SSAE 18 SOC Reports: The 5 Trust Services Criteria

July 31, 2019 at 1:04 PM

For organizations receiving pressure to obtain an SSAE 18 SOC Attestation Report, the path can be confusing to navigate and understand. First off, SSAE stands for Statement on Standards for Attestation Engagements, and SOC stands for System and Organization Controls. Changes in wording and titles are very common in this area of expertise. In May of 2017, SSAE 18 replaced SSAE 16, and prior to SSAE 16, SAS-70 was used (up until 2010). In addition, the five Trust Services Principles (TSP) used for SOC 2 and SOC 3 reports were renamed to the five Trust Services Criteria (TSC) in December of 2018, listed under TSP Section 100. The five Trust Services Criteria are as follows:


Security

  • Also known as common criteria. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives. This is the only required criterion.


Availability

  • Information and systems are available for operation and use to meet the entity's objectives. This refers to the accessibility of information used by the entity's systems, as well as the products or services provided to its customers

Processing Integrity

  • System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives. This addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation


Confidentiality

  • Information designated as confidential is protected to meet the entity's objectives. This addresses the entity's ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity's control in accordance with management's objectives


Privacy

  • Personal information is collected, used, retained, disclosed, and disposed to meet the entity's objectives. Although confidentiality applies to various types of sensitive information, privacy applies only to personal information. The privacy criteria are organized as follows:
  1. Notice and communication of objective - The entity provides notice to data subjects about its objectives related to privacy
  2. Choice and consent - The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects
  3. Collection - The entity collects personal information to meet its objectives related to privacy
  4. Use, retention, and disposal - The entity limits the use, retention, and disposal of personal information to meet its objectives related to privacy
  5. Access - The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy
  6. Disclosure and notification - The entity discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its objectives related to privacy
  7. Quality - The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet its objectives related to privacy
  8. Monitoring and enforcement - The entity monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes

There have been some changes to these criteria. The controls that organizations have in place will need to align with these changes. At a high level, these criteria now have added focus on board and management oversight of controls, how risks are managed in the organization, how controls are monitored and maintained, and how organizations communicate internally and externally about their controls. These changes were brought about as a result of the ever-changing security threat landscape.

When an organization is going to obtain a SOC 2 or SOC 3 Attestation Report, it is up to the organization to select which Trust Services Criteria are in scope and appropriate based on client needs, data handled, IT systems, etc. The only TSC that is required is the security criteria (common criteria). The other TSCs should be selected based on how the organization provides its services.

Compass IT Compliance partners with organizations across every industry to address their SOC Report needs and goals. We’re here to help you navigate the waters of SOC 1, SOC 2, and SOC 3 (Types I & II). Our team of security and compliance specialists can also help in identifying the criteria that are appropriate for your organization. Obtaining a SOC Report will show customers, clients, and vendors that suitable controls are in place and operating effectively within your organization. This can be a key differentiator in the decision-making process for both your clients and vendors. Contact us today to learn more!
