SOC 2 Trust Services Criteria Explained
SOC 2 is built around five Trust Services Criteria (TSC). Security is mandatory. The other four are optional and are selected based on your business model and customer requirements. Adding more criteria increases audit scope, preparation time, and cost.
Security
The mandatory criterion covering protection against unauthorised access.
The Security criterion (also called the Common Criteria) is mandatory for every SOC 2 report. It covers controls across nine categories: control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access, system operations, change management, and risk mitigation.
Key controls
- Multi-factor authentication for all critical systems
- Logical access controls and least-privilege provisioning
- Vulnerability management and patch processes
- Change management controls and approval workflows
- Incident response plan and testing
- Employee background checks and security training
- Encryption of data at rest and in transit
- Vendor risk management programme
Who needs this criterion
Every SOC 2 report. Non-negotiable regardless of business type or customer base.
Availability
Controls ensuring the system is available for operation and use as committed.
The Availability criterion covers the system's ability to meet its availability commitments to customers. This includes uptime SLAs, capacity planning, infrastructure redundancy, backup and recovery procedures, and disaster recovery capabilities.
Key controls
- Documented SLAs with measurement and reporting
- Infrastructure redundancy and failover testing
- Backup procedures with restoration testing
- Disaster recovery plan with documented RTO and RPO
- Capacity monitoring and forecasting
- Incident management with escalation procedures
Who needs this criterion
SaaS platforms, infrastructure providers, and any company with uptime commitments in customer contracts.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorised.
Processing Integrity covers the completeness and accuracy of data processing. It is most relevant for systems where processing errors would have significant financial or operational consequences, such as payment processors, billing systems, and healthcare data workflows.
Key controls
- Input validation and output verification controls
- Error detection and correction procedures
- Processing monitoring and exception reporting
- Reconciliation procedures for data processing
- Quality assurance controls for critical processes
- Documentation of processing procedures and responsibilities
Who needs this criterion
Payment processors, billing platforms, healthcare data systems, financial data services, and any system where processing accuracy is mission-critical.
Confidentiality
Information designated as confidential is protected as committed.
The Confidentiality criterion covers the protection of information that is designated as confidential throughout its lifecycle. This includes identifying, handling, protecting, and disposing of confidential information such as trade secrets, business plans, financial data, and sensitive customer information.
Key controls
- Data classification policy with confidentiality tiers
- Encryption of confidential data in storage and transit
- Access controls limiting confidential data to authorised users
- Non-disclosure agreement processes with employees and vendors
- Secure deletion and destruction procedures
- Monitoring for unauthorised confidential data access or transfer
Who needs this criterion
Companies handling trade secrets, business plans, M&A information, competitive intelligence, or any data subject to confidentiality agreements with clients.
Privacy
Personal information is collected, used, retained, and disclosed in conformity with commitments.
The Privacy criterion is the most extensive optional criterion. It covers the full lifecycle of personal information aligned to the AICPA Privacy Management Framework and overlaps significantly with GDPR and CCPA obligations. It addresses notice, choice, collection, use, retention, access, and disclosure of personal information.
Key controls
- Privacy notice and consent management
- Data minimisation and purpose limitation controls
- Documented data retention and deletion schedules
- Data subject rights fulfilment procedures (access, deletion, portability)
- Privacy impact assessments for new data processing activities
- Cross-border data transfer controls and mechanisms
- Third-party data processing agreements and oversight
Who needs this criterion
Companies processing significant volumes of consumer personal data, companies subject to GDPR or CCPA, healthcare organisations, and companies marketing to consumers.