Trust Services Principles | Overview | AICPA | CICA | Why Policies and Procedures are Important for TSP compliance | SOC 2 | SOC 3 | SysTrust | WebTrust
28. What are the Trust Services Principles (TSP), why are policies and procedures so important to the TSP, and do you offer such documentation?
The Trust Services Principles (TSP) are criteria established jointly by the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) for use by practitioners when providing attest and assurance services on specified systems in five areas: (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy. (The AICPA has since renamed them the Trust Services Criteria, and SysTrust and WebTrust were the earlier engagement programs built on the same criteria.) In simpler terms, each of the five TSP is a set of predefined criteria describing best practices for its respective area. For example, the criteria for the "Security" principle call for the organization to define and document its policies and to communicate its system policies, along with many other provisions and mandates, and each such criterion is something an auditor will expect to see evidenced in writing.
Compliance with the Trust Services Principles Requires Policies
Two points are important to grasp here: (1) The Trust Services Principles are a core component of SOC 2 and SOC 3 reporting under the AICPA Service Organization Control reporting framework; a SOC 2 report and a SOC 3 report are both based on the same TSP, with SOC 3 being the general-use summary report. (2) Documented policies and procedures are required for many areas within the Trust Services Principles, and an auditor will test not only that a policy exists but that it has been approved, communicated, and is actually followed. In short, obtaining a SOC 2 or SOC 3 report means having documented policies and procedures in place before the audit period begins. That is a tall order for most service organizations, since writing policies is never high on anyone's list, which is why the FLANK21 set of operational, business-specific, and information security policies, procedures, and more from FLANK is a must-have for SOC 2 and SOC 3 reporting.
Hundreds of Policies and Templates Available for SOC 2 and SOC 3
Regulatory compliance is a large and growing obligation for any organization today. Stop and think about the industry you are in, and chances are that SOC reporting (SOC 1, SOC 2, or SOC 3) is a part of it. If not SOC reporting, then more than likely some other industry-specific requirement applies, and it will ultimately mandate that documented policies and procedures be in place. And remember, when it comes to regulatory compliance, policies and procedures are always at the very top of the list of items auditors validate. There is no need to spend precious time developing them on your own: trust the experts at FLANK and the FLANK21 set of operational, business-specific, and information security policies, procedures, and other supporting templates.