The AICPA released a new exposure draft of the SOC 2 Trust Services Principles and Criteria for public comment. This represents an effort by the Assurance Services Executive Committee (ASEC) to revise the trust services principles and criteria to increase clarity, eliminate redundancy and update based on today’s technologically driven business environment. Below is a summary of our observations on the current exposure draft:
- The primary change is that many of the current criteria have been combined into a set of “common criteria.” Common criteria constitute the complete set of criteria for the Security Trust Principle. The common criteria concept is widely accepted and already used in many international information technology assessment frameworks and security standards.
- As such, the Security Trust Principle must always be included in the scope of the report (one cannot report on Availability, Confidentiality or Processing Integrity Trust Principles without also including the Security Trust Principle).
- The common set of security criteria eliminates much of the redundancy that was found in the previous framework. This is a welcome change and as a result, reports in the future should be more concise and easier to understand.
- The Processing Integrity Trust Principle is laid out in a much more understandable format. The e-commerce criteria have been removed in this draft, making this applicable to a wider set of organizations.
- This exposure draft only affects the Security, Availability, Confidentiality and Processing Integrity Trust Principles. The Privacy Trust Principle will be revised separately in the Generally Accepted Privacy Principles (GAPP).
Sikich LLP has extensive experience helping service organizations demonstrate that their control environments are properly designed and operating effectively. We provide a range of SOC assurance services, including readiness assessment services and information technology consulting to assist your service organization in preparation for a successful SOC audit.