SOC 2 Trust Service Criteria
SOC 2 is built around five Trust Service Criteria (TSC). Security is mandatory — every SOC 2 report includes it. The other four — availability, processing integrity, confidentiality, and privacy — are optional and selected based on your service and customer expectations.
Security (Common Criteria)
Security is the foundation of every SOC 2 report. It covers protection of information and systems against unauthorized access, both physical and logical. The security criteria comprise nine common criteria categories (CC1 through CC9), covering areas such as the control environment, communication, risk assessment, monitoring, logical access, system operations, and change management.
Availability
Availability addresses whether your system is operational and usable as committed. Include this criterion if you have SLAs or if system uptime is critical to your customers. Controls cover monitoring, capacity planning, disaster recovery, incident response, and backup procedures.
Processing Integrity
Processing integrity ensures that system processing is complete, valid, accurate, timely, and authorized. Include this if your system performs transactions, calculations, or data transformations where accuracy matters. This is common for financial platforms, payment processors, and data analytics services.
Confidentiality
Confidentiality protects information designated as confidential — trade secrets, business plans, intellectual property, and other sensitive business information. Include this if you handle confidential data other than personal information. Controls cover encryption, access restrictions, and secure disposal.
Privacy
Privacy addresses the collection, use, retention, disclosure, and disposal of personal information. Include this if you handle significant amounts of personal data and your customers care specifically about privacy practices. Note that privacy under SOC 2 is distinct from GDPR or CCPA compliance.
Scoping Recommendations
Most first-time SOC 2 reports include Security only or Security plus Availability. Adding criteria increases audit scope, cost, and complexity. Start focused and expand in subsequent years based on customer demand. Consult with your auditor before finalizing scope.
In the next lesson, we will compare Type 1 and Type 2 reports.