SOC 2 Type II Trust Service Criteria
AICPA Service Organization Control 2 framework covering Security, Availability, Processing Integrity, Confidentiality, and Privacy trust service criteria.
Logical and Physical Access Controls
The entity implements logical access security software, infrastructure, and architectures to protect information assets from security events.
User Access Provisioning
The entity registers and authorizes new users. Access credentials are provisioned and changes are authorized.
Role-Based Access and Least Privilege
The entity authorizes, modifies, or removes access based on roles following the principle of least privilege.
Network Access Restrictions
The entity restricts access to system resources through network segmentation, firewalls, and access control lists.
Encryption of Data in Transit
The entity uses encryption to protect data transmitted over networks.
Monitoring System Components
The entity monitors system components and their operation for anomalies and indicators of compromise.
Recovery and Business Continuity
The entity identifies, develops, and implements activities to recover from identified security incidents.
COSO Principle 1 — Commitment to Integrity and Ethical Values
The entity demonstrates a commitment to integrity and ethical values through tone-at-the-top, written codes of conduct, and accountability for ethical breaches.
COSO Principle 2 — Board Oversight and Independence
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control over security.
COSO Principle 3 — Management Establishes Structure and Authority
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives related to security.
COSO Principle 4 — Workforce Competence
The entity attracts, develops, and retains competent individuals to support the security control framework, with defined skill requirements per role and ongoing training.
COSO Principle 5 — Accountability for Internal Control
The entity holds individuals accountable for their security responsibilities through performance management, reward structures, and consequence frameworks.
Quality Information for Internal Control
The entity obtains or generates relevant, accurate, and timely information to support the functioning of security controls and management oversight.
Internal Communication of Security Information
The entity communicates security information, responsibilities, and procedures internally to enable personnel to carry out their security responsibilities.
External Communication About Security
The entity communicates with external parties (customers, regulators, vendors) regarding matters affecting security control operation, including incidents, policy changes, and assurance.
Specify Suitable Objectives
The entity specifies objectives with sufficient clarity to enable identification and assessment of risks relating to the objectives.
Identify and Analyze Risk
The entity identifies risks to the achievement of its security objectives across the entity and analyzes them as a basis for determining how the risks should be managed.
Consider Fraud and Misconduct Risk
The entity considers the potential for fraud (including insider threats, financial misstatement, asset misappropriation) in assessing risks to the achievement of objectives.
Identify and Assess Significant Changes
The entity identifies and assesses changes that could significantly impact the security control environment — including business changes, technology changes, regulatory changes, and adversary changes.
Ongoing Monitoring and Evaluation of Controls
The entity selects, develops, and performs ongoing evaluations of internal control activities to ascertain whether the components of internal control are present and functioning.
Evaluation and Communication of Control Deficiencies
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board.
Selection and Development of Control Activities
The entity selects and develops control activities that mitigate identified risks to the achievement of objectives — choosing controls proportionate to risk severity and business context.
Technology General Controls (ITGC)
The entity selects and develops general control activities over technology — including access controls, change management, system operations, and segregation of duties — to support the achievement of security objectives.
Policies and Procedures Deployed Through Documented Processes
The entity deploys control activities through documented policies and procedures, with evidence of operation, and reviews them periodically.
Physical Access to Facilities and Information Assets
The entity restricts physical access to facilities and protected information assets to authorized personnel, supplementing logical access controls.
Discontinuation of Logical and Physical Access Protections for Discarded Assets
The entity discontinues logical and physical protections over physical assets, software, and data only after the ability to read or recover data from those assets has been diminished.
Vulnerability Management Program
The entity manages vulnerabilities through identification, evaluation, prioritization, and remediation — including ongoing scanning, severity-based SLAs, and a documented exception process.
Detection and Configuration of Security Monitoring Tools
The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
Security Event Evaluation and Incident Classification
The entity evaluates security events to determine whether they could result in failure of the entity to meet its objectives, and if so, classifies them as incidents requiring response.
Incident Response and Recovery
The entity responds to identified security incidents by executing a defined incident response program — containment, eradication, recovery, and post-incident review.
Change Management
The entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its security objectives.
Risk Mitigation Activities
The entity identifies, selects, and develops risk mitigation activities — including business continuity planning, insurance, and risk transfer arrangements.
Vendor and Business Partner Risk Assessment
The entity assesses and manages risks associated with vendors and business partners that handle, process, or have access to the entity's data or systems.