SOC 2 Security vs. Confidentiality: What is the difference?
Updated: May 31
For most companies preparing for SOC 2 examinations, deciding which Trust Services Categories (TSCs) should be in scope is a difficult and sometimes confusing decision.
Two categories that cause some confusion are Security and Confidentiality, since the two terms are often used interchangeably in the information security industry.
In a SOC 2 examination, however, the difference between these two categories is clear and should be understood before deciding which to include in your SOC 2 report. In this post, we describe the differences between Security and Confidentiality and explain a few key reasons why it is important to understand them.
What is the difference between Security and Confidentiality in a SOC 2 examination?
In a SOC 2 examination, the Trust Services Categories (TSCs) assessed should be based on your organization's commitments and system requirements. Most, if not all, SOC 2 examinations include the Security TSC, so think of Security as the default category for a SOC 2 examination.
The Security category (the common criteria) covers topics like risk assessment, logical access, monitoring, HR procedures, and data encryption. Some of these controls address general confidentiality principles, but the SOC 2 Confidentiality TSC specifically covers how your organization identifies, protects, and disposes of confidential data.
Going back to your commitments, a major aspect of the Confidentiality TSC is focused on the commitments you make to your customers regarding the deletion or removal of their data when they leave your service.
If your Master Services Agreement (MSA) commits you to deleting all customer data within 30 days of a customer leaving the service, or upon request, the Confidentiality TSC is probably right for your organization.
Another key component of the Confidentiality TSC is the identification and maintenance of confidential information, which is often addressed by controls already included in the common criteria (the Security TSC). The most significant factor in deciding whether to include Confidentiality in scope, however, is the data retention and disposal obligations you have made to your customers.
Why is it Important to Understand the Difference?
If you're pursuing a SOC 2 examination, your customers will expect to see the Security TSC. Including additional TSCs shows a further level of maturity and could differentiate your company from its competitors, but it is important to understand what the Confidentiality TSC communicates to your customers before including it in scope.
If you do not make any commitments regarding the disposal of customer data when they leave your service or request deletion, then the Confidentiality TSC may not be suitable for your company.
Adding a TSC requires additional effort from both your team and your third-party auditors. That extra effort typically results in higher auditor fees for the additional testing and reporting, and at traditional compliance firms it can add overhead that provides little value.
An additional TSC also brings a number of additional evidence requests; see this overview of the Confidentiality Trust Services Criteria for details. While the extra evidence and effort are smaller than for the Security TSC, you should confirm the applicability of each additional TSC (Availability, Confidentiality, Processing Integrity, or Privacy) before including it in your SOC 2 examination.
At ByteChek, it is important to us that your SOC 2 examination provides value to the readers of your report and does not include criteria that are not relevant or a long list of "not applicable" statements.