SOC 2 Trust Services Criteria Explained

The Trust Services Criteria (TSC) form the foundation of every SOC 2 examination. Defined by the AICPA (the current version is the 2017 TSC, with revised points of focus issued in 2022), these criteria set the benchmarks against which an organization's controls are evaluated. There are five categories:

Security (Common Criteria): The most fundamental category and the only one required in every SOC 2 engagement. Its criteria, numbered CC1 through CC9, address protection against unauthorized access (physical and logical), unauthorized disclosure, and damage to systems. Controls typically cover the control environment, risk assessment, logical and physical access management, network security, system operations and incident response, and change management. The other four categories are optional and add supplemental criteria on top of these.

Availability: Evaluates whether the system is operational and accessible as committed or agreed, for example in an SLA. The auditor tests against the organization's own stated commitments, not a fixed uptime figure. Controls typically cover capacity and performance monitoring, environmental protections, backup and recovery, and business continuity and disaster recovery plans, including evidence that those plans are actually tested.

Processing Integrity: Assesses whether system processing is complete, valid, accurate, timely, and authorized. This concerns the integrity of the processing itself, not the correctness of data supplied as input. It is particularly relevant for financial technology companies and other organizations whose service consists of processing transactions.

Confidentiality: Examines how the organization identifies, protects, and disposes of information designated as confidential, such as customer business data, intellectual property, or material covered by an NDA. Controls cover data classification, encryption, access controls specific to confidential data, and secure disposal. It is distinct from Privacy, which concerns personal information.

Privacy: Addresses how personal information is collected, used, retained, disclosed, and disposed of, and whether that handling matches the organization's privacy notice and commitments. These criteria overlap with regulations such as GDPR and CCPA, but a SOC 2 privacy opinion is not a certification of compliance with those laws.

Most organizations begin with Security, which is required, and add Availability and Confidentiality. The selection should follow the commitments actually made to customers: if contracts promise an uptime SLA, Availability belongs in scope. Adding all five categories increases audit scope and cost by approximately 40-60% compared with a Security-only engagement.