This resource presents measurement criteria for use when providing attestation or consulting services to evaluate controls relevant to the security, availability, and processing integrity of a system, and the confidentiality and privacy of the information processed by the system.
The guidance was established by the Assurance Services Executive Committee (ASEC) of the AICPA and is required when performing Service Organization Control (SOC) 2 and SOC 3 engagements.
This edition improves clarity and eliminates redundancy, and updates the criteria based on the changing technology and business environment. The most significant changes include:
Restructuring of the trust services principles and criteria: The principles and criteria for security, availability, processing integrity, and confidentiality are restructured into (1) common criteria that are applicable to all four principles, and (2) criteria applicable only to a single principle. The criteria related to the privacy principle, contained in the generally accepted privacy principles (GAPP), are being revised separately.
Risk assessment: To illustrate the linkage between criteria, risks, and controls, appendix B, “Illustrative Risks and Controls,” was developed to provide examples of risks that may prevent the criteria from being met, as well as examples of controls that would address those risks.
The trust services principles and criteria are effective for periods ending on or after December 15, 2014. Early implementation is permitted.