Compliance Audits

Understanding SOC 2 and Deciding Which Principles Are Right Your Company

October 22, 2020

If you’re a service company such as a cloud or SaaS provider, you need to pass what’s called the System Organization Controls (SOC) 2 audit. Passing the audit shows that you take cybersecurity seriously. But how do you pass? Well, you need to:

  • Choose which of the 5 SOC 2 principles apply
  • Instruct an assessment based on those principles

In other words, there’s no one-size-fits-all approach to SOC 2 audits. So, here’s a rundown of the 5 principles so you can decide which ones fit your company’s requirements.

1. Security

Security, or common criteria, is the only mandatory category. It’s mandatory because it sets out some fairly simple cybersecurity standards for service companies to meet.

Basically, you need to show that you can protect your systems from unauthorized access. Ways to pass this category include using:

  • Firewalls
  • Network intrusion detection
  • Multi-factor authentication

2. Processing Integrity

If you process client data, you need to show that you can process it quickly, accurately and securely. So, you need tools in place to spot processing errors like:

  • Duplicate records
  • Corrupted data
  • Unauthorized amendments

This category is less important if you just store data rather than process or handle it.

3. Confidentiality

If you handle restricted or classified data, you need to pass the confidentiality category. That’s because you must show that you have sufficient security in place to prevent unauthorized access and data leaks.

To pass this category, you need tools like:

  • Encryption to protect files
  • Firewalls and multi-factor authentication (which is also covered in category 1)
  • Software to safely erase data

4. Privacy

This category is less about restricted data and more about personal information, like names, addresses and telephone numbers. You need to prove you:

  • Follow regulatory guidelines e.g. HIPAA, GDPR
  • Monitor and restrict data access
  • Have clear data retention and destruction protocols

5. Availability

If service availability is critical to your contract with the client, you need to prove you’re taking all possible steps to keep your service online. In other words, you probably want to pass the availability category. You can pass by:

  • Measuring usage
  • Forecasting capacity needs
  • Proactively checking for system threats
  • Laying out a clear incident response plan for how you handle downtime

If you’re unsure which SOC 2 principles apply, ask a compliance specialist for advice.

Resources can help

View all
View all
January 10, 2026
October 9, 2019
main image

Saving Money with a PCI-DSS Scope Reduction

Read more
January 10, 2026
October 9, 2019
main image

Top 5 Cybersecurity Challenges Faced by the Healthcare Industry

Read more
January 10, 2026
October 30, 2019
main image

Grow Company Revenue Through Data Security Compliance

Read more
Work with us
work@trustly.com
Company
About Us Partner ProgramTestimonials
Compliance
CMMCNIST 800-171HIPAASOC 2 & SOC 1PCI DSSISO 27001GDPR / Privacy ShieldHITRUST
Services
Penetration TestingVulnerability ScanningPolicy & Procedure DevelopmentvCISO
Subscribe to our latest news.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Copyright 2009 - 2025 Interactive Security, Inc. All rights reserved.
Designed byJSI Studio
Boost Your Webflow with Pro Apps! Get 20% Off with Code WEBFLOW20
Try Now!
icon
More Templates
webflow icon
Buy this Template