SOC 2 Academy: Classifying Confidential Information

Author: kirkpatrickprice00


Oftentimes when clients use an organization’s services, they hand over data that requires different levels of classification. This might mean labeling the data you hold as “secret,” “confidential,” or “public.” So why is classifying confidential information necessary for SOC 2 compliance? It comes down to knowing which internal controls must be implemented to ensure that confidential data remains protected as agreed upon with the client. If your organization classifies data as “confidential” but fails to implement internal controls that actually secure that information, why would a client trust you with their data?
Complying with confidentiality criterion 1.1 then comes down to two key points of focus. The first is simple: auditors want to verify that the organization is in fact classifying confidential information, and is doing so accurately. Second, auditors want to verify that the organization has procedures to destroy confidential information once it has been held for the required retention period. Many legal regulations and contractual agreements stipulate that organizations hold data for a specified period of time. For example, Article 5(1)(e) of GDPR requires organizations that process the personal data of EU data subjects to keep that data for no longer than is necessary for the purposes for which it is processed. While that is not an explicit time period, once the purpose for which the personal data was collected has been fulfilled, the organization needs procedures in place to securely destroy that confidential data.

About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks.

Contact us today: 800-770-2701