SOC 2 common criteria: Addressing key changes in updated guidance


Download White Paper

The AICPA recently released key changes to the service organization control (SOC) 2 guidelines, addressing evolving risks and ways to increase reporting efficiency. Service organizations must understand the demands the new guidance introduces, as well as the framework adjustments needed to address any deficiencies. While the AICPA's common criteria guidelines streamline many processes, they can also create challenges and vulnerabilities if not approached properly.

Under the initial SOC 2 criteria, organizations recognized significant overlap in requirements across most of the principles. As service organizations and service auditors adopted the SOC 2 guidance and implemented reporting processes, they found it more efficient to report on a set of common criteria that applied to all principles and then add only the criteria unique to each principle.

As a result, the AICPA issued TSP Section 100: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy in February 2014. The publication includes guidance for adopting the common criteria, with a mandatory implementation date set for periods ending on or after Dec. 15, 2014.

With the new TSP Section 100 guidance, service organizations must re-evaluate their SOC 2 reporting processes, implement any new processes required, and mitigate the associated risks. A key step toward proper alignment with the common criteria is a readiness assessment that maps existing internal controls to the relevant criteria under the new AICPA guidelines.
