AICPA SOC 3

United States

v2023

18 domains

22 controls

Trust Services Criteria for general use reporting

Unverified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (18)

AICPA SOC 3: Cybersecurity Controls

0 controls

Technical cybersecurity measures (AICPA SOC 3)

AICPA SOC 3: Incident Management & Reporting

0 controls

Incident handling for financial services (AICPA SOC 3)

AICPA SOC 3: Information Security Governance

0 controls

IT governance for financial institutions (AICPA SOC 3)

AICPA SOC 3: Operational Resilience

0 controls

Business continuity and resilience (AICPA SOC 3)

AICPA SOC 3: Third-Party Risk Management

0 controls

Managing vendor and supplier risks (AICPA SOC 3)

Assertion

1 controls

Controls in the Assertion domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-MGMT-ASSERT	Management Assertion	Management asserts that controls were effective to meet applicable Trust Services Criteria.

Common Criteria

9 controls

Controls in the Common Criteria domain of AICPA SOC 3 — 9 controls
Code	Title	Description
SOC3-CHANGE-MGT	Change Management	Changes to infrastructure and applications follow authorized, tested, approved processes.
SOC3-COMMS	Communication	Communicate commitments, requirements, and responsibilities to internal and external parties.
SOC3-CONTROL-ENV	Control Environment	Governance, integrity, ethics, board oversight, and accountability establish the control environment.
SOC3-INCIDENT-MGT	Incident Response	Identify, respond to, communicate, and recover from security incidents impacting Trust Services commitments.
SOC3-LOGICAL-ACCESS	Logical Access	Access provisioning, authentication, authorization, and review controls protect system resources.
SOC3-MONITORING	Monitoring Controls	Ongoing monitoring activities detect control deficiencies and trigger remediation.
SOC3-RISK-ASSESS	Risk Assessment Process	Service organization identifies and evaluates risks impacting Trust Services Criteria objectives.
SOC3-VENDOR	Vendor and Subservice Management	Manage third-party risks through due diligence, contracts, and ongoing monitoring of subservice organizations.
SOC3-VULN-MGT	Vulnerability Management	Identify, prioritize, and remediate vulnerabilities through scanning, patching, and threat intelligence.

Confidentiality

1 controls

Controls in the Confidentiality domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-DATA-PROTECT	Data Protection	Encryption in transit and at rest with key management protects confidential and personal data.

Criteria

1 controls

Controls in the Criteria domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-TSC	Trust Services Criteria Coverage	SOC 3 uses Trust Services Criteria covering Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Distribution

1 controls

Controls in the Distribution domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-MARKETING-USE	Marketing and Distribution	SOC 3 reports may be freely distributed and used in marketing materials with appropriate logo guidelines.

Report Purpose

1 controls

Controls in the Report Purpose domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-PURPOSE	General Use Trust Services Report	SOC 3 reports provide general-use assurance on Trust Services Criteria suitable for unrestricted distribution.

Reporting

1 controls

Controls in the Reporting domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-AUDITOR-OPINION	Auditor Opinion	Service auditor opinion confirms whether controls operated effectively to meet TSC during the period.

Scope

2 controls

Controls in the Scope domain of AICPA SOC 3 — 2 controls
Code	Title	Description
SOC3-BOUNDARY	System Boundary	Define infrastructure, software, people, procedures, and data within the SOC 3 reporting scope.
SOC3-PERIOD	Reporting Period	SOC 3 covers a defined examination period typically aligning with calendar or fiscal year quarters.

TSC Availability

1 controls

Controls in the TSC Availability domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-AVAILABILITY	Availability Criteria	Availability criteria address system uptime commitments, capacity, monitoring, backup, and recovery.

TSC Confidentiality

1 controls

Controls in the TSC Confidentiality domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-CONFID	Confidentiality	Confidentiality criteria address protection of information designated confidential through retention, disposal, and acce...

TSC PI

1 controls

Controls in the TSC PI domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-PROC-INTEG	Processing Integrity	Processing integrity criteria address completeness, accuracy, timeliness, and authorization of system processing.

TSC Privacy

1 controls

Controls in the TSC Privacy domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-PRIVACY	Privacy Criteria	Privacy criteria cover notice, choice, collection, use, retention, disclosure, quality, monitoring, and access for perso...

TSC Security

1 controls

Controls in the TSC Security domain of AICPA SOC 3 — 1 controls
Code	Title	Description
SOC3-SECURITY	Common Criteria Security	Common Criteria 1 to 9 establish baseline security covering control environment, communication, risk, monitoring, and op...

Maps to 1 other framework

22 total controls

SOC 2

13 source controls mapped|31 target controls covered

59%

Compare AICPA SOC 3 with SOC 2

Frequently Asked Questions

What is AICPA SOC 3?

AICPA SOC 3 is a compliance framework from United States with 18 domains and 22 controls. Trust Services Criteria for general use reporting It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does AICPA SOC 3 have?

AICPA SOC 3 has 22 controls organised across 18 domains. The largest domains are Common Criteria (9 controls), Scope (2 controls), Assertion (1 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does AICPA SOC 3 map to?

AICPA SOC 3 maps to 1 other compliance frameworks. The top mapping partners are SOC 2 (59% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with AICPA SOC 3 compliance?

Start your AICPA SOC 3 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about AICPA SOC 3 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required