SOC 2 Trust Services Criteria: A Practical View for Security Teams
SOC 2 audits are structured around the Trust Services Criteria, a framework developed by the AICPA. These criteria outline expectations for managing data securely and responsibly. The core criteria, established in 2017, remain unchanged. However, in 2022, the AICPA issued revised points of focus to address evolving technologies, threats, and regulatory requirements.
The Trust Services Criteria guide service organizations in shaping their cybersecurity programs. They serve as reference points during audits, with organizations responsible for designing their own controls. Security is mandatory in every SOC 2 audit, while the inclusion of Availability, Processing Integrity, Confidentiality, and Privacy depends on the services provided and the nature of the data handled.
Organizations often start with criteria already addressed in their operations and may incorporate additional criteria over time as risks and customer needs evolve.
Key Takeaways
- SOC 2 uses the AICPA Trust Services Criteria; Security is required, the other four are optional.
- The criteria have stayed stable since 2017; the points of focus were updated in 2022 for newer risks and technologies.
- Companies design their own controls to meet the criteria and can expand scope over time.
- Security (CC1–CC9) covers governance, risk, access, operations, change, monitoring, and mitigation.
- The optional criteria address uptime, correct processing, confidential data protection, and privacy for PII.
- SOC 2+ can map controls to frameworks like NIST, HIPAA, HITRUST, or similar standards.
What Are the Five AICPA Trust Services Criteria for SOC 2?
The AICPA Trust Services Criteria (TSC) form the foundation of SOC 2 audits. These criteria define the areas organizations must address to demonstrate sound practices in data security, system reliability, and privacy. Each criterion outlines specific control objectives and can be selected based on the services a company provides.
Here’s a detailed explanation of each one:

1. Security
The Security Trust Services Criterion focuses on protecting systems and data from unauthorized access, disclosure, or modification.
Also referred to as the Common Criteria, this area confirms that a service organization has safeguards in place to prevent intrusion, misuse, and operational disruption. Controls under this criterion typically include access management, firewalls, encryption, and intrusion detection.
Security is mandatory in every SOC 2 audit. The remaining four criteria are optional and can be included depending on your organization’s services and risk profile.
Common Criteria (CC1–CC9):
- CC1: Control Environment – Establishes the foundation for internal control through integrity and ethical values.
- CC2: Communication and Information – Ensures relevant information is identified, captured, and communicated in a timely manner.
- CC3: Risk Assessment – Identifies and analyzes risks to achieving objectives.
- CC4: Monitoring Activities – Ongoing evaluations to ascertain whether controls are present and functioning.
- CC5: Control Activities – Policies and procedures that help ensure management directives are carried out.
- CC6: Logical and Physical Access Controls – Restricts access to systems and data to authorized individuals.
- CC7: System Operations – Ensures system operations are managed to achieve objectives.
- CC8: Change Management – Manages changes to system components to prevent unauthorized alterations.
- CC9: Risk Mitigation – Identifies and mitigates risks from business disruptions and vendor relationships.
Legal Considerations:
Compliance with regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) is essential, as they mandate stringent security measures to protect personal and sensitive data.
2. Availability
Availability evaluates whether systems remain accessible and operational when needed, both for internal users and external customers.
This includes mechanisms like data replication, disaster recovery solutions, failover strategies, and uptime monitoring. If a natural disaster impacts a facility, resilient design—such as backup power systems and redundant infrastructure—should keep services online.
Consider including Availability in your SOC 2 scope if:
- You provide continuous integration or delivery services.
- Downtime would prevent clients from maintaining or deploying their products (e.g., SaaS platforms, cloud infrastructure providers).
Additional Criteria (A-series):
- A1: Current Processing Capacity – Systems maintain current processing capacity to meet demands.
- A2: Data Backup Procedures – Regular backups are performed to prevent data loss.
- A3: Disaster Recovery Planning – Plans are in place to recover from system disruptions.
Legal Considerations:
Regulations like the Sarbanes-Oxley Act (SOX) require organizations to have controls ensuring system availability to maintain accurate financial reporting.
3. Processing Integrity
Processing Integrity reviews whether systems deliver accurate and timely processing of data, without unintended delays, errors, or manipulation.
It focuses on whether a system operates correctly rather than whether the data input is accurate. For example, if an online order system lets a customer complete a purchase and sends the item to the address provided—even if that address was typed incorrectly—the system still meets the Processing Integrity requirement.
Consider including this criterion if:
- You manage transactional platforms such as e-commerce or financial systems.
- Your services require dependable execution to detect anomalies and reduce fraud.
Additional Criteria (PI-series):
- PI1: Data Processing Accuracy – Systems process data accurately and completely.
- PI2: Processing Timeliness – Transactions are processed in a timely manner.
- PI3: Authorization of Processing – Processing is authorized and in accordance with policies.
Legal Considerations:
Compliance with financial regulations, such as those enforced by the Securities and Exchange Commission (SEC), necessitates accurate and authorized data processing to ensure reliable financial statements.
4. Confidentiality
Confidentiality addresses how sensitive information is stored, accessed, and shared within the organization.
This includes implementing policies for data classification, restricting access to authorized personnel, and encrypting confidential records. Examples of protected information include contracts, financial statements, business strategies, and proprietary designs.
Consider including Confidentiality if:
- Your business handles sensitive material such as intellectual property, trade secrets, or client-specific plans.
Additional Criteria (C-series):
- C1: Confidentiality Agreements – Agreements are in place to protect confidential information.
- C2: Access Controls for Confidential Data – Access to confidential data is restricted to authorized personnel.
- C3: Encryption of Confidential Information – Confidential data is encrypted during storage and transmission.
Legal Considerations:
Laws like the Trade Secrets Act and contractual obligations require organizations to implement measures safeguarding confidential information.
5. Privacy
The Privacy criterion assesses how personal data is collected, stored, used, and shared in line with the AICPA’s Generally Accepted Privacy Principles (GAPP).
It focuses specifically on personally identifiable information (PII) such as names, email addresses, home addresses, and Social Security numbers. For some sectors, this also extends to data about health, biometric identifiers, or demographic attributes.
Consider including Privacy if:
- Your platform collects or processes customer PII, especially in regulated sectors like healthcare, finance, or education.
Additional Criteria (P-series):
- P1: Notice and Communication of Objectives – Individuals are informed about privacy policies and practices.
- P2: Choice and Consent – Individuals have the opportunity to consent to the collection and use of their personal information.
- P3: Collection Limitation – Personal information collected is limited to what is necessary.
- P4: Use, Retention, and Disposal – Personal information is used, retained, and disposed of appropriately.
- P5: Access – Individuals have access to their personal information and can correct inaccuracies.
- P6: Disclosure to Third Parties – Personal information is disclosed to third parties only as permitted.
- P7: Security for Privacy – Measures are in place to protect personal information.
- P8: Quality – Personal information is accurate, complete, and relevant.
- P9: Monitoring and Enforcement – Compliance with privacy policies is monitored, and violations are addressed.
Legal Considerations:
Regulations such as GDPR and the California Consumer Privacy Act (CCPA) impose strict requirements on how personal information is handled, granting individuals rights over their data and mandating organizations to implement robust privacy controls.
What Are SOC 2 Compliance Requirements?
SOC 2 requirements are risk-based and depend on the Trust Services Criteria included in scope, with Security always required. You meet SOC 2 expectations when management defines the system boundary, selects applicable criteria, designs and implements controls that address those criteria, documents policies and evidence, and completes an independent CPA examination.
- Define scope: system description, boundaries, services, locations, and third-party dependencies.
- Choose criteria: Security is required; add other criteria only if relevant to customer commitments and how your service works.
- Implement controls: policies, technical safeguards, operational procedures, and governance that address the selected criteria.
- Collect evidence: tickets, logs, access reviews, training records, incident records, vendor reviews, change records, and other artifacts that prove controls operate as described.
- Complete the audit:
  - Type 1: evaluates the design of controls at a point in time.
  - Type 2: evaluates the operating effectiveness of controls over a defined period.
Which Criteria Are Applicable to SOC 2 Engagements?
The applicable criteria in a SOC 2 engagement are the Trust Services Criteria categories that management selects for the report, with Security always included. Availability, Processing Integrity, Confidentiality, and Privacy are included only when they match what the service promises customers and what data the service handles.
- Security: required for every SOC 2 engagement.
- Availability: applicable when uptime, resilience, disaster recovery, and capacity commitments matter to customers.
- Processing Integrity: applicable when the service processes transactions or data and accuracy, completeness, and timeliness are part of the commitment.
- Confidentiality: applicable when the service stores or transmits sensitive non-public business information that must be protected.
- Privacy: applicable when the service collects, uses, stores, discloses, or disposes of personal information.
What if a Client Is Asking for All Criteria to Be Included?
Some clients or prospects request that all five criteria be included in a SOC 2 report—even when not all of them apply. This usually stems from a lack of clarity on what each criterion represents. Rather than defaulting to a full-scope audit, it’s best to have a direct conversation with the client.
Service providers often find that bringing the auditor into the conversation helps resolve confusion. This discussion helps explain each criterion’s intent and allows both parties to agree on a relevant and efficient scope for the audit.
Can Testing Occur in a SOC 2 Outside of the SOC 2 Criteria?
Yes, SOC 2 audits allow flexibility through a structure known as SOC 2+. This format permits organizations to map their controls against other frameworks, certifications, or regulatory standards.
Common examples include:
- HITRUST CSF
- NIST Cybersecurity Framework (CSF)
- HIPAA Security Rule
SOC 2+ helps organizations meet multiple assurance requirements within a single examination. This is especially useful for service providers who need to demonstrate compliance across several regulatory domains without running redundant audits.
Points of Focus in a SOC 2
The concept of “points of focus” became part of SOC 2 reporting with the release of the 2017 Trust Services Criteria. While new to SOC 2 at the time, points of focus had already been part of the COSO internal control framework. Each Trust Services Criterion includes an associated set of points of focus. These are not mandatory requirements but serve as guidance that helps shape the design, implementation, and ongoing operation of the controls tied to each criterion.
The 2017 Trust Services Criteria include over 200 points of focus just under the Security (or Common Criteria) category. When expanded to cover all five criteria—Security, Availability, Processing Integrity, Confidentiality, and Privacy—the list grows to 61 criteria with nearly 300 points of focus in total.
These numbers can seem overwhelming, but they largely reflect best practices that SOC 2 auditors already expect. The 2017 update simply documented them more explicitly. According to AICPA guidance (TSP 100.07), a service organization is not required to meet every point of focus. Instead, they serve as examples or suggestions of how organizations might meet the criteria.
Frequently Asked Questions
The Trust Services Criteria are AICPA control criteria used in SOC 2 engagements to evaluate and report on controls over the security and related attributes of the systems that deliver a service.
Security is the baseline for every SOC 2 report, and the other categories are added when they match the service commitments and customer expectations for availability, processing integrity, confidentiality, or privacy.
Common criteria are the security foundation that applies across SOC 2, and many guides describe them as CC1 to CC9, which security teams typically translate into governance and oversight, risk assessment, access control, change management, system operations, monitoring, incident response, and vendor management evidence.
Availability fits when you make uptime or resilience commitments, confidentiality fits when you commit to restricting access to sensitive data, privacy fits when you handle personal information under stated privacy commitments, and processing integrity fits when you commit to complete, valid, accurate, and timely processing for defined transactions.
Auditors typically look for documented policies and procedures plus proof the controls ran as described, such as access reviews, MFA and privileged access settings, change tickets and approvals, vulnerability handling records, incident response records, monitoring alerts, and a clear list of complementary user entity controls that customers must operate.
A SOC 2 Type 1 report can be the fastest first milestone when timing is tight because it covers control design at a point in time, while Type 2 needs a measurement period to show controls operated over time.
Start with a system scope statement, a data flow map for in-scope data, an inventory of in-scope apps and vendors, and an evidence plan that assigns an owner and a source system for each control so evidence collection does not turn into a late scramble.
Check the report period, the system and services in scope, the Trust Services Criteria included, the auditor’s opinion, and any listed complementary user entity controls, because those details tell you what was actually reviewed and what you still must operate on your side.
The five SOC 2 Trust Services Criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.
A practical SOC 2 Type 2 checklist covers the steps below:
- Pick Type 2 and set the testing period.
- Define the system scope and boundaries.
- Choose the Trust Services Criteria needed (Security is always included).
- Document controls and the system description used in the report package.
- Run the controls for the full period and collect evidence as you go.
- Do a readiness or gap review, then fix gaps before audit testing starts.
- Engage an independent CPA firm to perform the examination and issue the report.
The SOC 2 Security criterion focuses on protecting the system against unauthorized access and security events, and it is typically evaluated through Common Criteria themes such as governance and oversight (CC1), communication (CC2), risk assessment (CC3), monitoring (CC4), control activities (CC5), logical and physical access controls (CC6), system operations (CC7), change management (CC8), and risk mitigation (CC9).