SOC 2 Trust Services Criteria Explained
Quick Answer
The SOC 2 Trust Services Criteria are five categories (Security, Availability, Processing Integrity, Confidentiality, and Privacy) that set the criteria a service organization's controls must meet. Only Security, which is built on the Common Criteria, is mandatory; the other four are added to scope based on the commitments you make to your customers.
What Are the Trust Services Criteria?
The Trust Services Criteria (TSC) are the foundation of every SOC 2 audit. Developed by the AICPA (the current edition is the 2017 TSC, with points of focus revised in 2022), they define five categories of criteria that a service organization's controls must satisfy to protect the systems and data in scope. Think of them as the "what" you need to achieve; the specific how (which technologies, processes, and policies you use) is up to you, and the auditor tests whether the controls you chose actually meet each criterion.
Key Takeaways
- Five criteria: Security (CC), Availability, Processing Integrity, Confidentiality, Privacy
- Security (Common Criteria) is mandatory for every SOC 2 audit — the other four are optional
- Most SaaS companies include Security + Availability (and sometimes Confidentiality)
- Each criterion comes with AICPA points of focus that illustrate how it can be met and map it to concrete security practices
- Your customers' requirements should drive which criteria you include
The Five Trust Services Criteria
1. Security (Common Criteria) — Required
Security is the foundation of SOC 2 and is required for every audit. It consists of the Common Criteria (CC): 9 categories containing 33 individual criteria, each accompanied by points of focus that describe how it can be met. CC1 through CC5 are drawn from the COSO internal control framework; CC6 through CC9 are the technical and operational criteria where most security engineering work lands. The Security category requires that information and systems are protected against unauthorized access, unauthorized disclosure, and damage, covering both logical and physical access.
Security (CC) Key Control Areas
- CC1: Control environment — Management commitment, organizational structure, accountability
- CC2: Communication — Internal and external communication of security policies
- CC3: Risk assessment — Identifying and analyzing risks to system security
- CC4: Monitoring — Ongoing evaluation of controls and security posture
- CC5: Control activities — Policies and procedures to mitigate risks
- CC6: Logical and physical access — Access control, authentication, authorization
- CC7: System operations — Detecting anomalies, managing incidents, recovering from events
- CC8: Change management — Managing changes to infrastructure, software, and processes
- CC9: Risk mitigation — Vendor management, business continuity, insurance
2. Availability
The Availability criterion requires that your system is available for operation and use as committed or agreed. It does not impose a minimum uptime figure; the auditor tests whether you meet the commitments you have actually made (SLAs, uptime targets, recovery objectives) and whether you have the monitoring, capacity, and recovery controls to back them. If you offer SLAs or uptime guarantees, or your customers depend on your system being accessible, include Availability.
- System performance monitoring and capacity planning
- Disaster recovery and business continuity planning
- Incident response for availability events
- Backup procedures and data recovery testing
- Redundancy and failover mechanisms
- SLA measurement and reporting
3. Processing Integrity
Processing Integrity ensures that system processing is complete, valid, accurate, timely, and authorized. This criterion is most relevant for companies that process transactions, calculate results, or transform data where accuracy is critical.
- Data processing accuracy and completeness checks
- Input validation and error handling
- Output reconciliation and verification
- Quality assurance processes for data processing
- Processing error detection and correction
4. Confidentiality
Confidentiality focuses on protecting information designated as confidential — trade secrets, intellectual property, business plans, financial data, or any information restricted by contract (NDA) or regulation.
- Identification and classification of confidential information
- Encryption of confidential data at rest and in transit
- Access restrictions to confidential information
- Secure disposal of confidential data
- Confidentiality agreements with employees and vendors
5. Privacy
The Privacy criterion governs the collection, use, retention, disclosure, and disposal of personal information. Its eight criteria (P1 through P8) were derived from the AICPA's Generally Accepted Privacy Principles (GAPP) and cover notice, choice and consent, collection, use and retention, access, disclosure, quality, and monitoring. It is relevant if you collect personal data (PII) from end users and make privacy commitments to them. Because the criteria assume you control the privacy notice and consent, companies that only process personal data on a customer's behalf under contract often scope Confidentiality instead, unless a customer specifically asks for Privacy.
ℹ️ Privacy vs Confidentiality
These two criteria are often confused. Confidentiality protects any information designated as confidential (could be business data, IP, etc.). Privacy specifically governs personal information (PII) and has additional requirements around consent, data subject rights, and purpose limitation.
Which Criteria Should You Include?
| Company Type | Recommended Criteria | Why |
|---|---|---|
| B2B SaaS (general) | Security + Availability | Customers care about uptime and security |
| SaaS processing financial data | Security + Availability + Processing Integrity | Accuracy of financial calculations is critical |
| Data analytics platform | Security + Confidentiality + Processing Integrity | Handling sensitive client data with accuracy requirements |
| Healthcare SaaS | Security + Availability + Privacy | Processing personal health information |
| Cloud infrastructure provider | Security + Availability + Confidentiality | Uptime and data isolation are critical |
| Payroll/HR SaaS | All five criteria | Handling PII, financial data, with high accuracy and uptime needs |
Common Criteria (CC) Deep Dive
SOC 2 Common Criteria Structure
The nine CC categories flow from governance and risk management to operational controls:
- CC1-CC2 Governance: control environment and communication
- CC3 Risk Assessment: identify and analyze risks
- CC4 Monitoring: evaluate control effectiveness
- CC5 Control Activities: policies and procedures
- CC6 Access Controls: logical and physical access
- CC7 Operations: detection, incident response, recovery
- CC8 Change Management: infrastructure and code changes
- CC9 Risk Mitigation: vendors, BCP, insurance
Can I add Trust Services Criteria later?
Yes. Many companies start with Security (CC) only and add criteria in subsequent audits; your auditor expands the scope for the next report. One caveat for Type II reports: the controls supporting a newly added criterion must be designed, documented, and operating throughout the review period before they can be tested, so decide on scope changes before the period starts rather than at the end.
Does adding criteria significantly increase audit cost?
Each additional criterion adds to audit fees and lengthens the timeline; figures of $5,000-$15,000 and 1-4 weeks per criterion are commonly quoted, though they depend heavily on the auditor and on how mature your existing controls are. Availability and Confidentiality are usually the cheapest to add because they reuse the monitoring, backup, and access controls you already operate for Security; Privacy is the most complex because it introduces new obligations around notice, consent, and data subject requests.
What if my customer requires all five criteria?
If a customer specifically requires all five, you'll need to comply. But in practice, most enterprise security teams are satisfied with Security + Availability + Confidentiality. Ask your customers which criteria they actually need.
How do Trust Services Criteria map to ISO 27001 controls?
There is significant overlap: roughly 80% of the SOC 2 Common Criteria are commonly estimated to map to ISO 27001 Annex A controls, and the AICPA publishes mappings of the 2017 TSC to other frameworks, including ISO 27001. Two caveats: the mapping is many-to-many rather than one-to-one, so a single control usually has to be evidenced differently for each framework, and ISO 27001:2022 reorganized Annex A (93 controls in four themes, replacing the 114 controls in 14 domains of the 2013 edition), so check which edition a given mapping targets. Companies pursuing both frameworks can leverage shared controls, especially around access control, change management, and incident response.