POF12, CC3.3, CC5.3, CC5.3-POF1, CC5.3-POF6, CC7.2-POF1, CC9.1, CC9.2, CC9.2-POF1, P1.1-POF5 |
| SR-02 | Supply Chain Risk Management Plan | CC3.1, CC3.2, CC4.1, CC9.1, CC9.2, CC9.2-POF1 |
| SR-03 | Supply Chain Controls and Processes | CC9.1 |
| SR-05 | Acquisition Strategies, Tools, and Methods | CC3.3, CC9.1 |
| SR-06 | Supplier Assessments and Reviews | CC1.4-POF2, CC1.4-POF3, CC3.4, CC9.1, CC9.2-POF13 |
| SR-07 | Supply Chain Operations Security | CC2.2, CC3.1, CC3.2, CC4.1, CC9.2, CC9.2-POF1 |
| SR-08 | Notification Agreements | CC2.3-POF12, CC9.2-POF13 |
| SR-12 | Component Disposal | CC6.5 |