ISpectra Technologies
Core Concepts · Guide · Updated Jun 2026 · 6 min read

SOC 2 Trust Services Criteria (TSC) Explained

The Trust Services Criteria (TSC) are the foundation of every SOC 2 report. Defined by the AICPA, they describe the outcomes your controls must achieve to protect customer data. Understanding them — and choosing the right ones — is the most consequential early decision in any SOC 2 program, because it sets your scope, cost, and timeline.

This guide explains all five criteria in depth, how to decide which apply to your business, and how the mandatory Common Criteria underpin the rest.

What the Trust Services Criteria are

SOC 2 is built on five criteria. Only Security is mandatory; the other four are included based on the commitments you make to customers. The auditor evaluates the design (Type 1) and operating effectiveness (Type 2) of the controls you map to each in-scope criterion.

  • Security (mandatory) — protection of systems and data against unauthorized access
  • Availability — systems are available for operation and use as committed
  • Processing Integrity — processing is complete, valid, accurate, timely, and authorized
  • Confidentiality — information designated confidential is protected
  • Privacy — personal information is collected, used, retained, and disposed of properly

Security: the Common Criteria (CC1-CC9)

Security is the baseline present in every SOC 2 and is organized as the Common Criteria, CC1 through CC9. These align with the COSO framework and cover the control environment, communication, risk assessment, monitoring, control activities, logical and physical access, system operations, change management, and risk mitigation. The other four criteria layer additional, category-specific requirements on top of this foundation.

Availability

Availability addresses whether your systems are accessible as committed in SLAs and contracts. It covers capacity planning, redundancy, backups, environmental protections, and disaster recovery. Include it if you make uptime commitments or run infrastructure your customers depend on operationally.

Processing Integrity

Processing Integrity asks whether your system processes data completely, accurately, and in a timely, authorized way. It matters when the correctness of what your system does is part of the service — payments, transactions, analytics, or billing. Controls focus on input validation, processing checks, and output reconciliation.

Confidentiality

Confidentiality concerns information designated as confidential — business IP, contracts, or data under NDA — and whether it is protected throughout its lifecycle. Controls include data classification, encryption, access restriction, retention, and secure disposal. It differs from Privacy, which is specifically about personal information.

Privacy

Privacy addresses personal information (PII) and whether it is handled per the AICPA privacy criteria and your privacy notice: notice and consent, collection limitation, use, retention, disclosure, and disposal, plus handling of data-subject requests. Include it if you process consumer personal data under privacy commitments.

How to choose your criteria

Start with Security. Add others only when your customer commitments require them, because each added criterion expands controls, evidence, and audit effort.

  • Offer uptime SLAs or critical infrastructure: add Availability
  • Process transactions, payments, or financial data: add Processing Integrity
  • Handle sensitive business data or IP under NDA: add Confidentiality
  • Process consumer PII under privacy commitments: add Privacy

Most SaaS companies begin with Security only, or Security plus Availability and Confidentiality, and expand scope in later annual reports as they grow.

How the criteria translate into real controls

The criteria describe outcomes; controls are how you achieve them. Mapping one to the other is what makes an abstract framework actionable:

  • Security maps to access management, encryption, logging and monitoring, change management, and incident response
  • Availability maps to capacity planning, redundancy, backups, and tested disaster recovery
  • Processing Integrity maps to input validation, processing checks, and output reconciliation
  • Confidentiality maps to data classification, encryption, access restriction, and secure disposal
  • Privacy maps to consent, data-minimization, retention schedules, and data-subject request handling

A control matrix that ties each control to the criteria it supports is the artifact auditors rely on, and the one that makes your own maintenance straightforward.

Points of focus: how auditors interpret each criterion

Beneath each criterion the AICPA publishes points of focus: illustrative considerations that show what meeting the criterion can look like. They are guidance, not mandatory requirements, but they are invaluable for two reasons. First, they help you design controls that will actually satisfy the criterion rather than guessing. Second, they reveal how an auditor thinks when testing your environment, since the points of focus frame what good looks like. Reviewing your control set against the current points of focus (refreshed by the AICPA in 2022) is a fast way to find and close gaps before an auditor does, without treating the points of focus as a rigid checklist.

How the criteria apply across different business models

Because SOC 2 is principles-based, the same five criteria express themselves very differently depending on what your company does, and seeing those patterns helps you scope confidently. A pure B2B SaaS platform that stores customer data but makes no specific uptime promises typically scopes to Security alone for its first report, since that is what its buyers' security teams ask about. As soon as that platform begins signing contracts with explicit uptime commitments, Availability becomes relevant, because customers now depend operationally on the service being reachable and the auditor will expect to see capacity planning, redundancy, and tested recovery.

Fintech and payments companies almost always add Processing Integrity, because the correctness and completeness of transaction processing is the heart of what they sell; an error that double-charges a customer or drops a payment is not just a bug but a control failure. Health-tech vendors frequently combine Confidentiality and Privacy, since they handle sensitive personal and health information under both contractual confidentiality terms and privacy commitments, and they often run SOC 2 alongside HIPAA. Infrastructure and hosting providers lean heavily on Availability and Security together, because their customers build on top of them and inherit their resilience.

The lesson is to read your own contracts and customer questionnaires rather than copying another company's scope. The criteria you genuinely commit to, not the ones that sound impressive, are the ones worth including, and you can always expand at the next annual report as your commitments grow.

Why Security is always the mandatory foundation

It is worth understanding why Security alone is required while the other four criteria are optional. Security (the Common Criteria, CC1 through CC9) describes the baseline control environment that any other commitment depends on: governance, risk assessment, access control, monitoring, change management, and incident response. You cannot meaningfully promise availability, processing integrity, confidentiality, or privacy if the underlying systems are not protected against unauthorized access in the first place. That is why every SOC 2 report includes Security, and why the optional criteria are layered on top of it rather than standing alone. Practically, this means your first investment should always go into a solid Security foundation; the additional criteria then reuse much of that same control work, which is part of why expanding scope later is far less effort than building the foundation was.

Common scoping mistakes

The most expensive mistake is including all five criteria 'to be thorough.' It inflates cost and effort with no commercial benefit. Let your contracts and customer questionnaires — not caution — decide which criteria you genuinely need. These criteria define exactly what SOC 2 compliance is measured against.

FAQ

SOC 2 Trust Services Criteria (TSC) Explained — Frequently Asked Questions

How many Trust Services Criteria are there?
Five: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Which criteria are mandatory?
Only Security, also called the Common Criteria (CC1-CC9). The other four are optional.

Do I need to include all five criteria?
No — most start with Security alone or Security plus Availability and Confidentiality.

What is the difference between Confidentiality and Privacy?
Confidentiality covers any information designated confidential; Privacy specifically covers personal information (PII).

When should I include Privacy?
When you collect and process consumer personal information under privacy commitments.

Does adding criteria increase cost and timeline?
Yes — each criterion adds controls, evidence, and audit scope, raising cost and timeline.

Can I expand scope later?
Yes — expanding scope at annual renewals as your commitments grow is common.