The Five Categories of the AICPA Trust Services Criteria

When an organization decides to undergo a SOC 2 examination, one of the decisions that must be made is which Trust Services Criteria (TSC) categories should be in scope. Five categories make up the TSC:

  • Security (sometimes called the “Common Criteria”)
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

You must include the Security category in your examination scope, but the other categories are optional. Choosing more categories allows you to showcase a broader range of controls within your report. However, each additional category increases the effort needed to demonstrate that those controls were designed and operating effectively throughout the reporting period.

In addition, adding categories increases the risk that one or more controls may not have been designed appropriately or didn’t operate as expected. This may generate control exceptions within your report.

Knowing which additional categories to choose, if any, is an important step in your journey toward a SOC 2 examination. Unless there is a contractual obligation to choose certain TSC categories, the choice is up to your organization.  

Let’s look at the optional categories to see if they may be right for your organization. 


Availability

The in-scope system is available for operation and use.

Areas covered include: 

  • System and resource capacity planning, demand, and management
  • Environmental protections
  • Data backup and replication processes
  • Recovery infrastructure
  • Disaster recovery and business continuity plan testing

Many organizations are using a third party to host some or all of their systems and applications. If you are relying on someone else for these functions (e.g., AWS), the Availability category probably isn’t needed in your report. The third party performs these controls, and your responsibility is more focused on appropriate vendor management of the third party.  

Usually, these organizations are “carved out” as a subservice provider in your report with information about which controls the third party should be performing.

Processing Integrity 

The system processing is complete, valid, accurate, timely, and authorized.  

Areas covered include: 

  • Obtaining, generating, using, and communicating processing objectives
  • Policy and processes regarding system inputs, system processing, and system outputs
  • Policy and processes to ensure storage inputs, items in processing, and outputs are handled completely, accurately, and timely

For healthcare organizations, we don’t usually see this category included. Unless the in-scope system is actually processing data, not just storing or transferring it, this category is probably not relevant to your SOC 2 control set. 


Confidentiality

The system maintains the confidentiality of designated information.

Areas covered include: 

  • Identification and maintenance of confidential information
  • Appropriate disposal of confidential information

This category is common for healthcare organizations to have in their SOC 2 report. Ensuring information stays confidential is important to readers of a SOC 2 report. This is a small category and doesn’t add a lot of effort to establish appropriate controls.  

Confidentiality controls can be added in other areas if you choose not to include this category. 


Privacy

The system maintains the privacy of personal information that is collected, used, retained, disclosed, and disposed of.

Areas covered include: 

  • Notice of the organization’s privacy objectives to data subjects
  • Choices available regarding the collection, use, retention, disclosure, and disposal of a data subject’s personal information
  • The collection of personal information
  • The use, retention, and disposal of personal information
  • Allowing a data subject to review and/or correct their personal information
  • How personal information may be disclosed
  • Notification to data subjects regarding incidents and breaches of personal information
  • How personal information is kept accurate, up to date, complete, and relevant
  • Monitoring and compliance with privacy objectives
  • Addressing privacy-related inquiries, complaints, and disputes

The privacy category covers a lot of areas and can be overwhelming for smaller organizations. This category adds many controls to your report and may require a lot of effort to implement and monitor. We recommend not including the privacy category unless you have a contractual or other obligation to include it. 

But Privacy Sounds Important! 

While privacy sounds like something that should be included, you’ll notice it only covers personal information. The Confidentiality category covers all sensitive information and is usually a more appropriate category. You can add controls within confidentiality addressing many types of sensitive information, which will therefore include personal information. 

So How Do We Choose? 

If you answer “no” to either one of the following questions, we recommend not including the Privacy category in your SOC 2 scope: 

  • Does the system create, collect, transmit, use, or store personal information? 
  • Does the organization make commitments to system users regarding one or more of the following?
      • Notice of your privacy commitments and practices.
      • Data subjects’ choices regarding the use and disclosure of their personal information.
      • Data subjects’ rights to access, review, and update their personal information.
      • An inquiry, complaint, and dispute resolution process regarding personal information.

Remember, even if you answered “yes” to one of those questions, you could elect not to include the Privacy category in your SOC 2 examination scope. 

I Still Have Questions 

Meditology is here to provide you with a steady, guiding hand throughout your journey to obtaining a SOC 2 examination report. Our team has done lots of SOC 2 examinations over the years and has the experience to be your partner. We would be glad to answer any questions, provide some basic education, and talk with you about what would work best for your organization. Contact us.

About the Author

Alan DeVaughan is an experienced compliance and information security senior manager specializing in assisting organizations with SOC 2 readiness assessments and examinations for over 10 years. In addition to leading the firm's SOC 2 service line, he serves as a consultant team leader focused on advising healthcare clients of varying size and complexity in areas of IT, privacy, security, and compliance. Alan has in-depth knowledge of security technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and FFIEC. With a background in network administration, he has over 25 years’ experience in information technology consulting for a wide variety of organizations and industries. 

