Why SOC 2 Security & Privacy Are Mentioned Separately from CIA

Security & Privacy

We have noticed people discussing why Security & Privacy are mentioned separately as principles in SOC 2 when "Availability," "Processing Integrity," and "Confidentiality" (also referred to as the CIA triad) are already there.

Because security and privacy cover different facets of data protection under the AICPA Trust Services Criteria, SOC 2 treats them separately:

1. Security (Common Criteria)

Focus: Preventing unwanted access to data and systems.
Measures covered: encryption, firewalls, intrusion detection, and access controls.
Objective: Make sure the system is protected from attacks that might compromise its confidentiality, availability, or integrity.

2. Privacy

Focus: The procedures for collecting, using, storing, disclosing, and disposing of personal data.
Scope: Adherence to the organization's own privacy commitments and to privacy regulations (such as the CCPA and GDPR).
Objective: Safeguard individuals' personal information and make sure it is handled in compliance with established guidelines.

Why Split Up?

Security: The goal of security is to prevent unwanted access to all systems and data.
Privacy: The responsible handling of personal data in accordance with privacy

See also: Why Active Directory Needs Protection

SECURITY VS CIA

Availability, Confidentiality and Integrity address information- and data-specific topics, whereas the SOC 2 Security principle covers a broader range of topics, including, for example, data center security, network security and physical security. That is the small margin that separates Security from CIA.

PRIVACY VS CIA

You could also fold Privacy into the CIA triad. Keeping it isolated, however, makes it specific to an individual's personal details, unlike the CIA triad's Confidentiality, which concerns application-specific access rights: multiple users may be authorized to access the same data, whereas a Social Security number or a medical record belongs to one specific person. Privacy is thus a narrower form of Confidentiality.

Reviewed by All About Security on September 12, 2025