Blog Post
7 min read

How do I know what categories to choose for my SOC 2® report?

Shonda Knowles Elliott, CPA, Senior Manager

April 27, 2023
The Compass:
Helping you navigate the myths, intricacies, and questions around SOC 2 compliance.

Q:  How do I know what categories to choose for my SOC 2® report?

A:  MJD Answer

In general, all SOC 2 reports must cover the trust services criteria relevant to security, so that is a good place to start. Deciding on the other trust services categories (availability, confidentiality, processing integrity, and privacy), you’ll want to consider the types of services you provide and the risks associated with those services. Here’s a quick explanation of each of the trust services criteria:

  • Security - Systems and data stored by a company are protected against unauthorized access and unauthorized disclosure.
  • Availability - Information and systems are available for operation and use.
  • Confidentiality - Confidential information is protected.
  • Processing Integrity - System processing is complete, valid, accurate, timely, and authorized. 
  • Privacy - Personal information is collected, used, retained, disclosed, and disposed on in accordance with pre-stated policies.

Generally, starting with the service commitments communicated to users and/or business partners of your services is really helpful for highlighting the criteria that are likely most relevant and would be most useful to the readers of your SOC 2 report. Put simply, if you’re wondering whether the availability trust services category should be included in the scope of your report but you’re not making commitments related to uptime, backups and recovery plans, or other availability factors either in agreements with your customers or on your website, then the answer to such question is likely “no.” The reason being that many of the criteria related to availability may not be relevant to your customers given your service commitments and respective system requirements.

ChatGPT answer

​​Choosing the appropriate trust services criteria for your SOC 2 report will depend on your organization's specific circumstances and the type of services that you provide to your customers. The trust services criteria are divided into five categories:

  1. Security: Addresses the security of an organization's systems and data, including access controls, encryption, and physical security measures.
  2. Availability: Addresses an organization's ability to provide timely and reliable access to its services, including system uptime, disaster recovery, and business continuity planning.
  3. Processing Integrity: Addresses the accuracy, completeness, and validity of an organization's data processing, including data input, processing, output, and storage.
  4. Confidentiality: Addresses an organization's ability to protect confidential information, including sensitive customer data, financial information, and intellectual property.
  5. Privacy: Addresses an organization's collection, use, retention, disclosure, and disposal of personal information in accordance with its privacy policies and applicable laws and regulations.

To determine which trust services criteria to choose, you should consider the services that your organization provides and the types of risks that are associated with those services. You should also consider any regulatory requirements that your organization must comply with, as well as the expectations of your customers.

You may also want to consult with a qualified auditor or a SOC 2 consulting firm to help you identify the most appropriate trust services criteria for your organization and to ensure that you are meeting the necessary requirements for a successful SOC 2 audit.

Overall, maintaining SOC 2 compliance is an ongoing process that requires continuous attention and effort. The organization should be proactive in addressing any issues and maintaining its controls to ensure ongoing compliance with SOC 2 requirements.

More posts

GRC Superheroes

Putting the right team together can be exciting and challenging. It's something we think about a lot, so we decided to share the superheroes that make up our GRC dream team.

Blog Post
What's required after my first SOC 2® report?

You’ve completed your SOC 2 report. That first-time report can be a lot of work, and it’s worth celebrating while you hang the new AICPA logo on the website. So what’s next?

Penetration Testing: Why It’s Important + Common Types

Penetration testing simulates an outside attack on your applications and network. Drata shares the types of pen tests and how to conduct one to prevent risk.