My company completes SOC 2 audits annually, and have for the last several years based on the old trust criteria. Our processes and our customer prefer the old criteria. Can we continue to have the audits under the old criteria?
In order to complete another SOC 2 examination and receive a SOC 2 report this year, the report will need to include the new Trust Services Principles (TSP) criteria. However, an AT 101 examination is a potential alternative report. The AT 101 examination is an attestation against any criteria, which could be the old TSPs in this case. The AT 101 examination could also be a Type 1 or a Type 2 examination.