Trust Services Criteria
The five principles defined by the AICPA that form the basis for SOC 2 audits: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Organizations select which criteria to include in their SOC 2 scope based on their services and customer requirements.
The Trust Services Criteria (TSC) are the framework against which SOC 2 audits are conducted. Developed by the American Institute of Certified Public Accountants (AICPA), they define five broad categories of controls that service organizations should consider.
Security (also called the Common Criteria) is the only mandatory criterion and covers protection of information and systems against unauthorized access. Availability addresses whether systems are operational and accessible as committed in service level agreements. Processing Integrity covers the completeness, validity, accuracy, and timeliness of system processing. Confidentiality addresses the protection of information designated as confidential. Privacy covers the collection, use, retention, disclosure, and disposal of personal information.
Most organizations start their SOC 2 journey by including Security alone, or Security plus Availability. Adding more criteria increases the scope of the audit and the number of controls that must be implemented and tested. The choice depends on customer requirements and the nature of the service — a payment processing platform might include Processing Integrity, while a healthcare SaaS product might include Privacy. Each additional criterion adds controls and evidence requirements, so organizations should be strategic about which criteria they include.
Related terms
Access Control
The set of policies, procedures, and technical mechanisms that govern who can access which information assets, systems, and resources. Access control ensures that only authorized individuals can view, modify, or interact with sensitive data and systems.
Control Objective
A statement describing what a specific security control is intended to achieve. Control objectives define the desired outcome — such as preventing unauthorized access or ensuring data integrity — while allowing organizations flexibility in how they implement the control to meet that objective.
SOC 2 Type 1
A SOC 2 audit report that evaluates whether an organization's security controls are suitably designed at a specific point in time. Type 1 provides a snapshot of control design without testing whether controls operate effectively over a period.
SOC 2 Type 2
A SOC 2 audit report that evaluates whether an organization's security controls are both suitably designed and operating effectively over a defined observation period, typically 3 to 12 months. Type 2 is the gold standard for third-party assurance in the US market.