Over the past several weeks, we have been digging into the SSAE 16 SOC 2 reports. We have looked at what a SOC 2 report is, the differences between a Type I and Type II report, and why Section III is so important. This week we are going to look at what are called the 5 Trust Service Principles. These are very specific to the SSAE 16 SOC 2 report and are critical when going through the entire process.
Before we dig into the 5 Trust Service Principles, let's define what they are and why they are so important. According to the AICPA, the 5 Trust Service Principles are "a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs." Whew, that was a mouthful! But what does that mean in simpler terms? The 5 Trust Service Principles are defined criteria, or controls, that must be met to render an unqualified opinion when going through your SSAE 16 SOC 2 Report. An unqualified opinion means that the auditor did not find any significant exceptions, or findings, during the engagement (i.e. a favorable result).
So with that, let's look at what the 5 Trust Service Principles are and give a high level definition of them:
- Security - The system is protected against unauthorized access, both physical and logical.
- Availability - The system is available for operation and use as committed or agreed.
- Processing Integrity - System processing is complete, accurate, timely, and authorized.
- Confidentiality - Information designated as confidential is protected as committed or agreed.
- Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP).
Now that we know the 5 Trust Service Principles, one major question remains: Who chooses and determines which Trust Service Principles are in scope for an SSAE 16 SOC 2 Report? There is no checklist you can use to identify which Trust Service Principles are in scope. It comes down to management and a well-trained auditor to make that decision after looking at the systems in scope for the SOC 2 report and the infrastructure, software, people, policies/procedures, and data that surround those in-scope systems.
The bottom line is that, if you are getting ready to go through the SSAE 16 SOC 2 Report process (either a Type I or a Type II), it is in your best interest to engage a professional to assist with both your Section III and with outlining which Trust Service Principles will be in scope, based on the factors outlined above. For help getting started with and going through the SSAE 16 SOC 2 Report process, contact us for a no-cost consultation!