
SOC 2 common criteria: Addressing key changes in updated guidance



The AICPA recently released key changes to the service organization control (SOC) 2 guidelines, addressing evolving risks and ways to make reporting more efficient. Service organizations must understand what the new guidance demands of them, and what adjustments to their control framework are needed to close any gaps. While the AICPA's common criteria streamline many processes, they can also create challenges and control gaps if adoption is not approached properly.

Under the initial SOC 2 criteria, organizations recognized significant overlap in the requirements across most of the trust services principles. As service organizations and service auditors adopted SOC 2 guidance and implemented reporting processes, they found it more efficient to report on a single set of common criteria that applies to all principles, and then add only the criteria unique to each principle.

As a result, the AICPA issued TSP Section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, in February 2014. The publication includes guidance for adopting the common criteria, with mandatory implementation for report periods ending on or after Dec. 15, 2014.

With the new TSP Section 100 guidance, service organizations must re-evaluate their SOC 2 reporting processes, implement any new processes required and mitigate the associated risks. A key step toward proper alignment with the common criteria is a readiness assessment that maps existing internal controls to the relevant criteria under the new AICPA guidance, so that any criteria without a corresponding control are identified and remediated before the reporting period begins.





