AICPA’s Assurance Services Executive Committee (ASEC), through its Trust Information Integrity Task Force’s SOC 2 Working Group, has developed a set of benchmarks, known as description criteria. These description criteria are to be used when preparing and evaluating the description of the service organization’s system (description) in an examination of a service organization’s controls over security, availability, processing integrity, confidentiality, and privacy (SOC 2 examination). This document presents the description criteria for use in that examination. (The AICPA’s trust services criteria are not addressed in this document. Those criteria are used in a SOC 2 examination to evaluate whether controls stated in the description were suitably designed and operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.)
Applying the description criteria requires judgment. Therefore, in addition to the description criteria, this document also presents implementation guidance for each criterion. The implementation guidance presents factors to consider when making judgments about the nature and extent of disclosures called for by each criterion. This guidance does not address all possible situations; therefore, users should carefully consider the facts and circumstances of the service organization and its environment when applying the description criteria.
Revisions in This Version
This version of the 2018 description criteria has been modified to reflect revisions to the implementation guidance for certain description criteria. As discussed in the introduction section, implementation guidance presents important factors to consider when making judgments about the nature and extent of disclosures called for by each criterion.
The revisions to the implementation guidance discussed in this notice to readers do not in any way alter the criteria in the 2018 description criteria. Such criteria continue to be suitable criteria for use when evaluating the description of a system in a SOC 2 engagement.