Trust services criteria (TSC) are a set of standards used to evaluate the effectiveness of an organizationโs controls related to security, processing integrity, confidentiality, and availability.
What Are Trust Services Criteria?
The term trust services criteria refers to a comprehensive framework developed to evaluate the adequacy and effectiveness of an organization's controls across various aspects of data protection and system performance. Specifically, TSC focuses on the principles of security, availability, processing integrity, confidentiality, and privacy. It is primarily used in the context of audits, such as SOC 2 (System and Organization Controls), to ensure that service organizations meet stringent requirements regarding the safeguarding of sensitive information and the reliability of their operational systems.
By assessing these criteria, organizations demonstrate their commitment to maintaining high standards of data protection, operational resilience, and privacy, which are essential for building trust with clients and stakeholders. TSC provides a structured approach to evaluating an organization's internal controls, ensuring that they not only comply with industry standards but also minimize risks associated with data breaches, system downtime, and other vulnerabilities.
What Are the Five Trust Services Criteria?
The five trust services criteria are:
- Security. This criterion focuses on the protection of systems and data from unauthorized access, attacks, and breaches. It ensures that appropriate security measures are in place to prevent harm to the organizationโs assets and to preserve the confidentiality, integrity, and availability of information.
- Availability. This criterion assesses whether the systems and services provided by the organization are available for operation and use as agreed. It involves evaluating the organizationโs ability to maintain uptime and meet service level agreements (SLAs).
- Processing integrity. This criterion ensures that the systemโs processes are complete, accurate, and timely. It evaluates whether the system can consistently process data in accordance with business objectives and user expectations.
- Confidentiality. This criterion focuses on ensuring that information classified as confidential is protected according to its sensitivity. It involves safeguarding sensitive data from unauthorized access and disclosure.
- Privacy. This criterion ensures that personal data is collected, used, retained, disclosed, and disposed of in compliance with relevant privacy laws and regulations. It evaluates the organization's ability to maintain the privacy of personal information in a manner that meets both legal and contractual obligations.
Trust Services Criteria and COSO Integration
The trust services criteria and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework are both essential in evaluating an organizationโs internal controls, but they focus on different aspects of governance and risk management. Integrating TSC with COSO can help organizations ensure a comprehensive approach to risk management, compliance, and internal control effectiveness.
The trust services criteria, as mentioned, include five key areas: security, availability, processing integrity, confidentiality, and privacy. These criteria are primarily used in audits such as SOC 2 to evaluate whether an organizationโs controls are designed and operating effectively to protect data and ensure reliable system operations. The criteria help organizations demonstrate their commitment to safeguarding sensitive data, ensuring high availability of systems, and protecting privacy rights, among other things.
The COSO framework, on the other hand, provides a broader, overarching set of principles and practices for effective internal control. It includes five components: control environment, risk assessment, control activities, information and communication, and monitoring. The COSO framework is commonly used to evaluate internal controls in areas such as financial reporting and compliance with laws and regulations, and it is a widely adopted standard for governance and risk management.
Integration of Trust Services Criteria and the COSO Framework
Integrating TSC and COSO creates a more robust internal control environment for an organization by ensuring that both the technical and organizational aspects of risk management are adequately addressed. This includes:
- Control environment. The COSO control environment involves setting the tone at the top, ensuring leadership commitment to security, availability, processing integrity, confidentiality, and privacy. This aligns with the TSC, which requires top-level oversight of controls designed to protect systems and data.
- Risk assessment. Both TSC and COSO emphasize the importance of risk assessments. TSCโs security and privacy criteria require organizations to identify and mitigate risks to sensitive information, while COSOโs risk assessment component ensures that risksโfinancial, operational, and complianceโare properly identified, assessed, and managed.
- Control activities. COSOโs control activities ensure that policies and procedures are in place to address identified risks. This directly supports the TSC, particularly in areas like processing integrity and confidentiality, where detailed processes must be designed to ensure the accurate processing of data and the protection of confidential information.
- Information and communication. Both frameworks stress the importance of ensuring that relevant information is communicated effectively across the organization. TSC's privacy and security criteria require that information regarding data handling practices be communicated clearly and transparently, while COSOโs component emphasizes the role of communication in managing internal controls and ensuring accountability.
- Monitoring. The monitoring component of COSO ensures that internal controls are continuously evaluated and improved. This aligns with the TSC's requirements for continuous monitoring of controls, especially in areas like security and availability, to ensure that systems remain secure, accessible, and free from vulnerabilities.
Trust Services Criteria in SOC 2
In the context of SOC 2, TSC are the standards used to assess and evaluate the controls implemented by service organizations to protect sensitive data, ensure system reliability, and maintain privacy.
SOC 2 is a framework primarily used for evaluating the security, availability, processing integrity, confidentiality, and privacy of an organizationโs systems and data. These criteria help determine if the organizationโs controls meet specific requirements to safeguard sensitive information and meet the expectations of its clients and stakeholders.
SOC 2 reports are typically used by technology companies, particularly those offering cloud-based or SaaS (Software-as-a-Service) solutions, to demonstrate their commitment to maintaining the highest standards of data protection, privacy, and security.
The five trust services criteria in SOC 2 are:
- Security. The security criterion focuses on the protection of systems from unauthorized access, cyberattacks, and other forms of intrusion. It evaluates whether an organizationโs systems and data are protected against both internal and external threats. Key security measures may include firewalls, encryption, intrusion detection systems, and other technical controls that prevent unauthorized access or data modification.
- Availability. This criterion evaluates whether the organizationโs systems and services are available for operation and use as intended. It assesses the organizationโs ability to maintain uptime and meet service level agreements. This is critical for clients who rely on the availability of services for their own operations, such as in cloud hosting or SaaS solutions.
- Processing integrity. Processing integrity ensures that systems process data accurately, completely, and in a timely manner. This criterion evaluates whether the systemโs processes function correctly and deliver the intended results, which is essential for clients that depend on the reliability of processed information. This could include validating transaction accuracy, timely processing, and proper handling of errors.
- Confidentiality. The confidentiality criterion focuses on the protection of sensitive information from unauthorized access or disclosure. It evaluates the organizationโs ability to protect confidential data such as intellectual property, trade secrets, and personal information, in line with data privacy laws and contractual obligations. This can include encryption, secure storage, and restricted access protocols.
- Privacy. The privacy criterion ensures that personal information is collected, used, retained, disclosed, and disposed of in accordance with relevant privacy laws, such as the GDPR or CCPA. It ensures that organizations implement practices that safeguard personal data, protecting individualsโ privacy rights while adhering to legal and regulatory requirements.
Trust Services Criteria and Other Compliance Frameworks
Hereโs a comparison of the TSC used in SOC 2 with other popular compliance frameworks:
| Compliance framework | Key areas/criteria | Focus | Typical use cases |
| SOC 2 (Trust services criteria) | Security, Availability, Processing Integrity, Confidentiality, Privacy | Evaluates the effectiveness of internal controls related to security, privacy, availability, and data integrity for service organizations | Cloud service providers, SaaS companies, IT service providers |
| SOC 1 | Control Objectives for Financial Reporting (no Trust Criteria) | Focuses on controls related to financial reporting, particularly for user organizations relying on outsourced services | Outsourced financial services, payroll services, and accounting firms |
| ISO/IEC 27001 | Information Security Management System (ISMS) | Focuses on establishing, implementing, and maintaining an information security management system (ISMS) | Enterprises requiring a comprehensive information security system |
| HIPAA (Health Insurance Portability and Accountability Act) | Security, Privacy, Breach Notification, Enforcement | Focuses on protecting the privacy and security of health information in the U.S. healthcare industry | Healthcare organizations, healthcare providers, health insurance companies |
| GDPR (General Data Protection Regulation) | Data Protection, Privacy | Protects the personal data and privacy of individuals within the European Union | Companies handling personal data of EU residents, multinational corporations |
| PCI DSS (Payment Card Industry Data Security Standard) | Data Protection, Network Security, Monitoring, and Access Control | Focuses on securing payment card information and ensuring safe transactions for cardholders | Ecommerce platforms, merchants, payment processors, financial institutions |
| NIST Cybersecurity Framework | Identify, Protect, Detect, Respond, Recover | Provides a risk-based approach to improving cybersecurity infrastructure and resilience | Government entities, critical infrastructure, enterprises seeking comprehensive cybersecurity guidance |
| FISMA (Federal Information Security Modernization Act) | Security and Privacy | Focuses on ensuring the protection of federal information systems and data | U.S. federal agencies, contractors, and entities working with federal data |
| CSA STAR (Cloud Security Alliance Security, Trust & Assurance Registry) | Security, Privacy, Governance, Risk, and Compliance | Cloud security standards focused on the security posture of cloud providers and the trust they establish with customers | Cloud providers, businesses using cloud services |
Trust Services Criteria Examples
Here are a few examples of how the TSC are applied in different scenarios:
- Security. An online payment processor implements multi-factor authentication for both users and administrators. This ensures that only authorized individuals can access sensitive payment information and processing systems, reducing the risk of unauthorized access or cyberattacks.
- Availability. A cloud hosting provider deploys an automated backup and disaster recovery solution with a 99.9% uptime SLA. This guarantees that clients' websites and data are always available, even during unexpected system outages or disasters, ensuring minimal downtime and service disruption.
- Processing integrity. A customer support software provider ensures that all customer inquiries are automatically logged and routed to the appropriate support team within minutes. The system provides real-time updates and confirmations, ensuring data accuracy and timely processing of customer requests.
- Confidentiality. A law firm uses encryption to secure confidential client data stored in its database. Additionally, access to sensitive documents is limited to authorized employees only, ensuring that legal documents and client communications are not exposed to unauthorized parties.
- Privacy. A healthcare provider collects personal health information (PHI) from patients but implements strict data handling procedures. These include encryption of PHI both in transit and at rest, as well as allowing patients to access and delete their data, in compliance with privacy regulations like HIPAA.
Why Are Trust Services Criteria Important?
Trust services criteriaare important because they provide a structured and standardized way for organizations to demonstrate their commitment to securing and managing data, ensuring reliable services, and protecting client privacy. Here are several key reasons why TSC are crucial:
- Builds trust with clients and stakeholders. Organizations that comply with the trust services criteria show their dedication to safeguarding sensitive information and maintaining operational reliability. This fosters trust with clients, partners, and stakeholders, which is vital for business growth and retention.
- Enhances data protection and security. The criteria help organizations implement robust security measures to protect data from unauthorized access, cyber attacks, and breaches. By focusing on the security and confidentiality aspects, TSC ensure that sensitive information is adequately protected.
- Supports regulatory compliance. Many regulatory frameworks, such as GDPR, HIPAA, and PCI DSS, overlap with the criteria established in TSC. Adhering to these standards helps organizations meet legal and regulatory requirements, reducing the risk of non-compliance and potential penalties.
- Mitigates operational risks. By focusing on availability and processing integrity, TSC ensure that systems are resilient, accurate, and available when needed. This minimizes the risks of system failures, data errors, or service disruptions that could impact business operations and customer satisfaction.
- Improves operational efficiency. Implementing TSC helps organizations streamline their processes, identify weaknesses, and improve their control environment. It leads to more efficient risk management, reduces redundancies, and ensures that resources are properly allocated to maintain system integrity.
- Provides a competitive advantage. Achieving compliance with trust services criteria demonstrates that an organization is following industry best practices. This sets a company apart in competitive markets, as clients are more likely to choose service providers that prioritize data security, privacy, and operational reliability.
- Reduces risk of data breaches and legal liabilities. With privacy and confidentiality being core components of TSC, organizations are better equipped to protect customer data from breaches. By following these criteria, organizations minimize the chances of costly data breaches, lawsuits, or reputational damage.
- Enables transparent reporting. Compliance with TSC is often verified through external audits, such as SOC 2 reports. These third-party evaluations provide transparency and independent validation of an organizationโs commitment to data protection, offering assurance to clients and investors.
Who Maintains Trust Services Criteria?
The trust services criteria are maintained by the American Institute of Certified Public Accountants (AICPA). AICPA is a professional organization that sets standards for auditing, accounting, and reporting in the United States.
AICPA developed the trust services criteria as part of the SOC framework, which includes SOC 1, SOC 2, and SOC 3 reports. These criteria are regularly reviewed and updated by AICPA to align with evolving industry standards, technological advancements, and regulatory requirements. The TSC serves as the foundation for evaluating service organizationsโ controls over security, availability, processing integrity, confidentiality, and privacy, especially within the context of SOC 2 and SOC 3 audits.
AICPA ensures that the criteria remain relevant by consulting with industry experts and stakeholders, allowing organizations to demonstrate compliance with best practices and ensure the protection of sensitive data and system integrity.
How Often Should Trust Services Criteria Controls Be Updated?
The trust services criteria controls should be updated regularly to ensure that they remain effective and aligned with evolving security, privacy, and regulatory standards. However, the frequency of updates depends on various factors, such as changes in the organizationโs systems, emerging threats, and shifts in regulatory requirements. Here are a few guidelines for when controls should be reviewed and updated:
- Ongoing monitoring and updates. Controls should be continuously monitored, and any gaps or inefficiencies should trigger a review. Regular internal audits, automated monitoring, and threat intelligence gathering help in identifying areas where the controls may need to be updated more frequently.
- Annual review. It is recommended that organizations review their TSC controls at least annually to ensure that they align with current industry standards and evolving threats.An annual review helps organizations stay proactive in adapting to new risks, technologies, and compliance requirements. It also ensures that any changes in the business or operational environment are reflected in the controls.
- Following major changes. If an organization undergoes a major system upgrade, a shift in architecture (e.g., moving to the cloud), or an update to critical infrastructure, itโs important to review and potentially update the controls. Similarly, if the organization merges with or acquires another company, the existing controls should be reviewed to ensure integration with the new business processes.
- After regulatory or legal changes. Changes in data protection laws (e.g., GDPR, CCPA) or industry regulations (e.g., HIPAA, PCI DSS) may necessitate updates to the organizationโs controls to ensure ongoing compliance with the new legal frameworks.
- In response to identified vulnerabilities or security incidents. If a vulnerability is discovered or a data breach occurs, controls should be reviewed immediately to ensure that appropriate measures are in place to prevent similar incidents in the future. This review could result in the tightening of security policies, the addition of new monitoring tools, or changes in data handling procedures.
- As part of SOC 2 audits. If an organization undergoes a SOC 2 Type II audit, which assesses the operational effectiveness of controls over a period (usually 6โ12 months), it is a good practice to review and possibly update the controls in preparation for the audit.The SOC 2 audit assesses whether the organization's controls are designed and operating effectively, so ensuring that the controls are up to date and comprehensive before the audit is essential.
