The AICPA SOC 2 Trust Services Principles and Criteria, outlined in TSP Section 100 (2017, regularly updated), provide a comprehensive framework for evaluating and reporting on a service organization’s controls related to security, availability, processing integrity, confidentiality, and privacy of a system. The security criteria, also known as the common criteria, are mandatory for all SOC 2 examinations and encompass controls that are foundational across all five trust service categories, including risk management and system protection. Organizations may include additional criteria—availability, processing integrity, confidentiality, and privacy—based on the nature of their services and client needs. The criteria emphasize management’s responsibility to meet commitments to customers and system requirements, covering aspects such as governance, risk assessment, control activities, information and communication, and monitoring of controls. The framework integrates principles from the COSO internal control framework and focuses on the entity’s objectives, risk identification and assessment, fraud considerations, and changes impacting internal control systems, ensuring a thorough and adaptable approach to trust and assurance in service organizations’ systems.
Home / Authority / Organization / AICPA
AICPA SOC2 Trust Services Principles and Criteria – TSP Section 100
This document focuses on:Certification