Trust Services are a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs. The following principles and related criteria are used by practitioners in the performance of Trust Services engagements:
- Security. The system is protected against unauthorized access (both physical and logical).
- Availability. The system is available for operation and use as committed or agreed.
- Processing Integrity. System processing is complete, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
- Privacy. Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA. The TSPC of security, availability and processing integrity are used to evaluate whether a system is reliable.
The TSPC can be found in the AICPA Technical Practice Aids Volume 1.
The AICPA has released the Trust Services Principals, Criteria and Illustrations resource. This resource presents measurement criteria for use when providing attestation or consulting services to evaluate controls relevant to the security, availability, and processing integrity of a system, and the confidentiality and privacy of the information processed by the system. The guidance was established by the Assurance Services Executive Committee (ASEC) of the AICPA, and is necessary when performing Service Organization Control, SOCSM 2 and SOCSM 3 engagements. This edition improves clarity and eliminates redundancy, and updates the criteria based on the changing technology and business environment.
Also, download the Trust Services Criteria Mapping 2014 to 2009.
SysTrust and WebTrust are two specific assurance services offerings developed by the AICPA and CPA Canada that are based on the Trust Services Principles and Criteria. Practitioners must be licensed by CPA Canada to use these registered service marks. For more information on licensure, visit the WebTrust website.