Trust Services Criteria (TSC) For SOC 2® Certification

Note - System and Organization Controls (SOC®) is a registered trademark via the AICPA Trust Services Criteria (TSC). This page is educational guidance to answer Frequently Asked Questions (FAQ) pertaining to TSC/SOC 2 compliance efforts.

Since documentation artifacts (e.g., policies, standards, procedures, etc.) are expectations for demonstrating a cybersecurity program exists, a common question we receive is about "What products do I need for SOC 2 certification?" That is a bit of a loaded question, since there are a few missing pieces of information that need to be clarified before we can answer what ComplianceForge product will work best for your your specific needs.

• It is important to note that ComplianceForge does not offer "SOC®-specific policies & standards" since we build our documentation to align with a single cybersecurity framework (e.g., NIST CSF, ISO 27001/2, NIST SP 800-53 and the Secure Controls Framework (SCF)). However, with the framework crosswalk mapping, it is possible to use the selected cybersecurity framework to ensure the necessary policies, standards, procedures, etc. address necessary TSC requirements.
• The auditor you choose for a SOC 2 will be required to follow specific professional standards established by AICPA and it involves an assessment against AICPA’s Trust Services Criteria (TSC). The good news is the TSC maps to most common cybersecurity frameworks (e.g., ISO 27002, NIST 800-53, etc.).

Since Certified Public Accountant (CPA) firms are the only entities permitted to perform a SOC 2 certification, your first step must be to discuss what is in scope for the assessment with the CPA firm you’ve selected. The reason for this is certain control areas might not be applicable to your organization. From what we've experienced, most companies do not voluntarily choose to be assessed against all of the TSC controls. This is a management decision for your organization to define, in conjunction with the firm you select for your assessment services. In addition to covering the 17 Committee of Sponsoring Organizations (COSO) principles, the TSC covers dozens of cybersecurity and privacy controls associated with designing, implementing and operating security-related controls that cover these high-level categories:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

The “supplemental criteria” of the TSC also covers these categories of security controls:

• Logical and physical access controls
• System operations
• Change management
• Risk mitigation

What Cybersecurity Framework Is Best For My Needs? 

Picking a cybersecurity framework is more of a business decision than a technical one. Additionally, each cybersecurity framework has its benefits and drawbacks, which means that they are not all equal. Picking the best framework is based on your statutory, regulatory and contractual needs. Generally, ISO 27001/2, NIST SP 800-53 (moderate or high baselines) or the SCF are the most appropriate frameworks to build a cybersecurity program when you need to address TSC requirements. 

For enterprise-class environments with more complex compliance requirements, the Digital Security Program (DSP) might be the best choice for underlying policies and standards. For less complex compliance environment or smaller companies, ISO 27001/2 or NIST 800-53 version of the Cybersecurity & Data Protection Program (CDPP) can be adequate to address the need for policies and standards. 

• Digital Security Program (DSP)
• ISO 27002 CDPP 
• NIST 800-53 CDPP

What Products Are Applicable? 

When you break down what is required to comply with the individual TSC requirements, you will see how these ComplianceForge products can be leveraged to address specific compliance needs:

ComplianceForge Product	Supports  The Following TSC Requirement(s)
Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP)	CC1.2 CC5.3
Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP)	CC3.3 CC3.4 CC4.2 CC9.1 CC9.2
Cybersecurity Risk Management Program (RMP)	A1.2 CC3.1 CC3.2 CC4.2 CC5.1 CC5.2 CC7.2 CC7.3 CC7.4 CC9.2 PI1.1
Cybersecurity Risk Assessment Template (CRA)
Vulnerability & Patch Management Program (VPMP)	CC4.2 CC7.1
Integrated Incident Response Program (IIRP)	CC2.3 CC7.3 CC7.4 P6.3 P6.6 P6.7
Security & Privacy By Design (SPBD)	C1.2 CC2.3 CC6.5 Privacy Section
Cybersecurity Standardized Operating Procedures (CSOP)	CC2.2 CC5.1 CC5.3
Continuity of Operations Plan (COOP)	A1.2 A1.3 CC7.5 CC9.1
Secure Baseline Configurations (SBC)	CC7.1 CC8.1
Information Assurance Program (IAP)	CC4.1 CC4.2

Please note that if you want a customized bundle, we are happy to create one for you. Just contact us with your needs and we will generate a quote for you.

 

• Efficient CMMC Scoping

  Determining the scope of controls (e.g., assessment boundary) is different than determining control...

• Are you a cyber criminal?

  As a Chief Information Security Officer (CISO) or cybersecurity director, it is likely that you been...

• New Standard For Third-Party Cybersecurity Assessments

  The release of the Cybersecurity & Data Protection Assessment Standards (CDPAS) is important to the...

• Cybersecurity Materiality & Key Controls

  There is a "materiality ecosystem" that exists within modern cybersecurity risk management discussio...

---