AICPA Trust Services Criteria define five criteria for evaluating an organization’s security controls for SOC 2 compliance: security, availability, processing integrity, confidentiality, and privacy.

While organizations may pick and choose which SOC 2 Trust Services Criteria they want to include in the scope of their audit, every SOC 2 report must include the Security Criteria, and the criteria used to test it are known as the Common Criteria.  

What is the SOC 2 Common Criteria List?

The Security TSC is all about protecting information and systems.

Is data secure during its collection or creation? Is it secure during its use, processing, transmission, and/or storage?  How does a company prevent and monitor any vulnerabilities in its systems?

The SOC 2 Common Criteria list, also known as the CC-series, includes nine subcategories:

• CC1 — Control environment
  Does the organization value integrity and security?
• CC2 — Communication and Information
  Are policies and procedures in place to ensure security? Are they communicated well to both internal and external partners?
• CC3 — Risk Assessment
  Does the organization analyze risk and monitor how changes impact that risk?
• CC4 — Monitoring Controls
  Does the organization monitor, evaluate, and communicate the effectiveness of its controls?
• CC5 — Control Activities
  Are the proper controls, processes, and technologies in place to reduce risk?
• CC6 – Logical and Physical Access Controls
  Does the organization encrypt data? Does it control who can access data and restrict physical access to servers?
• CC7 – System Operations
  Are systems monitored to ensure they function properly? Are incident response and disaster recovery plans in place?
• CC8 – Change Management
  Are material changes to systems properly tested and approved beforehand?
• CC9 – Risk Mitigation
  Does the organization mitigate risk through proper business processes and vendor management?

SOC 2 Common Criteria Mapping

Many organizations choose to pursue compliance with multiple security standards. The AICPA helps map the Common Criteria onto requirements for other frameworks, including ISO 27001, GDPR, and more.

Mapping SOC 2 Common Criteria to ISO 27001

ISO 27001 specifies requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS). It includes 114 controls across 14 groups, the majority of which map to SOC 2 Trust Services Criteria.

The AICPA ISO 27001 mapping spreadsheet breaks down the overlap with the Trust Services Criteria.

Mapping SOC 2 Common Criteria to GDPR

The European Union’s General Data Protection Regulation is designed to protect EU citizens’ personal data rights. It applies to any company that comes in contact with these protected individuals’ data. It includes 99 articles across 11 chapters.

Nearly all of Chapters 2 and 3 and most of Chapter 4 of GDPR map onto SOC 2’s Trust Services Criteria.

The AICPA also provides an EU GDPR mapping spreadsheet to help cross-reference criteria and controls.