AICPA Trust Services Principle and Criteria (TSP) – Introduction for SOC 2 Audits

The AICPA Trust Services Principles and Criteria (TSP) are essentially control criteria established by the Assurance Services Executive Committee (ASEC), and consist of Security, Availability, Processing Integrity, Confidentiality, and Privacy. Furthermore, such control criteria are used for attestation or consulting engagements for evaluating and reporting on controls over the security, availability, processing integrity, confidentiality, or privacy over information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity's operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity.

There are Five Trust Services Criteria (TSP)

As to the actual Trust Services Principles and Criteria (TSP), they comprise of the following:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

So, what is a “System” for Purposes of the Trust Service Principles and Criteria?

• Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
• Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities).
• People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel and managers).
• Processes. The automated and manual procedures.
• Data. Transaction streams, files, databases, tables, and output used or processed by a system.

SECURITY Trust Services Principles & Criteria

SECURITY: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives. It’s important to note that the SECURTY TSP essentially refers to the protection of information during its collection or creation, use, processing, transmission, and storage.

Key to the SECURITY TSP is ensuring unauthorized access – logical or physical – to systems and facilities, thus the following “Common Criteria” relating to logical and physical access controls would apply when assessing the SECURTY TSP.

• Logical access security software, infrastructure, and architectures have been implemented to support various user activities.
• New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials, etc.
• Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity's commitments and system requirements, etc.
• Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to meet the entity's commitments and system requirements, etc.
• Physical access to facilities housing the system is restricted to authorized personnel to meet the entity's commitments and system requirements, etc.
• Logical access security measures have been implemented to protect against threats from sources outside the boundaries of the system to meet the entity's commitments and system requirements.
• The transmission, movement, and removal of information is restricted to authorized internal and external users and processes, etc.
• Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software, etc.

Please note that the above listing of common criteria is merely a sample that are used for assessing the SECURITY TSP.

AVAILABILITY Trust Services Principles & Criteria

AVAILABILITY: Information and systems are available for operation and use to meet the entity's objectives. As for the AVAILABILTY TSP, it essentially refers to the accessibility of information used by the entity's systems, as well as the products or services provided to its customers.

Examples of the AVAILABILITY TSP being assessed during a SOC 2 audit would include the following:

• Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity's availability commitments and system requirements.
• Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity's availability commitments and system requirements.
• Recovery plan procedures supporting system recovery are tested to help meet the entity's availability commitments and system requirements.

Please note that the above listing of common criteria is merely a sample that are used for assessing the AVAILABILITY TSP.

PROCESSING INTEGRITY Trust Services Principles & Criteria

PROCESSING INTEGRITY: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. The PROCESSING INTEGRIGY TSP refers to the completeness, validity, accuracy, timeliness, and authorization of system processing.

Examples of the PROCESSING INTEGRITY TSP being assessed during a SOC 2 audit would include the following:

• Procedures exist to prevent, or detect and correct, processing errors to meet the entity's processing integrity commitments and system requirements.
• System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements.
• Data is processed completely, accurately, and timely as authorized to meet the entity's processing integrity commitments and system requirements.
• Data is stored and maintained completely, accurately, and in a timely manner for its specified life span to meet the entity's processing integrity commitments and system requirements.
• System output is complete, accurate, distributed, and retained to meet the entity's processing integrity commitments and system requirements.
• Modification of data, other than routine transaction processing, is authorized and processed to meet the entity's processing integrity commitments and system requirements.

Please note that the above listing of common criteria is merely a sample that are used for assessing the PROCESSING INTEGRITY TSP.

CONFIDENTIALITY Trust Services Principles & Criteria

CONFIDENTIALITY: Information designated as confidential is protected to meet the entity's objectives. The CONFIDENTIALITY TSP refers to the entity's ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity's control in accordance with management's objectives.

Examples of the CONFIDENTIALITY TSP being assessed during a SOC 2 audit would include the following:

• Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity's confidentiality commitments and system requirements.
• Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition to meet the entity's confidentiality commitments and system requirements.
• Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties to meet the entity's confidentiality commitments and system requirements.
• The entity obtains confidentiality commitments that are consistent with the entity's confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information.
• Compliance with the entity's confidentiality commitments and system requirements by vendors and others third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary.

Please note that the above listing of common criteria is merely a sample that are used for assessing the CONFIDENTIALITY TSP.

PRIVACY: Personal information is collected, used, retained, disclosed, and disposed to meet the entity's objectives. The privacy criteria consist of the following:

• Notice and communication of objectives.
• Choice and consent.
• Collection.
• Use, retention, and disposal.
• Access.
• Disclosure and notification.
• Quality.
• Monitoring and enforcement.

NDNB. North America’s Leading Providers of SOC 2 Audits

NDNB has been a recognized leader in the field of regulatory compliance. We’ve issued hundreds of SAS 70, SSAE 16, SSAE 18, SOC 2 and SOC 3 reports since 2006. We offer fixed-fees, superior service, and a high-degree of audit efficiency.

Hosting in Amazon AWS and Need a SOC 1 or SOC 2 Audit? Let's Talk.

Additionally, we’re experts when it comes to SOC 2 compliance, having a deep understanding of how to apply the actual TSP to all applicable industries and sectors. From managed security services to SaaS platforms – and more – we truly understand how the SOC 2 framework should be applied.

To learn more about SOC 2 and TSP, please contact Christopher Nickell, CPA, at This email address is being protected from spambots. You need JavaScript enabled to view it., or at 1-800-277-5415, ext. 706 today. With literally hundreds of SOC 2 audit reports issued over the past decade, we are the firm to turn to when it comes to audit knowledge, expertise, efficiency, and pricing.