What Are the SOC 2 Trust Services Criteria? An In-Depth Breakdown

Leave a Comment / SOC 2 / By

For organizations pursuing SOC 2 compliance, one of the most important, and often misunderstood, concepts is the Trust Services Criteria (TSC).

Many companies know they need a SOC 2 report to satisfy customer security requirements, but fewer understand what auditors are actually evaluating during the examination process. The Trust Services Criteria provide the foundation for every SOC 2 audit, shaping how organizations design, implement, monitor, and maintain their controls.

Understanding the TSC is essential not only for passing a SOC 2 examination, but for building a mature and defensible security program.

What Are the Trust Services Criteria?

The SOC 2 Trust Services Criteria are a set of control criteria established by the American Institute of Certified Public Accountants (AICPA). These criteria are used by CPA firms to evaluate whether a service organization has implemented appropriate controls related to security, availability, processing integrity, confidentiality, and privacy.

Importantly, SOC 2 is not a certification. It is an attestation report issued by an independent CPA based on the organization’s ability to meet the applicable Trust Services Criteria.

The criteria are designed to help organizations demonstrate that they:

  • Protect sensitive information
  • Manage cybersecurity risks appropriately
  • Maintain operational resilience
  • Establish effective governance and oversight
  • Operate controls consistently over time

The Five Trust Services Categories

SOC 2 includes five categories, commonly referred to as the Trust Services Criteria:

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

Of these, Security is mandatory for all SOC 2 reports. The remaining categories are optional and selected based on the organization’s services, customer expectations, and risk profile.

1. Security (Required)

Security, often called the Common Criteria, is the foundation of every SOC 2 report. This category evaluates whether systems are protected against unauthorized access, unauthorized disclosure, and other threats that could compromise the organization’s objectives.

Security controls typically address areas such as:

  • Access management
  • Multi-factor authentication (MFA)
  • Network security
  • Vulnerability management
  • Endpoint protection
  • Incident response
  • Change management
  • Risk assessments
  • Security awareness training

The Security category contains several major control domains, including:

  • Control Environment (CC1)
  • Communication and Information (CC2)
  • Risk Assessment (CC3)
  • Monitoring Activities (CC4)
  • Control Activities (CC5)
  • Logical and Physical Access Controls (CC6)
  • System Operations (CC7)
  • Change Management (CC8)
  • Risk Mitigation (CC9)

These domains collectively form the operational backbone of a SOC 2 examination.

Example Security Controls

Examples of controls auditors commonly evaluate include:

  • Quarterly user access reviews
  • MFA enforcement
  • Incident response testing
  • Annual penetration testing
  • Security training completion
  • Vendor risk assessments
  • Formal change approval procedures

Security is considered the most universally applicable category because every organization handling customer data must establish baseline protections.

2. Availability

The Availability category evaluates whether systems remain operational and accessible as committed or agreed upon. Availability does not guarantee zero downtime. Instead, it focuses on whether organizations have implemented controls to support system reliability, resilience, monitoring, and recovery capabilities.

Availability controls commonly include:

  • Disaster recovery planning
  • Business continuity procedures
  • Infrastructure redundancy
  • Backup management
  • System monitoring
  • Capacity planning
  • Recovery testing
Example Availability Controls

Organizations may demonstrate Availability through:

  • Redundant cloud infrastructure
  • Backup validation testing
  • Uptime monitoring
  • Failover testing
  • Incident escalation procedures

For SaaS providers and cloud platforms, Availability is often highly important because customers depend on continuous system access.

3. Processing Integrity

Processing Integrity evaluates whether systems process data completely, accurately, timely, and according to authorized specifications.

This category is particularly relevant for organizations whose platforms:

  • Process financial transactions
  • Handle automated workflows
  • Manage sensitive operational data
  • Deliver transaction-based services

Processing Integrity focuses on reducing risks such as:

  • Incomplete processing
  • Duplicate transactions
  • Data corruption
  • Unauthorized modifications
  • Processing delays
Example Processing Integrity Controls

Controls may include:

  • Input validation checks
  • Automated reconciliation processes
  • Error detection monitoring
  • Workflow approval mechanisms
  • Transaction logging
  • Quality assurance testing

Not every organization requires this category. Companies should evaluate whether customers rely on the accuracy and completeness of system processing outputs.

4. Confidentiality

Confidentiality focuses on protecting sensitive information from unauthorized disclosure. This category applies to confidential business information that is protected through contractual obligations, internal classifications, or regulatory requirements.

Confidentiality commonly applies to:

  • Proprietary business data
  • Intellectual property
  • Customer records
  • Internal financial data
  • Contractual information
  • Sensitive operational documentation
Example Confidentiality Controls

Organizations may implement controls such as:

  • Data classification standards
  • Encryption at rest and in transit
  • Data retention policies
  • Secure disposal procedures
  • Access restrictions
  • Data loss prevention (DLP)

Many organizations pursuing SOC 2 include Confidentiality because enterprise customers frequently expect assurance around sensitive information handling.

5. Privacy

Privacy focuses specifically on the collection, use, retention, disclosure, and disposal of personal information.

This category is broader than cybersecurity alone because it addresses how organizations manage personal data throughout its lifecycle.

Privacy controls often align with regulatory frameworks such as:

  • GDPR
  • CCPA
  • HIPAA
  • State privacy laws
Example Privacy Controls

Organizations may implement:

  • Privacy notices
  • Consent management
  • Data subject request handling
  • Data minimization practices
  • Privacy impact assessments
  • Personal data retention schedules

Privacy is especially important for organizations handling consumer information, healthcare records, or regulated personal data.

Understanding the Common Criteria (CC1–CC9)

One of the most important aspects of SOC 2 is the Common Criteria structure that underpins the Security category.

The Common Criteria represent core governance and operational control areas auditors evaluate across the environment.

CC1 – Control Environment

Evaluates organizational governance, ethics, accountability, and management oversight.

Examples include:

  • Organizational structure
  • Employee conduct policies
  • Security governance
  • Leadership oversight
CC2 – Communication and Information

Focuses on how organizations communicate security responsibilities internally and externally.

Examples include:

  • Information security policies
  • Internal reporting processes
  • Customer communication procedures
CC3 – Risk Assessment

Evaluates how organizations identify, assess, and mitigate risk.

Examples include:

  • Risk assessments
  • Threat analysis
  • Vendor evaluations
  • Change risk reviews
CC4 – Monitoring Activities

Assesses whether organizations continuously monitor control effectiveness.

Examples include:

  • Penetration testing
  • Internal reviews
  • KPI monitoring
  • Audit activities
CC5 – Control Activities

Evaluates whether operational controls are formally established and implemented.

Examples include:

  • Security procedures
  • Operational workflows
  • Policy enforcement
CC6 – Logical and Physical Access Controls

Focuses on restricting unauthorized access to systems and data.

Examples include:

  • MFA
  • User provisioning
  • Least privilege access
  • Remote access controls
CC7 – System Operations

Evaluates monitoring, vulnerability management, and incident response activities.

Examples include:

  • Vulnerability scans
  • Incident response plans
  • Security event monitoring
CC8 – Change Management

Assesses how organizations manage infrastructure and software changes securely.

Examples include:

  • Change approvals
  • Testing procedures
  • Deployment controls
CC9 – Risk Mitigation

Evaluates how organizations address business disruption and third-party risks.

Examples include:

  • Vendor risk management
  • Business continuity planning
  • Disaster recovery strategies

How Organizations Choose Applicable Criteria

Not every Trust Services Category applies to every organization.

Selection depends on:

  • Industry expectations
  • Customer contractual requirements
  • Types of data processed
  • Operational risks
  • Service commitments

For example:

  • SaaS companies often prioritize Security, Availability, and Confidentiality.
  • Healthcare organizations may include Privacy.
  • Financial transaction processors may include Processing Integrity.

A readiness assessment can help organizations determine the appropriate scope and criteria before beginning the audit process.

Why the Trust Services Criteria Matter

The Trust Services Criteria are more than audit requirements. They represent operational best practices for governance, cybersecurity, and risk management.

Strong alignment with the TSC helps organizations:

  • Improve security maturity
  • Strengthen customer trust
  • Reduce operational risk
  • Accelerate enterprise sales cycles
  • Improve incident preparedness
  • Demonstrate accountability

Organizations that understand the intent behind the criteria — rather than simply checking boxes — tend to build more resilient and scalable compliance programs.

Final Thoughts

The SOC 2 Trust Services Criteria form the foundation of every SOC 2 examination. Understanding how these criteria work, and how they map to real-world operational controls, is essential for organizations pursuing compliance maturity and customer trust. Rather than viewing the TSC as abstract audit language, organizations should treat them as a framework for building stronger governance, more effective cybersecurity controls, and long-term operational resilience.

At RS Assurance & Advisory (RSAA), we help organizations navigate SOC 2 readiness, control implementation, risk assessments, and CPA-attested examinations with practical guidance tailored to each organization’s operational environment.

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top