Tick Tock: The Privacy TSP

June 21, 2016

Oftentimes, service organizations ask:

"Why is it that the Privacy Trust Services Principle (TSP) for a SOC 2 examination takes so much more time and resources to attest against compared to other TSPs?"

The Privacy TSP attests to how a service organization handles personal information to meet the commitments defined within its privacy notice, including collection, use, retention, disclosure, and disposal. This requires the auditor to fully understand the service organization and its environment, the role the service organization plays in the personal information lifecycle (including how the organization's services are being used by user entities), and the commitments being made within the privacy notice. This can only be achieved through conversations with management, inspection of policy and procedure documentation, review of the documented privacy policy, and observation of the processes in place at the service organization.

In addition, one of the most obvious answers as to why the Privacy TSP takes so much more time and resources is that the Privacy TSP includes a total of 73 criteria against which the auditor must attest. The Privacy TSP contains nearly twice as many criteria as the other four TSPs combined:

  • Security – 28 criteria
  • Availability – 3 criteria
  • Processing integrity – 6 criteria
  • Confidentiality – 6 criteria
  • Privacy – 73 criteria

Something that service organizations should be aware of and begin planning for is the change to the criteria within the Privacy Principle. The changes are effective December 15, 2016. Updating the Privacy criteria not only reduces the total number of Privacy TSP criteria from 73 down to 20, but also emphasizes the privacy commitments and the communication of those commitments. It is not expected that the upcoming changes to the Privacy TSP will significantly reduce the amount of time and resources it takes to attest against, because these changes require the inclusion of the Security Principle. Therefore, the entire set of Privacy criteria will consist of the common criteria found in the Security Principle along with the criteria unique to Privacy.
