The five SOC 2 criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
- Information and systems are available for operation and use to meet the entity’s objectives.
- Processing Integrity:
- System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives (over the provision of services or the production, manufacturing, or distribution of goods)
- Addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives.
- Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.