This resource presents criteria for use when providing attestation or consulting services to evaluate controls relevant to the security, availability, and processing integrity of a system, and the confidentiality and privacy of the information processed by the system.

The guidance was established by the AICPA Assurance Services Executive Committee (ASEC) and is necessary when performing Service Organization Control (SOC 2® and SOC 3®) engagements.

This edition:

  • Restructures and creates a new set of privacy criteria, offering a complete set of privacy criteria consisting of the common criteria plus the additional privacy criteria
  • Revises Appendix B, "Illustration of Risks and Controls for Sample Entity," to include the additional privacy criteria and examples of risks that may prevent the privacy criteria from being met, as well as controls designed to address those risks. Additionally, certain revisions have been made to the illustrative risks and controls for the common criteria to conform to the additional privacy criteria
  • Modifies criteria CC3.1 and CC3.2 to clarify that the potential threats include those arising from the use of vendors and other third parties providing goods and services as well as threats arising from customer personnel and others with access to the system. Additionally, criterion CC3.3 was merged into CC3.1 and CC3.2 and eliminated for redundancy
  • Adds two new confidentiality criteria, C1.7 and C1.8, to address the retention and disposal of confidential information
  • Maps the new trust services privacy criteria to the extant generally accepted privacy principles

The trust services principles and criteria are effective for periods ending on or after December 15, 2016. Early implementation is permitted.

Key Benefits

  • New appendix mapping of the Trust Services Principles and Criteria to Extant Generally Accepted Privacy Principles
  • Updated Appendix B — Illustration of Risks and Controls for a Sample Entity for privacy
  • Expanded definitions

Who Will Benefit?

  • Practitioners performing attestation or consulting services
  • Practitioners performing SOC 2® and SOC 3® engagements