Trust Services Criteria (TSC) For SOC 2® Certification

Note - System and Organization Controls (SOC®) is a registered trademark via the AICPA Trust Services Criteria (TSC). This page is educational guidance to answer Frequently Asked Questions (FAQ) pertaining to TSC/SOC 2 compliance efforts.

Since documentation artifacts (e.g., policies, standards, procedures, etc.) are expectations for demonstrating a cybersecurity program exists, a common question we receive is about "What products do I need for SOC 2 certification?" That is a bit of a loaded question, since there are a few missing pieces of information that need to be clarified before we can answer what ComplianceForge product will work best for your your specific needs.

Since Certified Public Accountant (CPA) firms are the only entities permitted to perform a SOC 2 certification, your first step must be to discuss what is in scope for the assessment with the CPA firm you’ve selected. The reason for this is certain control areas might not be applicable to your organization. From what we've experienced, most companies do not voluntarily choose to be assessed against all of the TSC controls. This is a management decision for your organization to define, in conjunction with the firm you select for your assessment services. In addition to covering the 17 Committee of Sponsoring Organizations (COSO) principles, the TSC covers dozens of cybersecurity and privacy controls associated with designing, implementing and operating security-related controls that cover these high-level categories:

The “supplemental criteria” of the TSC also covers these categories of security controls:

What Cybersecurity Framework Is Best For My Needs? 

Picking a cybersecurity framework is more of a business decision than a technical one. Additionally, each cybersecurity framework has its benefits and drawbacks, which means that they are not all equal. Picking the best framework is based on your statutory, regulatory and contractual needs. Generally, ISO 27001/2, NIST SP 800-53 (moderate or high baselines) or the SCF are the most appropriate frameworks to build a cybersecurity program when you need to address TSC requirements. 

For enterprise-class environments with more complex compliance requirements, the Digital Security Program (DSP) might be the best choice for underlying policies and standards. For less complex compliance environment or smaller companies, ISO 27001/2 or NIST 800-53 version of the Cybersecurity & Data Protection Program (CDPP) can be adequate to address the need for policies and standards. 

Trust Services Criteria vs NIST 800-53 vs ISO 27002 vs SCF

What Products Are Applicable? 

When you break down what is required to comply with the individual TSC requirements, you will see how these ComplianceForge products can be leveraged to address specific compliance needs:

ComplianceForge Product Supports  The Following TSC Requirement(s)

Cybersecurity & Data Protection Program (CDPP) or
Digital Security Program (DSP)

CC1.2
CC5.3

Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP)

CC3.3
CC3.4
CC4.2
CC9.1
CC9.2

Cybersecurity Risk Management Program (RMP)

A1.2
CC3.1
CC3.2
CC4.2
CC5.1
CC5.2
CC7.2
CC7.3
CC7.4
CC9.2
PI1.1

Cybersecurity Risk Assessment Template (CRA)
Vulnerability & Patch Management Program (VPMP)

CC4.2
CC7.1

Integrated Incident Response Program (IIRP)

CC2.3
CC7.3
CC7.4
P6.3
P6.6
P6.7

Security & Privacy By Design (SPBD)

C1.2
CC2.3
CC6.5
Privacy Section

Cybersecurity Standardized Operating Procedures (CSOP)

CC2.2
CC5.1
CC5.3

Continuity of Operations Plan (COOP)

A1.2
A1.3
CC7.5
CC9.1

Secure Baseline Configurations (SBC)

CC7.1
CC8.1

Information Assurance Program (IAP)

CC4.1
CC4.2

Please note that if you want a customized bundle, we are happy to create one for you. Just contact us with your needs and we will generate a quote for you.

 

Browse Our Products

  • Digital Security Program (DSP)

    Digital Security Program (DSP) - SCF Policy Template

    Secure Controls Framework (SCF)

    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...

    $9,500.00
    Choose Options
  • NIST 800-53 rev5 policies & standards

    NIST 800-53 R5 (moderate) Policy Template

    ComplianceForge NIST 800-53 Compliance Documentation Templates

    NIST 800-53 Rev5 Policy Template  LOW & MODERATE BASELINE   Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common questions we receive...

    $1,800.00
    Choose Options
  • CDPP Bundle #1b: Cybersecurity policies, standards and procedures. ISO 27001 & 27002.

    ISO 27001/27002 Policies & Procedures Bundle

    ComplianceForge ISO 27001 & 27002 Compliance Documentation Templates

    Cybersecurity & Data Protection Program (CDPP) Bundle #1B -  ISO 27002:2022   (20% discount) This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing NIST SP 800-53 R5...

    $6,075.00
    $6,075.00
    $4,860.00
    Choose Options
  • CDPP Bundle #1c: Cybersecurity policies, standards and procedures. NIST 800-53 - moderate baseline.

    NIST 800-53 R5 (moderate) Policies & Procedures Bundle

    ComplianceForge NIST 800-53 Compliance Documentation Templates

    Cybersecurity & Data Protection Program (CDPP) Bundle #1C -  NIST SP 800-53 R5 Low & Moderate Baselines  (20% discount) This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing...

    $6,075.00
    $6,075.00
    $4,860.00
    Choose Options
  • CDPP Bundle 3: ISO 27002 Compliance

    ISO 27001 & 27002 Compliance Templates

    ComplianceForge ISO 27001 & 27002 Compliance Documentation Templates

    Cybersecurity & Data Protection Program (CDPP) Bundle #3  ISO 27002:2022  (35% discount) This is a bundle that includes the following eleven (11) ComplianceForge products that are focused on operationalizing ISO...

    $30,275.00
    $30,275.00
    $19,679.00
    Choose Options
  • CDPP Bundle 4a: NIST 800-53 R5 Low Moderate Compliance

    NIST 800-53 R5 (moderate) Compliance Templates

    ComplianceForge NIST 800-53 Compliance Documentation Templates

    Cybersecurity & Data Protection Program (CDPP) Bundle #4a (40% discount) This is a bundle that includes the following fourteen (14) ComplianceForge products that are focused on operationalizing NIST SP 800-53 R5 (low & moderate...

    $36,990.00
    $36,990.00
    $22,194.00
    Choose Options
  • DSP Bundle 1: DSP-CSOP

    DSP Bundle 1: Policies, Standards, Procedures & Controls

    Secure Controls Framework (SCF)

    Digital Security Plan (DSP) Bundle #1 - SCF-Aligned Policies, Standards & Procedures (25% Discount) This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing the Secure Controls Framework...

    $15,325.00
    $15,325.00
    $11,494.00
    Choose Options
  • DSP Bundle 2

    DSP Bundle 2: Enhanced Digital Security Documentation

    Secure Controls Framework (SCF)

    Digital Security Plan (DSP) Bundle #2 - ENHANCED DIGITAL SECURITY (35% Discount) This is a bundle that includes the following seven (7) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF): Digital...

    $26,850.00
    $26,850.00
    $17,453.00
    Choose Options
  • DSP Bundle 3: Whole Enchilada

    DSP Bundle 3: Robust Digital Security Documentation

    Secure Controls Framework (SCF)

    Digital Security Plan (DSP) Bundle #3 - ROBUST DIGITAL SECURITY (45% Discount) This is a bundle that includes the following thirteen (13) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF): Digital...

    $45,350.00
    $45,350.00
    $24,943.00
    Choose Options

Learn More About Cybersecurity & Data Privacy