Trust Service Criteria (TSC): Definition and SOC 2 Guide
Trust Service Criteria
The Trust Service Criteria (TSC), defined by the AICPA, are the framework of principles and requirements that underpin SOC 2 audits. They are organized into five categories, with Security (also called the Common Criteria) required for every SOC 2 engagement and the remaining four selected based on the organization's services and customer expectations.
The Five Categories
- Security (Common Criteria) — Required for every SOC 2 report. Addresses protection of information and systems against unauthorized access, unauthorized disclosure, and damage, both logical and physical. The nine Common Criteria series (CC1 through CC9) cover the control environment, communication and information, risk assessment, monitoring, control activities, logical and physical access controls, system operations (including incident detection and response), change management, and risk mitigation.
- Availability — Evaluates whether the system is available for operation and use as committed or agreed. Relevant for SaaS companies with uptime commitments and service level agreements.
- Processing Integrity — Assesses whether system processing is complete, valid, accurate, timely, and authorized. Important for organizations that process transactions, calculations, or data transformations on behalf of customers.
- Confidentiality — Addresses protection of information designated as confidential, typically by contract or agreement, from the point it is received until it is disposed of. Applies to organizations that handle sensitive business information (customer records, contracts, intellectual property) that is not personal information; personal information falls under Privacy.
- Privacy — Covers the collection, use, retention, disclosure, and disposal of personal information in line with the organization's privacy notice and commitments. Relevant when the organization collects personal data directly from consumers or users.
Choosing Your Criteria
Most first-time SOC 2 organizations include Security only, or Security plus Availability. Each additional category increases audit scope, cost, and complexity, and should only be included when the controls behind it are actually operating and can be evidenced; a category that is in scope but poorly supported shows up as exceptions in the report rather than as a stronger attestation. The right selection depends on customer requirements and the nature of your services:
- SaaS companies typically include Security and Availability
- Data analytics companies often add Processing Integrity
- Companies handling sensitive client data may add Confidentiality
- Consumer-facing companies collecting personal data may add Privacy
How TSC Relates to Other Frameworks
The Trust Service Criteria map closely to other frameworks. The TSC is built on the COSO 2013 Internal Control framework: the first five Common Criteria series restate COSO's 17 principles, and CC6 through CC9 add the security-specific supplemental criteria. The Common Criteria also overlap substantially with ISO/IEC 27001 Annex A controls, and the AICPA publishes mapping documents showing how TSC requirements correspond to NIST CSF, ISO/IEC 27001, and other frameworks. These mappings let an organization pursuing several frameworks reuse a single control and its evidence across all of them. A mapped control is not an automatic pass, though: the auditor still evaluates it against the TSC points of focus, and for a Type 2 report against evidence that it operated throughout the review period.
Working with Your Auditor
Discuss criteria selection with your auditor early in the engagement. They can advise which criteria your customers typically expect and help you understand the incremental effort of each additional category.