Appendix D

Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination

This appendix is nonauthoritative and is included for informational purposes only.

The trust services criteria for security, availability, and confidentiality and the related points of focus in this appendix have been extracted from TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria), issued in April 2017 by the AICPA’s Assurance Services Executive Committee. The complete text may be found at

The following table presents the trust services criteria and the related points of focus for security, availability, and confidentiality, which are applicable to a cybersecurity risk management examination. In the table, criteria and related points of focus that come directly from the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 Internal Control—Integrated Framework (COSO framework) are presented using a normal font. In contrast, criteria and points of focus that apply to engagements using the trust services criteria are presented in italics.

TSP Ref. #





COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.


The following points of ...
