
Tamzid Ahmed | Cybersecurity Writer
July 19, 2025
5 SOC 2 Trust Services Criteria
SOC 2 audits are structured around the Trust Services Criteria, a framework developed by the AICPA. These criteria outline expectations for managing data securely and responsibly. The core criteria, established in 2017, remain unchanged. However, in 2022, the AICPA issued revised points of focus to address evolving technologies, threats, and regulatory requirements.
The Trust Services Criteria guide service organizations in shaping their cybersecurity programs. They serve as reference points during audits, with organizations responsible for designing their own controls. Security is mandatory in every SOC 2 audit, while the inclusion of Availability, Processing Integrity, Confidentiality, and Privacy depends on the services provided and the nature of the data handled.
Organizations often start with criteria already addressed in their operations and may incorporate additional criteria over time as risks and customer needs evolve.
What Are the Five AICPA Trust Services Criteria for SOC 2?
The AICPA Trust Services Criteria (TSC) form the foundation of SOC 2 audits. These criteria define the areas organizations must address to demonstrate sound practices in data security, system reliability, and privacy. Each criterion outlines specific control objectives and can be selected based on the services a company provides.
Here’s a detailed explanation of each one:

1. Security
The Security Trust Services Criterion focuses on protecting systems and data from unauthorized access, disclosure, or modification.
Also referred to as the Common Criteria, this area confirms that a service organization has safeguards in place to prevent intrusion, misuse, and operational disruption. Controls under this criterion typically include access management, firewalls, encryption, and intrusion detection.
Security is mandatory in every SOC 2 audit. The remaining four criteria are optional and can be included depending on your organization’s services and risk profile.
Common Criteria (CC1–CC9):
- CC1: Control Environment – Establishes the foundation for internal control through integrity and ethical values.
- CC2: Communication and Information – Ensures relevant information is identified, captured, and communicated timely.
- CC3: Risk Assessment – Identifies and analyzes risks to achieving objectives.
- CC4: Monitoring Activities – Ongoing evaluations to ascertain whether controls are present and functioning.
- CC5: Control Activities – Policies and procedures that help ensure management directives are carried out.
- CC6: Logical and Physical Access Controls – Restricts access to systems and data to authorized individuals.
- CC7: System Operations – Ensures system operations are managed to achieve objectives.
- CC8: Change Management – Manages changes to system components to prevent unauthorized alterations.
- CC9: Risk Mitigation – Identifies and mitigates risks from business disruptions and vendor relationships.
Legal Considerations:
Compliance with regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) is essential, as they mandate stringent security measures to protect personal and sensitive data.
2. Availability
Availability evaluates whether systems remain accessible and operational when needed, both for internal users and external customers.
This includes mechanisms like data replication, disaster recovery solutions, failover strategies, and uptime monitoring. If a natural disaster impacts a facility, resilient design—such as backup power systems and redundant infrastructure—should keep services online.
Consider including Availability in your SOC 2 scope if:
- You provide continuous integration or delivery services.
- Downtime would prevent clients from maintaining or deploying their products (e.g., SaaS platforms, cloud infrastructure providers).
Additional Criteria (A-series):
- A1.1: Capacity Management – The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) so that additional capacity can be added to meet demand.
- A1.2: Environmental Protections, Backup, and Recovery Infrastructure – The entity designs, implements, operates, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
- A1.3: Recovery Testing – The entity tests the recovery plan procedures that support system recovery.
All three sit under the single criterion A1; the AICPA does not define separate A2 or A3 criteria, although summaries sometimes label them that way.
Legal Considerations:
The Sarbanes-Oxley Act (SOX) does not set uptime targets directly, but its Section 404 requirement for internal control over financial reporting means that the systems supporting financial reporting must be available and recoverable when needed.
3. Processing Integrity
Processing Integrity reviews whether systems deliver accurate and timely processing of data, without unintended delays, errors, or manipulation.
The AICPA defines processing integrity as system processing that is complete, valid, accurate, timely, and authorized. It concerns whether the system operates correctly, not whether the data supplied to it is correct. For example, if an online order system lets a customer complete a purchase and sends the item to the address provided—even if that address was typed incorrectly—the system still meets the Processing Integrity requirement, because it processed the order exactly as submitted.
Consider including this criterion if:
- You manage transactional platforms such as e-commerce or financial systems.
- Your customers rely on the system to execute operations exactly as submitted, for example to detect anomalies or reduce fraud.
Additional Criteria (PI-series):
- PI1.1: Processing Specifications – The entity obtains or generates, uses, and communicates relevant, quality information about its processing objectives, including definitions of the data processed and product and service specifications.
- PI1.2: System Inputs – Policies and procedures over system inputs, including controls over completeness and accuracy.
- PI1.3: System Processing – Policies and procedures over system processing so that products, services, and reporting meet the entity’s objectives.
- PI1.4: System Outputs – Policies and procedures to make output available or deliver it completely, accurately, and timely in accordance with specifications.
- PI1.5: Storage – Policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications.
All five sit under the single criterion PI1.
Legal Considerations:
Compliance with financial regulations, such as those enforced by the Securities and Exchange Commission (SEC), necessitates accurate and authorized data processing to ensure reliable financial statements.
4. Confidentiality
Confidentiality addresses how sensitive information is stored, accessed, and shared within the organization.
This includes implementing policies for data classification, restricting access to authorized personnel, and encrypting confidential records. Examples of protected information include contracts, financial statements, business strategies, and proprietary designs.
Consider including Confidentiality if:
- Your business handles sensitive material such as intellectual property, trade secrets, or client-specific plans.
Additional Criteria (C-series):
- C1.1: Identification and Maintenance of Confidential Information – The entity identifies confidential information and maintains it to meet its confidentiality objectives; in practice this is where data classification, access restriction, and encryption of confidential records at rest and in transit are evaluated.
- C1.2: Disposal of Confidential Information – The entity disposes of confidential information once it is no longer needed, in a way that meets its confidentiality objectives.
Confidentiality agreements, access controls, and encryption are controls used to meet these two criteria rather than separately numbered criteria.
Legal Considerations:
Trade-secret law (in the U.S., for example, the Defend Trade Secrets Act) protects information only if its owner takes reasonable measures to keep it secret, and contractual obligations such as NDAs and customer agreements add further requirements to safeguard confidential information.
5. Privacy
The Privacy criterion assesses how personal information is collected, used, retained, disclosed, and disposed of. The 2017 criteria were derived from the AICPA’s Generally Accepted Privacy Principles (GAPP) and replaced the earlier GAPP-based privacy criteria.
It applies specifically to personal information such as names, email addresses, home addresses, and Social Security numbers. For some sectors, this also extends to health data, biometric identifiers, or demographic attributes, which the criteria treat as sensitive information requiring explicit consent.
Consider including Privacy if:
- Your platform collects or processes customer PII, especially in regulated sectors like healthcare, finance, or education.
Additional Criteria (P-series):
- P1: Notice and Communication of Objectives (P1.1) – Individuals are informed about the entity’s privacy practices and objectives.
- P2: Choice and Consent (P2.1) – Individuals are given choices and their consent is obtained for the collection, use, retention, disclosure, and disposal of personal information.
- P3: Collection (P3.1–P3.2) – Personal information is collected consistent with the entity’s objectives, and explicit consent is obtained for sensitive information.
- P4: Use, Retention, and Disposal (P4.1–P4.3) – Personal information is used, retained, and securely disposed of in line with the entity’s objectives.
- P5: Access (P5.1–P5.2) – Individuals can access their personal information and have it corrected or updated.
- P6: Disclosure and Notification (P6.1–P6.7) – Personal information is disclosed to third parties only with consent or as otherwise permitted, third parties are held to the entity’s objectives, and individuals and other affected parties are notified of breaches and incidents.
- P7: Quality (P7.1) – Personal information is accurate, complete, and up to date.
- P8: Monitoring and Enforcement (P8.1) – Privacy complaints and disputes are handled, and compliance with privacy objectives is monitored.
These eight categories contain 18 criteria in total. The older GAPP list included a separate “Security for Privacy” principle; in the 2017 TSC, security of personal information is covered by the Common Criteria rather than by a separate P-series criterion.
Legal Considerations:
Regulations such as GDPR and the California Consumer Privacy Act (CCPA) impose strict requirements on how personal information is handled, granting individuals rights over their data and mandating organizations to implement robust privacy controls.
Which Criteria Do You Include in Your SOC 2?
Choosing which Trust Services Criteria to include in your SOC 2 audit is a critical part of the planning phase. A service organization should take time to understand the criteria and assess how each one relates to their systems and services. Security is always required, but the other four—Availability, Processing Integrity, Confidentiality, and Privacy—should only be included if they apply to the organization’s offerings and data practices.
Consulting with an experienced CPA firm is highly recommended. Their expertise can help clarify the relevance of each criterion and prevent unnecessary complexity or gaps in the audit scope.
What if a Client Is Asking for All Criteria to Be Included?
Some clients or prospects request that all five criteria be included in a SOC 2 report—even when not all of them apply. This usually stems from a lack of clarity on what each criterion represents. Rather than defaulting to a full-scope audit, it’s best to have a direct conversation with the client.
Service providers often find that bringing the auditor into the conversation helps resolve confusion. This discussion helps explain each criterion’s intent and allows both parties to agree on a relevant and efficient scope for the audit.
Can Testing Occur in a SOC 2 Outside of the SOC 2 Criteria?
Yes, SOC 2 audits allow flexibility through a structure known as SOC 2+. This format permits organizations to map their controls against other frameworks, certifications, or regulatory standards.
Common examples include:
- HITRUST CSF
- NIST Cybersecurity Framework (CSF)
- HIPAA Security Rule
SOC 2+ helps organizations meet multiple assurance requirements within a single examination. This is especially useful for service providers who need to demonstrate compliance across several regulatory domains without running redundant audits.
Points of Focus in a SOC 2
The concept of “points of focus” became part of SOC 2 reporting with the release of the 2017 Trust Services Criteria. While new to SOC 2 at the time, points of focus had already been part of the COSO internal control framework. Each Trust Services Criterion includes an associated set of points of focus. These are not mandatory requirements but serve as guidance that helps shape the design, implementation, and ongoing operation of the controls tied to each criterion.
The 2017 Trust Services Criteria include over 200 points of focus just under the Security (or Common Criteria) category. When expanded to cover all five criteria—Security, Availability, Processing Integrity, Confidentiality, and Privacy—the list grows to 61 criteria with nearly 300 points of focus in total.
These numbers can seem overwhelming, but they largely reflect best practices that SOC 2 auditors already expect. The 2017 update simply documented them more explicitly. According to AICPA guidance (TSP 100.07), a service organization is not required to meet every point of focus. Instead, they serve as examples or suggestions of how organizations might meet the criteria.
Frequently Asked Questions
1. What is the purpose of the Trust Services Criteria in SOC 2?
The Trust Services Criteria serve as the framework against which an auditor evaluates an organization’s controls related to security, availability, processing integrity, confidentiality, and privacy. They support system reliability and protect against unauthorized disclosure or misuse of sensitive information, and they provide the benchmark for assessing the design and operating effectiveness of internal controls.
2. Are all five Trust Services Criteria required for a SOC 2 report?
No. Only the Security criterion is mandatory. The other four—Availability, Processing Integrity, Confidentiality, and Privacy—are optional and selected based on the organization seeking the report and its service commitments. A company may include certain trust services criteria that are most relevant to its services and client requirements.
3. How do organizations decide which additional criteria to include in their SOC 2 report?
They review the services offered, client expectations, regulatory compliance, and contractual obligations. If, for example, a company handles personal or consumer data, it may include the privacy category. If real-time uptime is critical, then the availability criteria become relevant. This process helps focus the report on controls relevant to the risks associated with the services provided.
4. How do SOC 2 Type 1 and Type 2 reports differ?
A SOC 2 Type 1 report addresses whether controls are suitably designed and implemented at a specific point in time. A SOC 2 Type 2 report evaluates how well those controls performed over a period—typically three to twelve months—giving insight into their operating effectiveness, including whether the controls in scope met the organization’s objectives for each criterion throughout the review period.
5. Can SOC 2 reports be customized to include other compliance frameworks?
Yes. A service organization can request a SOC 2+ report, which maps its security controls to standards such as HIPAA, ISO 27001, or NIST. This allows for multiple associated criteria to be examined in one engagement, which can support a unified compliance program across requirements.
6. How often should an organization undergo a SOC 2 audit?
Most undergo the audit annually, with consecutive Type 2 review periods, so that customers always hold a current report. Regular reviews help surface new risks and validate that general and operational controls are functioning properly. If the report scope or the system changes significantly, more frequent evaluations may be warranted.
7. Who can perform a SOC 2 audit?
A SOC 2 examination must be performed by an independent, licensed CPA firm under the AICPA’s attestation standards (SSAE No. 18, AT-C section 205). The auditor evaluates the service organization’s controls against the Trust Services Criteria in scope and reports on their design (Type 1) and, for a Type 2, on their operating effectiveness over the review period.
8. What industries commonly require SOC 2 compliance?
SOC 2 is common among technology, SaaS, finance, and healthcare companies—especially those that process consumer data or host applications in the cloud. These industries often require strong risk management practices and independent verification of business continuity planning, backup processes, and other security practices.
9. How does SOC 2 compliance benefit an organization?
SOC 2 compliance demonstrates that the organization has implemented controls relevant to data protection and service reliability and that an independent auditor has tested them. It also shows readiness for threats involving unauthorized disclosure, downtime, and processing errors. Clients gain confidence that the company maintains proper safeguards and takes its compliance obligations seriously.
10. What is the role of the AICPA in SOC 2?
The AICPA created and maintains the SOC reporting framework, including the Trust Services Criteria. It defines the specific criteria and supporting materials auditors use to evaluate whether systems meet defined trust services criteria.
11. Can a SOC 2 report be shared publicly?
SOC 2 reports are restricted-use documents and are typically shared under NDA. Public distribution is discouraged because the report describes the system, the controls in place, and any exceptions the auditor found, which is useful information for an attacker. A SOC 3 report, a general-use summary without the control-level detail, may be published instead.
12. How does SOC 2 differ from SOC 1 and SOC 3?
SOC 1 addresses controls relevant to a customer’s financial reporting (internal control over financial reporting). SOC 2 evaluates controls against the Trust Services Criteria (Security plus whichever of Availability, Processing Integrity, Confidentiality, and Privacy are in scope) and is a restricted-use report. SOC 3 is a general-use summary of a SOC 2 examination without the detailed description of controls and test results, intended for a broader audience.
13. What are the “points of focus” in the Trust Services Criteria?
These are suggestions that help auditors and organizations interpret each criterion. They are not mandatory; they guide decisions about which controls are relevant to areas such as data center management, system inputs, and user authentication, and they help an organization show how its controls meet its objectives for secure service delivery.
14. How many Trust Services Criteria are defined in SOC 2?
SOC 2 defines five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Each category has its own numbered criteria (the CC, A, PI, C, and P series); Security is always in scope, and the others are included where they apply to the system or services being reported on.
15. What is the total number of criteria and points of focus in the 2017 Trust Services Criteria?
The 2017 version includes 61 specific criteria and roughly 300 points of focus. These elements cover areas like incident response, network performance monitoring, and disaster recovery procedures, helping auditors assess both the control environment and risk handling.
16. How many common criteria (CC) are there in the Security category?
There are 9 series, labeled CC1 through CC9, containing 33 individual criteria (for example, CC6.1 through CC6.8 cover logical and physical access). These address the entity’s objectives for policies, procedures, access control, and monitoring, and they are foundational even when none of the other four categories is included.
17. What percentage of organizations include the Security criterion in their SOC 2 reports?
All of them. Security is the required category, so it is always in scope regardless of whether the organization seeking the report selects any of the other four categories.
18. How many additional criteria are there across the other four Trust Services Criteria?
Beyond the 33 common criteria in Security, there are 28 additional criteria: 3 for Availability, 5 for Processing Integrity, 2 for Confidentiality, and 18 for Privacy. These support the inclusion of relevant protections for different kinds of services and data.
19. What is the typical duration of a SOC 2 Type 2 audit?
It usually spans 3 to 12 months. This gives auditors time to observe whether system processing is consistent and that operating effectiveness has been maintained over time. They also assess responses to identified risks and test how well policies are followed during day-to-day operations.
20. How many points of focus are associated with the Privacy criterion?
The Privacy category contains 18 criteria (P1.1 through P8.1), the largest of the four additional categories, and each criterion carries its own points of focus. Together they cover notice, choice and consent, collection, use, retention and disposal, access, disclosure and notification, quality, and monitoring and enforcement of personal information handling.
