AICPA TSC 2017 (with 2022 revised POF)

Overview

AICPA TSC 2017(with 2022 revised Points of Focus) is a control criteria frameworkthat supports organizations in establishing, evaluating, andreporting on controls related to security, availability, processingintegrity, confidentiality, and privacy. It sets the foundationalcriteria for assessing the effectiveness of internal controls overinformation systems, critical for data protection and riskmanagement.

Developed andmaintained by the American Institute of Certified Public Accountants(AICPA), the Trust Services Criteria are primarily applied by serviceorganizations, independent auditors, and compliance teams within SOC2 and SOC 3 engagements. The framework outlines control objectivesand Points of Focus, guiding organizations in implementingcybersecurity controls, privacy governance, operational resilience,and compliance oversight in line with recognized assurance standards.

Organizationsoperationalize the AICPA TSC by mapping existing policies andcontrols to the criteria, addressing gaps, and producingdocumentation for audit readiness. The framework is frequentlyintegrated with broader compliance, cybersecurity, and riskmanagement programs—enabling organizations to support third-partydue diligence, maintain regulatory compliance, and build trust withinSOC reporting and similar assurance ecosystems.

Why it Matters

The AICPA TrustServices Criteria provide a comprehensive foundation for evaluatingand enhancing controls that safeguard critical systems and sensitivedata.

Key benefits include:

• Strengthen cybersecurity governance

Establish clearcriteria and controls to ensure continuous oversight andaccountability for information security practic

• Enhance audit readiness

Enable robustdocumentation and evidence-gathering to streamline external auditprocesses and support SOC attestation requirements

• Increase regulatory alignment

Supportcompliance with multiple assurance standards and regulations throughconsistent control objectives and recognized Points of Focus

• Promote operational resilience

Identify andaddress control gaps that could impact system availability,reliability, and business continuity across organizationalenvironment

• Protect sensitive and confidential data

Reduce the riskof unauthorized access and disclosure by implementing controlstailored to privacy and confidentiality requirements.

How it Works

The AICPA TrustServices Criteria (TSC) 2017, with the 2022 revised Points of Focus(POF), organizes cybersecurity into defined criteria and controlfamilies—security, availability, processing integrity,confidentiality, and privacy. Each criterion is accompanied by Pointsof Focus that outline considerations and expected behaviors, enablinga control catalog approach that ties to risk management processes andgovernance domains.

Organizationsimplement the TSC by conducting risk assessments, selecting andimplementing security controls mapped to the criteria, andestablishing policies and monitoring to demonstrate compliance.Typical activities include control design and testing, evidencecollection for assessments, continuous monitoring of securitypractices, incident response integration, and mapping controls toregulatory requirements and audit programs.

WithinSmartSuite, teams can operationalize the AICPA TSC by buildingcontrol libraries mapped to the POF, maintaining a risk register,governing policies, and collecting evidence against control tests.SmartSuite supports compliance tracking, remediation workflows, auditreadiness, and dashboards for monitoring control effectiveness andreporting to governance stakeholders.

Key Elements

• Security, Availability, and Confidentiality Criteria

Specifiesstructural categories for controls protecting systems againstunauthorized access, disruptions, and data disclosure risks.

• Processing Integrity Controls

Describescriteria ensuring accurate, timely, and authorized processing ofinformation in core business systems.

• Privacy Requirements

Outlines datagovernance and programmatic controls for managing personalinformation collection, use, retention, and disposal

• Points of Focus Guidance

Establishesspecific considerations within each criterion to clarify intent andassist in consistent application.

• Risk and Governance Structure

Definesmechanisms for oversight, accountability, and management of risksassociated with information systems and data handling.

• Control Objective Organization

Groupsmeasurable statements that underpin the design, implementation, andoperation of effective internal controls.

Framework Scope

AICPA TSC 2017 (with 2022 revised Points of Focus) is adopted by serviceorganizations, technology providers, and entities overseeing customerdata or outsourced information systems. It guides the establishmentand evaluation of controls over security, availability, processingintegrity, confidentiality, and privacy, often when preparing for SOCattestations or demonstrating control effectiveness in assuranceengagements.

Framework Objectives

AICPA TrustServices Criteria 2017 (with 2022 revised Points of Focus) provides acomprehensive foundation for evaluating and enhancing organizationalsecurity, privacy, and compliance programs

• Safeguard sensitive data through robust security controls and risk management practices
• Strengthen cybersecurity governance to promote accountability and oversight
• Enable ongoing compliance with regulatory, contractual, and assurance requirements
• Enhance operational resilience to minimize disruption from cyber threats
• Support effective privacy governance and responsible data protection
• Demonstrate audit readiness and transparency in internal control environments

The AICPA Trust Services Criteria (TSC) 2017 with the 2022 revised. Point of Focus for cybersecurity aligns with and is commonly mapped to NIST CSF, ISO/IEC 27001, and NIST SP 800-53. Organizations implement it for SOC reporting, third party assurance, regulatory compliance, and to formalize security governance and operational controls.

Common Framework Mappings

AICPA TSC 2017is commonly mapped to other cybersecurity and privacy frameworks tostreamline audit processes, demonstrate compliance, and ensurecomprehensive risk management across diverse security and regulatoryenvironments.

Mappedframeworks include:

CIS CriticalSecurity Controls

ISO/IEC 27001

ISO/IEC 27002

ISO/IEC 27018

ISO/IEC 27701

MITRE ATT&CK

NISTCybersecurity Framework

NIST SP 800-53