SOC 2 Trust Services Criteria

What the five categories are, which ones are required, and how to choose the right scope for your audit.

Overview

A SOC 2 audit is not a single checklist. It is an evaluation of your controls against a set of criteria established by the AICPA called the Trust Services Criteria (TSC). There are five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is required for every SOC 2 engagement. The other four are optional and included only when relevant to what your organization actually does and commits to.

Choosing the right scope matters. Too narrow and your report does not address what customers actually care about. Too broad and you are maintaining controls and collecting evidence for criteria that add no real signal to the report.

I've seen organizations add Availability or Privacy to their scope because they assumed more categories would make the report look stronger. That is not how auditors or customers read it. Each category you include is a category that gets tested, sampled, and documented. The right scope is the one you can actually execute against, not the most impressive-sounding one on paper.

The Five Trust Services Criteria Categories

Security (Required)

The Security category is the foundation of every SOC 2 report. It is governed by the Common Criteria (CC1 through CC9) and covers the full control environment your auditor will evaluate: governance, risk assessment, access controls, change management, system operations, and monitoring. There is no SOC 2 report without Security in scope.

Relevant to: every organization seeking a SOC 2 report.

Availability (Optional)

Availability criteria address whether the system is available for operation and use as committed in your service agreements. If your customers depend on your system being up and you have made uptime commitments in your contracts or SLAs, Availability criteria demonstrate that you have the controls to back those commitments up.

Relevant to: SaaS platforms, hosted services, and any organization with contractual uptime obligations or business continuity requirements embedded in customer agreements.

Processing Integrity (Optional)

Processing Integrity criteria address whether system processing is complete, valid, accurate, timely, and authorized. This category is not about the security of the data itself. It is about whether the system does what it is supposed to do correctly, particularly in environments where errors or delays in processing have direct consequences for customers.

Relevant to: payment processors, financial platforms, order management systems, healthcare billing, and any service where the accuracy or timeliness of transactions is a customer commitment.

Confidentiality (Optional)

Confidentiality criteria address how information designated as confidential is collected, used, retained, disclosed, and disposed of. This is distinct from Privacy: Confidentiality covers sensitive business information (trade secrets, proprietary data, business plans) rather than personal information about individuals.

Relevant to: organizations that handle confidential client data, intellectual property, or sensitive business information under NDA or contractual confidentiality obligations.

Privacy (Optional)

Privacy criteria (P1 through P8) address the collection, use, retention, disclosure, and disposal of personal information in conformity with your privacy notice and applicable privacy frameworks. This is the most operationally demanding optional category: it requires a documented privacy notice, defined retention schedules, individual rights procedures, and controls across the full personal data lifecycle.

Relevant to: organizations collecting or processing personal information, companies subject to GDPR, CCPA, or other privacy regulations, and any service provider whose customers require formal privacy commitments from vendors.

Security (CC1-CC9) is the only required category. Every other category is a business decision based on what you are committing to and what your customers need to see.

What the Common Criteria (CC1-CC9) Actually Cover

The Common Criteria are the nine control groups that make up the Security category. Every SOC 2 auditor will test controls against all nine. Here is what each one addresses:

Criteria, area, and what auditors are evaluating:

  • CC1 (Control Environment): Whether leadership sets the right tone on security: organizational structure, accountability, competence of personnel, and commitment to integrity and ethics at the entity level.
  • CC2 (Communication and Information): How security-relevant information flows internally and externally: whether employees understand their responsibilities, whether customers and partners receive relevant security disclosures, and whether information needed to operate controls is available to the right people.
  • CC3 (Risk Assessment): Whether the organization has a defined process for identifying, analyzing, and responding to risks that could affect the security of the system. This includes how changes in the environment (new threats, new technologies, new business lines) are factored into the risk picture.
  • CC4 (Monitoring Activities): Whether controls are being evaluated on an ongoing basis to confirm they are working. This includes internal reviews, management monitoring, and how deficiencies are identified and escalated when controls underperform or fail.
  • CC5 (Control Activities): The specific policies and procedures that address identified risks: whether controls are documented, assigned to owners, and designed to achieve their stated objectives. This is where the "paper" meets execution.
  • CC6 (Logical and Physical Access Controls): Who can access what, how access is granted and revoked, and whether physical access to systems and data is appropriately restricted. This is typically one of the most evidence-intensive categories: auditors will sample access provisioning, MFA enforcement, access reviews, and termination procedures.
  • CC7 (System Operations): Whether the system is monitored for security events and anomalies in real time, how alerts are triaged, and how incidents are detected and responded to. Logging, monitoring, and documented incident response procedures are all tested here.
  • CC8 (Change Management): How changes to the system (code deployments, infrastructure modifications, configuration changes) are authorized, tested, and approved before they reach production. Auditors want to see that changes follow a documented process and that unauthorized changes cannot reach production undetected.
  • CC9 (Risk Mitigation): How the organization manages risks that arise from business disruption and from its relationships with third-party vendors. Business continuity planning and vendor risk management both live here.

How to Choose Your Scope

Selecting additional criteria beyond Security is a business decision, not a technical one. A few practical questions to work through:

  • What are you committing to customers? Your contracts, SLAs, and privacy notices signal which criteria belong in scope. If you have made uptime commitments, consider Availability. If you have privacy obligations, consider Privacy.
  • What are customers asking about in security questionnaires? If enterprise buyers are repeatedly asking about specific areas, those areas likely belong in your report scope.
  • Can you actually support the evidence requirements? Each additional category adds controls to maintain and evidence populations to collect throughout the year. Adding criteria without the operational discipline to back them up creates audit risk, not audit credibility.
  • Are you starting from scratch? Most early-stage organizations start with Security only. Adding optional criteria is a natural expansion as the business matures and customer requirements become more specific.

Scope decisions made at the start of an engagement are difficult to change mid-audit. Getting the criteria selection right before the audit period begins is one of the most important things a readiness engagement does.

SOC 2 Engagements

Nearest Solutions supports organizations through every stage of the SOC 2 process, from initial readiness through annual renewal.