While SOC 1 compliance is designed for service organizations that have reporting requirements about Internal Control over Financial Reporting, SOC 2 compliance is designed for the growing number of technology service organizations that need a more technical audit with an emphasis on comprehensive information security policies and procedures. SOC 2 uses the five Trust Services Principles (TSP) as the general framework for conducting this type of engagement.
The five TSPs are the following:
- Security: The system is protected against unauthorized access.
- Availability: The system is available for operation and use as committed or agreed to.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information that is designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA).