Trust Services Criteria Overview
The Trust Services Criteria (TSC) are the evaluation standards used in SOC 2 audits. Developed by the AICPA, they define what a service organization's controls should accomplish across five categories.
- Security - Protection against unauthorized access (REQUIRED)
- Availability - System is available for operation as committed
- Processing Integrity - Processing is complete, valid, accurate, timely
- Confidentiality - Confidential information is protected
- Privacy - Personal information is collected, used, retained properly
Security is required for every SOC 2 report. The other four are optional - you choose which ones are relevant to your service and customer commitments.
How TSC Are Structured
Each criterion follows a consistent structure:
- Criteria: The objective your controls should achieve
- Points of Focus: Specific considerations to help design and evaluate controls
Your auditor will test your controls against each applicable criterion to determine whether they are suitably designed (Type I) and, over the review period, operating effectively (Type II).
Security (Common Criteria)
The Security criterion, also called Common Criteria (CC), forms the foundation of every SOC 2 report. It contains nine control categories (CC1-CC9) with detailed criteria for each.
CC1: Control Environment
Focus: Organizational structure, integrity, and accountability
| Criterion | What It Requires |
|---|---|
| CC1.1 | Demonstrate commitment to integrity and ethical values |
| CC1.2 | Board of directors exercises oversight responsibility |
| CC1.3 | Management establishes structures, reporting lines, and authorities |
| CC1.4 | Demonstrate commitment to attract, develop, and retain competent individuals |
| CC1.5 | Hold individuals accountable for internal control responsibilities |
CC2: Communication and Information
Focus: How information flows internally and externally
| Criterion | What It Requires |
|---|---|
| CC2.1 | Obtain and generate relevant, quality information to support internal control |
| CC2.2 | Communicate internal control information internally |
| CC2.3 | Communicate with external parties about internal control |
CC3: Risk Assessment
Focus: Identifying and analyzing risks to objectives
| Criterion | What It Requires |
|---|---|
| CC3.1 | Specify objectives clearly to enable risk identification |
| CC3.2 | Identify risks to achieving objectives and analyze as basis for risk management |
| CC3.3 | Consider potential for fraud in assessing risks |
| CC3.4 | Identify and assess changes that could significantly impact internal control |
CC4: Monitoring Activities
Focus: Ongoing evaluation and remediation of control deficiencies
| Criterion | What It Requires |
|---|---|
| CC4.1 | Select, develop, and perform ongoing and/or separate evaluations |
| CC4.2 | Evaluate and communicate internal control deficiencies timely |
CC5: Control Activities
Focus: Selection and development of control activities
| Criterion | What It Requires |
|---|---|
| CC5.1 | Select and develop control activities that mitigate risks |
| CC5.2 | Select and develop general controls over technology |
| CC5.3 | Deploy control activities through policies and procedures |
CC6: Logical and Physical Access Controls
Focus: Restricting access to authorized users
| Criterion | What It Requires |
|---|---|
| CC6.1 | Implement logical access security software, infrastructure, and architectures |
| CC6.2 | Register and authorize users before granting system access |
| CC6.3 | Remove access when no longer required |
| CC6.4 | Restrict physical access to facilities and assets |
| CC6.5 | Protect and control physical access devices |
| CC6.6 | Implement controls against threats from outside system boundaries |
| CC6.7 | Restrict transmission, movement, and removal of information |
| CC6.8 | Prevent or detect unauthorized software |
CC7: System Operations
Focus: Detecting and responding to deviations and incidents
| Criterion | What It Requires |
|---|---|
| CC7.1 | Detect configuration changes that could introduce vulnerabilities |
| CC7.2 | Monitor system components for anomalies and security events |
| CC7.3 | Evaluate security events to determine if they're incidents |
| CC7.4 | Respond to identified security incidents |
| CC7.5 | Recover from identified security incidents |
CC8: Change Management
Focus: Controlling changes to systems
| Criterion | What It Requires |
|---|---|
| CC8.1 | Authorize, design, develop, configure, document, test, approve, and implement changes |
CC9: Risk Mitigation
Focus: Mitigating risks through business processes
| Criterion | What It Requires |
|---|---|
| CC9.1 | Identify, select, and develop risk mitigation activities |
| CC9.2 | Assess and manage risks from vendors and business partners |
Availability (A Series)
When to include: You make availability commitments (SLAs) to customers
The Availability criterion ensures systems are available for operation and use as committed in contracts or SLAs.
A1.1: Capacity Management
Maintain, monitor, and evaluate capacity to meet demands. This includes:
- Capacity planning and forecasting
- Performance monitoring and thresholds
- Scaling capabilities (manual or automatic)
A1.2: Environmental Protections
Protect systems from environmental threats:
- Power protection (UPS, generators)
- Climate control (HVAC, temperature monitoring)
- Fire detection and suppression
- Flood and water damage prevention
A1.3: Recovery Operations
Enable recovery from system failures:
- Backup procedures and testing
- Business continuity planning
- Disaster recovery capabilities
- Recovery testing and validation
Processing Integrity (PI Series)
When to include: Processing accuracy is critical to your service
Processing Integrity ensures system processing is complete, valid, accurate, timely, and authorized.
PI1.1: Processing Objectives
Define clear processing objectives and specifications.
PI1.2: Input Controls
Ensure data input is complete, accurate, and valid:
- Input validation rules
- Completeness checks
- Authorization of inputs
PI1.3: Processing Controls
Ensure processing meets specifications:
- Processing accuracy verification
- Exception handling
- Processing completeness checks
PI1.4: Output Controls
Ensure outputs meet specifications:
- Output accuracy verification
- Output completeness checks
- Distribution controls
PI1.5: Storage Controls
Maintain data integrity during storage:
- Data integrity verification
- Protection from unauthorized modification
Confidentiality (C Series)
When to include: You handle confidential business information
Confidentiality protects information designated as confidential - typically business information (not personal data, which falls under Privacy).
C1.1: Identification
Identify and classify confidential information:
- Classification schemes
- Labeling requirements
- Confidentiality agreements (NDAs)
C1.2: Protection
Protect confidential information:
- Encryption at rest and in transit
- Access controls specific to confidential data
- Secure storage
- Secure disposal when no longer needed
Privacy (P Series)
When to include: You collect and control personal information
Privacy criteria align with generally accepted privacy principles and apply when you're a data controller (not just a processor) for personal information.
Privacy Categories
| Category | Focus Area |
|---|---|
| P1: Notice | Provide privacy notice to data subjects about collection, use, retention, and disclosure |
| P2: Choice & Consent | Obtain consent for collection, use, and disclosure; provide opt-out mechanisms |
| P3: Collection | Collect personal information only for stated purposes; use fair means |
| P4: Use, Retention & Disposal | Limit use to disclosed purposes; retain only as needed; dispose securely |
| P5: Access | Provide data subjects access to their data; allow correction requests |
| P6: Disclosure | Disclose to third parties only as described in notice and with consent |
| P7: Quality | Maintain accurate, complete, and relevant personal information |
| P8: Monitoring | Address privacy complaints and inquiries |
Choosing Your Trust Services Criteria
Not every organization needs all five criteria. Choose based on your services and customer expectations.
Decision Framework
| Criterion | Include If... | Skip If... |
|---|---|---|
| Security | Always required | Cannot skip |
| Availability | You have SLAs, uptime guarantees | No availability commitments |
| Processing Integrity | You do calculations, transactions, transformations | Pure storage or passthrough |
| Confidentiality | You handle trade secrets, business confidential data | All data is non-sensitive |
| Privacy | You're a data controller for personal data | You're only a data processor |
- Security only: Minimum viable SOC 2
- Security + Availability: Most common for SaaS companies
- Security + Availability + Confidentiality: B2B with sensitive business data
- All five: B2C services handling personal data with uptime commitments
Points of Focus: The Detail Behind Criteria
Each criterion includes "points of focus" - specific considerations that help you understand what the criterion means in practice. Points of focus are not additional requirements; they're guidance.
Example: CC6.1 Points of Focus
For the criterion "implements logical access security software, infrastructure, and architectures":
- Identifies and manages network boundaries
- Restricts access through entry points
- Uses encryption technologies for data in transit
- Protects identification and authentication credentials
- Manages credentials for infrastructure and software
These points help you design controls that fully address the criterion's intent.
Understanding Trust Services Criteria at this level helps you prepare better controls and anticipate auditor questions. It's not about memorizing criteria - it's about understanding what security, availability, integrity, confidentiality, and privacy mean for your specific service.