Memorize All SOC 2 Trust Services Criteria with this One Weird Trick

Audit Day. The day you and your company have been preparing for has finally arrived. To paraphrase everyone’s favorite Titan who did no wrong, “Dread it. Run from it. SOC 2 arrives all the same.”

From herding all the cats to making sure everyone actually has some sort of antivirus (AV) installed on their computers (nowadays AV like Avast and AVG spy on your browser history and sell your data instead of detecting viruses and malware), owning and implementing controls feels like you’re running a marathon.

That’s why we came up with this mnemonic to help you quickly recall each of the Trust Services Criteria (or Trust Services Principles) whenever you’re discussing their respective controls with your auditor or trying to flex at a dinner party.

SAPCP: SOC 2 Always Pains Compliance Professionals

Here is a brief layman’s one-sentence question summary for each TSC (and check out the AICPA’s latest 63-page guide on the TSCs if you want to get your nerd on):

Security: are the systems you use to store data and the data itself are protected against bad hombres from accessing them?

Availability: are the systems and information you provide always available and ready to use?

Processing Integrity (applies only to orgs who process credit card info): are you processing customer payment info correctly?

Confidentiality: are you keeping sensitive information (especially customers’ info) safe and secure?

Privacy (similar to Confidentiality, but only applies to PII data): are you keeping personally identifiable information (PII) safe and secure?

Now, we actually don’t know if compliance professionals actually find SOC 2 prep work and audits painful, but we do know that you’ll know the TSCs like the back of your hand (and instantly recall them during Trivia Night and or on the next episode of Jeopardy).