
Memorize All Five SOC 2 Trust Services Criteria with this 1 Weird Trick

edited June 2020 in SOC 2
Audit Day. The day you and your company have been preparing for has finally arrived. To paraphrase everyone's favorite Titan who did no wrong, "Dread it. Run from it. SOC 2 arrives all the same."

From herding all the cats to making sure everyone actually has some sort of antivirus (AV) installed on their computers (nowadays AV like Avast and AVG spy on your browser history and sell your data instead of detecting viruses and malware), owning and implementing controls feels like you're running a marathon.

That's why we came up with this mnemonic to help you quickly recall each of the Trust Services Criteria (or Trust Services Principles) whenever you're discussing their respective controls with your auditor or trying to flex at a dinner party.

SAPCP: SOC 2 Always Pains Compliance Professionals

Here is a brief layman's one-sentence question summary for each TSC (and check out the AICPA's latest 63-page guide on the TSCs if you want to get your nerd on):

  • Security: are the systems you use to store data, and the data itself, protected against access by bad hombres?
  • Availability: are the systems and information you provide always available and ready to use?
  • Processing Integrity (applies only to orgs who process credit card info): are you processing customer payment info correctly?
  • Confidentiality: are you keeping sensitive information (especially customers' info) safe and secure?
  • Privacy (similar to Confidentiality, but only applies to PII data): are you keeping personally identifiable information (PII) safe and secure?

Now, we don't actually know if compliance professionals find SOC 2 prep work and audits painful, but we do know that you'll know the TSCs like the back of your hand (and instantly recall them during Trivia Night and/or on the next episode of Jeopardy).

At this point, we'll pass it off to you. Are there any "tricks" or processes that you've found helpful for memorizing or explaining the TSCs to others? Let us know below. We're always looking to think outside the box!