Chapter 2 of 8
Trust Services Criteria: The Backbone of SOC 2
Covers the AICPA Trust Services Criteria (TSC) that underpin SOC 2 examinations and how they relate to security, availability, processing integrity, confidentiality, and privacy.
1. From SOC 2 to Trust Services Criteria (TSC)
You already know from the previous module that SOC 2 is an attestation report used by service organizations to show how they protect customer data.
Now we zoom in on the Trust Services Criteria (TSC)—the detailed requirements that SOC 2 audits are based on.
What are the Trust Services Criteria?
- Published and maintained by the AICPA (American Institute of Certified Public Accountants)
- Last major structural update: 2017 TSC, aligned with the COSO 2013 internal control framework (still current as of late 2025)
- Organized into five Trust Services Categories (TSCat):
  - Security (also called "Common Criteria")
  - Availability
  - Processing Integrity
  - Confidentiality
  - Privacy
For each category, the AICPA defines criteria (high-level requirements). Your organization then designs controls (specific policies, processes, and technologies) to meet those criteria.
You can think of it like this:
- TSC = the checklist of expectations
- Controls = what the company actually does to meet those expectations
In this module, you’ll learn:
- What each of the five categories means
- How the criteria drive control requirements in SOC 2
- Why Security (Common Criteria) is almost always in scope
- How TSC maps to other frameworks like ISO 27001 and NIST CSF
2. The Five Trust Services Categories at a Glance
Here are the five Trust Services Categories and what they focus on:
- Security (Common Criteria – CC)
  - Focus: Protecting systems and data against unauthorized access, disclosure, or damage.
  - Includes: Access controls, authentication, logging, change management, risk assessment, vendor management, etc.
- Availability (A criteria)
  - Focus: Systems are available for operation and use as committed or agreed.
  - Includes: Uptime commitments, capacity planning, backups, disaster recovery, incident response.
- Processing Integrity (PI criteria)
  - Focus: System processing is complete, valid, accurate, timely, and authorized.
  - Includes: Data validation, error handling, reconciliation, quality checks.
- Confidentiality (C criteria)
  - Focus: Protecting confidential information (e.g., trade secrets, internal documents, non-public financial data) from unauthorized access and disclosure.
  - Includes: Data classification, encryption, access restrictions, secure disposal.
- Privacy (P criteria)
  - Focus: How the organization collects, uses, retains, discloses, and disposes of personal information in line with its privacy notice and laws (e.g., GDPR, CCPA/CPRA).
  - Includes: Consent, purpose limitation, data subject rights, notice, choice, breach response.
Key point:
- A SOC 2 report can cover Security only, or Security + some combination of Availability, Processing Integrity, Confidentiality, and Privacy.
- But Security (Common Criteria) is the foundation and is almost always included.
3. Quick Matching Exercise: Which Category Fits?
Match each scenario to the most relevant Trust Services Category. Think first, then check the suggested answers below.
Scenarios:
1. A cloud provider promises 99.9% uptime and has data centers in multiple regions with automatic failover.
2. A payroll system must ensure that employee salaries are calculated correctly and paid to the right people on the right date.
3. A startup encrypts source code and financial projections stored in its document system and limits access to executives only.
4. A web app uses MFA, role-based access control, and logs all admin actions.
5. A company provides a clear privacy notice, allows users to request deletion of their personal data, and documents how it uses cookies.
Try to map them:
- A. Security
- B. Availability
- C. Processing Integrity
- D. Confidentiality
- E. Privacy
Scroll down for suggested answers (no peeking first!).
Suggested answers:
1 → B. Availability
2 → C. Processing Integrity
3 → D. Confidentiality
4 → A. Security
5 → E. Privacy
Note that Security supports all of the others, but here we’re choosing the primary category.
4. Security as Common Criteria (CC): The Core of SOC 2
In the AICPA TSC structure, Security is implemented through the Common Criteria (CC). These are grouped into sections, such as:
- CC1: Control Environment (tone at the top, ethics, roles & responsibilities)
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring of Controls
- CC5: Control Activities (policies, procedures, approvals)
- CC6: Logical and Physical Access Controls
- CC7: System Operations (monitoring, incident response)
- CC8: Change Management
- CC9: Risk Mitigation / Vendor Management
These criteria are always relevant, because any system that processes customer data needs a basic security foundation.
Why Security is almost always in scope
- Baseline expectation from customers: If you’re handling their data, they want proof you protect it.
- Other categories depend on it: You can’t realistically have strong Availability, Confidentiality, or Privacy without good security.
- Market norm: In practice (as of 2025), most SOC 2 reports you see in the wild are:
  - Type II, covering Security, and often
  - Security + Availability or Security + Confidentiality for SaaS providers.
So when someone says, “We have a SOC 2,” they almost always mean at least Security (Common Criteria) is included.
5. From Criteria to Controls: A Simple SOC 2 Mapping
Let’s walk through how TSC criteria drive actual controls.
Imagine a small SaaS company that offers an online project management tool. They choose a SOC 2 scope of Security + Availability + Confidentiality.
Example 1: Security – CC6 (Logical Access Controls)
Criterion (simplified): Access to systems and data is restricted to authorized users.
Possible controls:
- All user accounts are unique (no shared logins).
- MFA is required for admin accounts.
- Access to production databases is limited to the SRE/DevOps team.
- Quarterly access reviews by the security team.
Example 2: Availability – A1 (Availability Commitments)
Criterion (simplified): The system is available as committed or agreed.
Possible controls:
- Published SLA of 99.9% uptime.
- Monitoring and alerting for CPU, memory, and error rates.
- Documented disaster recovery plan with tested backups.
- At least annual DR tests with documented results.
Example 3: Confidentiality – C1 (Confidential Data Protection)
Criterion (simplified): Confidential information is protected during collection, processing, and storage.
Possible controls:
- Data classified as Public, Internal, Confidential, Restricted.
- Encryption at rest for databases storing confidential customer data.
- Encryption in transit (TLS 1.2+ or modern equivalent) for all web traffic.
- Secure data disposal procedures (e.g., shredding, cryptographic erasure).
Notice the pattern:
- TSC tells you what must be true (e.g., access is restricted, data is protected).
- Your controls describe how your organization makes that true (e.g., MFA, encryption, reviews).
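The criteria-to-controls pattern above is easiest to see when the controls are written as tests that can be run against an inventory. The following is an added example, not code from the course or the AICPA: it encodes the CC6 and C1 controls from Examples 1 and 3 as small checks over a constructed account and system inventory (all logins, groups, dates and system names are hypothetical), and groups each finding under the criterion the control exists to satisfy.

```python
"""Compliance-as-code checks for the controls in Examples 1 and 3.

Each check encodes one control; its findings are tagged with the TSC
criterion that control supports ("CC6" logical access, "C1" confidentiality).
"""
from collections import Counter
from datetime import date, timedelta

# Constructed sample inventory (hypothetical; not from any real environment).
TODAY = date(2025, 11, 15)

ACCOUNTS = [
    {"login": "alice", "owner": "Alice Ng", "admin": True, "mfa": True,
     "groups": ["sre"], "prod_db": True, "last_reviewed": TODAY - timedelta(days=30)},
    {"login": "bob", "owner": "Bob Tran", "admin": True, "mfa": False,
     "groups": ["engineering"], "prod_db": False, "last_reviewed": TODAY - timedelta(days=40)},
    {"login": "ops-shared", "owner": "Ops team", "admin": False, "mfa": True,
     "groups": ["support"], "prod_db": True, "last_reviewed": TODAY - timedelta(days=200)},
    {"login": "ops-shared", "owner": "Ops team (second person)", "admin": False, "mfa": True,
     "groups": ["support"], "prod_db": False, "last_reviewed": TODAY - timedelta(days=10)},
]

SYSTEMS = [
    {"name": "customers-db", "classification": "Confidential",
     "encrypted_at_rest": True, "tls_min": (1, 2)},
    {"name": "attachments-bucket", "classification": "Confidential",
     "encrypted_at_rest": False, "tls_min": (1, 2)},
    {"name": "marketing-site", "classification": "Public",
     "encrypted_at_rest": False, "tls_min": (1, 0)},
]

MIN_TLS = (1, 2)            # "TLS 1.2+" control from Example 3
REVIEW_WINDOW_DAYS = 90     # "quarterly access reviews" control from Example 1
DB_ADMIN_GROUPS = {"sre", "devops"}


def check_unique_logins(accounts):
    """CC6: every login belongs to exactly one person (no shared accounts)."""
    counts = Counter(a["login"] for a in accounts)
    return [("CC6", "unique accounts", f"login {login!r} is shared by {n} people")
            for login, n in counts.items() if n > 1]


def check_admin_mfa(accounts):
    """CC6: admin accounts must have MFA enforced."""
    return [("CC6", "MFA for admins", f"admin {a['login']!r} has no MFA")
            for a in accounts if a["admin"] and not a["mfa"]]


def check_prod_db_access(accounts):
    """CC6: production database access is limited to the SRE/DevOps groups."""
    return [("CC6", "prod DB access",
             f"{a['login']!r} has prod DB access outside {sorted(DB_ADMIN_GROUPS)}")
            for a in accounts
            if a["prod_db"] and not (set(a["groups"]) & DB_ADMIN_GROUPS)]


def check_access_reviews(accounts, today=TODAY):
    """CC6: each account was reviewed within the quarterly window."""
    return [("CC6", "quarterly access review",
             f"{a['login']!r} last reviewed {(today - a['last_reviewed']).days} days ago")
            for a in accounts
            if (today - a["last_reviewed"]).days > REVIEW_WINDOW_DAYS]


def check_encryption(systems):
    """C1: confidential data encrypted at rest; all web traffic on TLS 1.2+."""
    findings = []
    for s in systems:
        if s["classification"] in ("Confidential", "Restricted") and not s["encrypted_at_rest"]:
            findings.append(("C1", "encryption at rest",
                             f"{s['name']} stores {s['classification']} data unencrypted"))
        if s["tls_min"] < MIN_TLS:
            findings.append(("C1", "TLS 1.2+",
                             f"{s['name']} accepts TLS {'.'.join(map(str, s['tls_min']))}"))
    return findings


def run_checks(accounts=ACCOUNTS, systems=SYSTEMS, today=TODAY):
    """Run every control test and group findings by the criterion they support."""
    findings = (check_unique_logins(accounts) + check_admin_mfa(accounts)
                + check_prod_db_access(accounts) + check_access_reviews(accounts, today)
                + check_encryption(systems))
    by_criterion = {}
    for criterion, control, detail in findings:
        by_criterion.setdefault(criterion, []).append((control, detail))
    return by_criterion


if __name__ == "__main__":
    for criterion, items in sorted(run_checks().items()):
        print(f"{criterion}: {len(items)} finding(s)")
        for control, detail in items:
            print(f"  [{control}] {detail}")
```

On the sample inventory the script reports four CC6 findings (a shared login, an admin without MFA, production database access from outside the SRE/DevOps groups, and an overdue access review) and two C1 findings (an unencrypted confidential store and a system still accepting TLS 1.0). Each check is one control; the criterion label on each finding is what an auditor would trace back to the TSC.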
6. Quick Check: Criteria vs. Controls
Test your understanding of how criteria and controls relate.
Which statement best describes the relationship between Trust Services Criteria and controls in a SOC 2 engagement?
- A. The TSC are high-level requirements, and controls are the specific processes and technologies implemented to meet those requirements.
- B. Controls are high-level requirements, and the TSC are optional examples of how to implement them.
- C. The TSC and controls are the same thing and can be used interchangeably.
- D. Controls are only needed for Security; the other categories rely only on documented policies.
Answer: A) The TSC are high-level requirements, and controls are the specific processes and technologies implemented to meet those requirements.
The TSC define what must be achieved (high-level criteria). Controls are the concrete policies, procedures, and technical measures that satisfy those criteria. The other options misunderstand or oversimplify this relationship.
7. Additional Criteria for Availability, PI, Confidentiality, Privacy
Beyond the Common Criteria (Security), each additional category has its own add-on criteria. These are labeled in the AICPA framework (e.g., A1.x, PI1.x, C1.x, P1.x–P8.x).
Availability (A criteria)
Focus: Uptime and resilience.
- Examples:
  - A1: The entity maintains commitments related to system availability.
  - Controls: SLA management, capacity planning, DR/BCP, backup testing.
Processing Integrity (PI criteria)
Focus: Correctness and completeness of processing.
- Examples:
  - PI1: Inputs, processing, and outputs are complete, valid, accurate, timely, and authorized.
  - Controls: Input validation, reconciliation, exception handling, QA checks.
Confidentiality (C criteria)
Focus: Protecting confidential information.
- Examples:
  - C1: Confidential information is identified and protected.
  - Controls: Data classification, encryption, DLP, secure data sharing.
Privacy (P criteria)
Focus: Handling of personal information, aligned with privacy principles and laws.
- Examples (aligned with the AICPA privacy principles):
  - P1: Notice and communication of objectives.
  - P2: Choice and consent.
  - P3: Collection.
  - P4: Use, retention, and disposal.
  - P5: Access.
  - P6: Disclosure to third parties.
  - P7: Security for privacy.
  - P8: Quality, monitoring, and enforcement.
In practice:
- Many SaaS companies choose Security + Availability + Confidentiality.
- Processing Integrity is common for financial, billing, or transactional systems.
- Privacy is in scope when personal data handling is a key part of the service or when customers want strong alignment with privacy laws (e.g., GDPR, CCPA/CPRA).
8. Design-Your-Scope Thought Exercise
Imagine you are helping three different companies decide which Trust Services Categories to include in their SOC 2 scope.
Company A – DevOps Tool
A CI/CD platform used by software teams. It stores code, build artifacts, and deployment configs. Uptime is critical, but it stores very little personal data.
Company B – Online Payroll Service
Handles salaries, tax calculations, and payments for thousands of employees. Stores sensitive personal and financial data.
Company C – Consumer Health App
Mobile app for tracking health metrics and sharing them with a doctor. Heavy on personal and health-related data, with strict privacy expectations.
Your task: For each company, choose a reasonable SOC 2 scope (pick from Security, Availability, Processing Integrity, Confidentiality, Privacy). Then compare with the suggested answer.
Think first, then scroll.
---
Suggested scopes (not the only possible answers, but reasonable ones):
- Company A – DevOps Tool
  - Security (must have)
  - Availability (uptime is critical)
  - Confidentiality (protecting code and configs)
- Company B – Online Payroll Service
  - Security (must have)
  - Availability (service must be up for payroll cycles)
  - Processing Integrity (accurate and timely salary/tax calculations)
  - Confidentiality (protecting salary and financial data)
  - Potentially Privacy (handling personal data at scale)
- Company C – Consumer Health App
  - Security (must have)
  - Confidentiality (sensitive health information)
  - Privacy (personal health data, user rights, consent)
Reflect: How does the business model of each company influence which categories matter most?
9. Mapping TSC to Other Frameworks (ISO 27001, NIST, etc.)
Organizations rarely use SOC 2 alone. They often align with other frameworks like ISO/IEC 27001:2022, NIST CSF 2.0 (updated 2024), and NIST SP 800-53 Rev. 5.
High-level mapping examples
- Security (Common Criteria)
  - ISO 27001: Maps broadly to Annex A controls (e.g., the A.5–A.8 themes of the 2022 edition: organizational, people, physical and technological controls; A.8 covers technological controls such as authentication and information access restriction; A.12 on operations security in the older 2013 numbering).
  - NIST CSF 2.0: Aligns with the Identify, Protect, Detect, Respond, and Recover functions.
  - NIST 800-53: Overlaps with families like AC (Access Control), AU (Audit), CM (Configuration Management), IR (Incident Response), etc.
- Availability
  - ISO 27001: A.5.29 (Information security during disruption), A.8.16 (Monitoring activities), A.8.14 (Redundancy).
  - NIST CSF: Protect (PR), Recover (RC), especially PR.PS and RC.RP.
- Processing Integrity
  - ISO 27001: A.8.32 (Change management), A.8.25 (Secure development lifecycle), A.8.31 (Test data).
  - NIST 800-53: Families like SI (System and Information Integrity), SA (System and Services Acquisition).
- Confidentiality
  - ISO 27001: A.5.12 (Classification), A.8.24 (Use of cryptography), A.8.10 (Information deletion).
  - NIST CSF: Protect (PR.DS – Data Security).
- Privacy
  - ISO/IEC 27701: Privacy extension to ISO 27001 (PIMS controls).
  - NIST Privacy Framework: Functions like Identify-P, Govern-P, Control-P, Communicate-P, Protect-P.
Why this matters:
- If your org already follows ISO 27001 or NIST CSF, you can often reuse existing controls to satisfy SOC 2 TSC.
- Many auditors and security teams use mapping tables to show how one set of controls satisfies multiple frameworks.
You don’t need to memorize exact mappings, but you should recognize that TSC is compatible with other modern security and privacy frameworks.
10. Key Term Flashcards
Flip through these flashcards (mentally) to reinforce key concepts.
- Trust Services Criteria (TSC)
- AICPA-defined criteria that form the basis for SOC 2 examinations, organized into five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- Trust Services Categories
- The five high-level areas covered by SOC 2: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- Common Criteria (CC)
- The core set of criteria that implement the Security category and apply across all SOC 2 engagements; they cover areas like control environment, risk assessment, access control, operations, and change management.
- Control
- A specific policy, process, or technical measure implemented by an organization to meet one or more Trust Services Criteria.
- Availability (TSC)
- Category focused on ensuring systems are available for operation and use as committed or agreed, including uptime, capacity, backups, and disaster recovery.
- Processing Integrity (TSC)
- Category focused on ensuring that system processing is complete, valid, accurate, timely, and authorized.
- Confidentiality (TSC)
- Category focused on protecting information designated as confidential from unauthorized access and disclosure throughout its lifecycle.
- Privacy (TSC)
- Category focused on how an organization collects, uses, retains, discloses, and disposes of personal information in accordance with its privacy notice and applicable laws.
11. Final Knowledge Check
One last question to tie everything together.
Why is the Security (Common Criteria) category usually included in all SOC 2 reports?
- A. Because the AICPA does not allow any other categories to be reported without Security.
- B. Because Security criteria form the foundational controls that support all other categories and are expected by customers in almost every service relationship.
- C. Because Security is only relevant for organizations that store payment card data.
- D. Because including Security automatically guarantees compliance with ISO 27001 and NIST standards.
Answer: B) Because Security criteria form the foundational controls that support all other categories and are expected by customers in almost every service relationship.
Security (Common Criteria) establishes the baseline controls (access control, logging, change management, etc.) that underpin Availability, Processing Integrity, Confidentiality, and Privacy. Customers expect at least this level of assurance, so it is almost always in scope, even though the AICPA technically allows other combinations.
Key Terms
- SOC 2
- A type of attestation report (per AICPA standards) that evaluates a service organization’s controls relevant to the Trust Services Criteria.
- Control
- A specific policy, procedure, or technical configuration implemented to satisfy one or more Trust Services Criteria.
- Privacy
- A TSC category focused on how an organization handles personal information throughout its lifecycle in line with its privacy notice and applicable laws.
- Availability
- A TSC category focused on ensuring that systems are available for operation and use as committed or agreed.
- NIST CSF 2.0
- The 2024 update of the NIST Cybersecurity Framework, providing a high-level structure for managing and reducing cybersecurity risk, often mapped to SOC 2 Security criteria.
- ISO/IEC 27001
- An international standard for information security management systems (ISMS), updated most recently in 2022, often mapped to SOC 2 controls.
- Confidentiality
- A TSC category focused on protecting information designated as confidential from unauthorized access and disclosure.
- Common Criteria (CC)
- The core criteria that implement the Security category and apply broadly across SOC 2 engagements, covering governance, risk management, access control, operations, and change management.
- Processing Integrity
- A TSC category focused on ensuring that system processing is complete, valid, accurate, timely, and authorized.
- Trust Services Categories
- The five areas covered by the TSC: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- Trust Services Criteria (TSC)
- A set of criteria developed by the AICPA that provides the basis for evaluating the controls of a service organization in SOC 2 and related reports.