As of December 15, 2018, the 2017 Trust Services Criteria are officially in effect. Organizations that are issuing System and Organization Controls (SOC 2) Reports will need to ensure that their reports reflect the changes from the previous Trust Services Criteria and Principles.
How these changes impact your SOC 2 reporting requirements:
- Slight name change – the Trust Services Principles and Criteria are now the Trust Services Criteria
- Trust Services Criteria are aligned with the 17 principles of the COSO 2013 framework
- Adds supplemental criteria to better address cybersecurity risk
- Adds points of focus to all criteria
- Additional description criteria requirements
It’s our observation that the changes to the Trust Services Criteria will create more consistency among organizations using the Trust Services Criteria. This is important as user groups require greater transparency from the service organizations they work with. The additional criteria and description requirements will increase the number of controls in a SOC 2 as service organizations adjust for changes to requirements related to governance, risk management, third party management, service commitments, system requirements and system incidents.
- Review and understand the new Trust Services Criteria
- Identify potential gaps
- Implement additional controls as necessary
You can also ask me a question directly or call 513-241-8313, and I’ll be happy to chat with you at no cost to help you better understand the requirements and what you might or might not need.