That's why we came up with this mnemonic to help you quickly recall each of the Trust Services Criteria (or Trust Services Principles) whenever you're discussing their respective controls with your auditor or trying to flex at a dinner party.
SAPCP: SOC 2 Always Pains Compliance Professionals
Here is a brief one-sentence, plain-English question for each TSC (and check out the AICPA's latest 63-page guide on the TSCs if you want to get your nerd on):
- Security: are the systems you use to store data, and the data itself, protected against bad actors getting access to them? (This is the one criterion every SOC 2 report must cover.)
- Availability: are the systems and information you provide available and ready to use to the degree you committed to, for example in your SLAs?
- Processing Integrity (relevant to orgs whose service performs processing on behalf of customers, such as payments or transactions, not just credit card data): is that processing complete, valid, accurate, timely, and authorized?
- Confidentiality: are you keeping sensitive information (especially customers' info) safe and secure, and disclosing it only as agreed?
- Privacy (similar to Confidentiality, but specific to personal information): are you collecting, using, retaining, disclosing, and disposing of personally identifiable information (PII) in line with your privacy notice and commitments?
Now, we don't actually know whether compliance professionals find SOC 2 prep work and audits painful, but we do know that you'll know the TSCs like the back of your hand (and instantly recall them during Trivia Night or on the next episode of Jeopardy).