Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
Secure Controls Framework
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Cart
Start Here
Products
Bundles
Updates
Reasons To Buy
Certification Options

Trust Services Criteria (TSC) For SOC 2® Certification

Since documentation artifacts (e.g., policies, standards, procedures, etc.) are expectations for demonstrating a cybersecurity program exists, a common question we receive is about "What products do I need for SOC 2 certification?" That is a bit of a loaded question, since there are a few missing pieces of information that need to be clarified before we can answer what ComplianceForge product will work best for your your specific needs.

  • It is important to note that ComplianceForge does not offer "SOC®-specific policies & standards" since we build our documentation to align with a single cybersecurity framework (e.g., NIST CSF, ISO 27001/2, NIST SP 800-53 and the Secure Controls Framework (SCF)). However, with the framework crosswalk mapping, it is possible to use the selected cybersecurity framework to ensure the necessary policies, standards, procedures, etc. address necessary TSC requirements.
  • The auditor you choose for a SOC 2 will be required to follow specific professional standards established by AICPA and it involves an assessment against AICPA’s Trust Services Criteria (TSC). The good news is the TSC maps to most common cybersecurity frameworks (e.g., ISO 27002, NIST 800-53, etc.).
Key Takeaways - Trust Services Criteria (TSC) for SOC 2
  • SOC 2 (System and Organization Controls 2) is an audit framework from the AICPA for service organizations managing customer data.
  • Based on five Trust Services Criteria. Security (required), Availability, Processing Integrity, Confidentiality, and Privacy (optional based on scope).
  • Type I evaluates control design at a point in time. Type II evaluates control effectiveness over a period (typically 6 to 12 months).
  • Increasingly required by enterprise customers, especially for SaaS, cloud, MSP / MSSP, and data processing organizations.
  • ComplianceForge TSC-aligned documentation also maps to NIST CSF, ISO 27001, and 200 plus frameworks through the SCF.
Overview

What Is SOC 2 / TSC?

Since Certified Public Accountant (CPA) firms are the only entities permitted to perform a SOC 2 certification, your first step must be to discuss what is in scope for the assessment with the CPA firm you’ve selected. The reason for this is certain control areas might not be applicable to your organization. From what we've experienced, most companies do not voluntarily choose to be assessed against all of the TSC controls. This is a management decision for your organization to define, in conjunction with the firm you select for your assessment services. In addition to covering the 17 Committee of Sponsoring Organizations (COSO) principles, the TSC covers dozens of cybersecurity and privacy controls associated with designing, implementing and operating security-related controls that cover these high-level categories:

  • Security;
  • Availability;
  • Processing Integrity;
  • Confidentiality; and
  • Privacy.

The “supplemental criteria” of the TSC also covers these categories of security controls:

  • Logical and physical access controls;
  • System operations;
  • Change management; and
  • Risk mitigation.
Framework Selection

What Cybersecurity Framework Is Best For My Needs?

Picking a cybersecurity framework is more of a business decision than a technical one. Additionally, each cybersecurity framework has its benefits and drawbacks, which means that they are not all equal. Picking the best framework is based on your statutory, regulatory and contractual needs. Generally, ISO 27001/2, NIST SP 800-53 (moderate or high baselines) or the SCF are the most appropriate frameworks to build a cybersecurity program when you need to address TSC requirements.

For enterprise-class environments with more complex compliance requirements, the Security, Compliance & Resilience Program (SCRP) might be the best choice for underlying policies and standards. For less complex compliance environment or smaller companies, ISO 27001/2 or NIST 800-53 version of the Cybersecurity & Data Protection Program (CDPP) can be adequate to address the need for policies and standards.

What Products Are Applicable?

How ComplianceForge Helps

When you break down what is required to comply with the individual TSC requirements, you will see how these ComplianceForge products can be leveraged to address specific compliance needs:

ComplianceForge ProductSupports The Following TSC Requirement(s)
Cybersecurity & Data Protection Program (CDPP) or Security, Compliance & Resilience Program (SCRP)CC1.2, CC5.3
Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP)CC3.3, CC3.4, CC4.2, CC9.1, CC9.2
Cybersecurity Risk Management Program (RMP)A1.2, CC3.1, CC3.2, CC4.2, CC5.1, CC5.2, CC7.2, CC7.3, CC7.4, CC9.2, PI1.1
Cybersecurity Risk Assessment Template (CRA)-
Vulnerability & Patch Management Program (VPMP)CC4.2, CC7.1
Integrated Incident Response Program (IIRP)CC2.3, CC7.3, CC7.4, P6.3, P6.6, P6.7
Secure Engineering & Data Privacy (SEDP) ProgramC1.2, CC2.3, CC6.5, Privacy Section
Cybersecurity Standardized Operating Procedures (CSOP)CC2.2, CC5.1, CC5.3
Continuity of Operations Plan (COOP)A1.2, A1.3, CC7.5, CC9.1
Secure Baseline Configurations (SBC)CC7.1, CC8.1
Information Assurance Program (IAP)CC4.1, CC4.2