When you’re building toward SOC 2, one question quickly comes up: what exactly gets tested in the audit? It’s not just your policies or tools. It’s whether your systems actually live up to what your customers expect: security, reliability, and responsible handling of their data.
That’s where the Trust Services Criteria come in. They’re not a checklist or a set of controls; they’re the guardrails that help define what trust looks like in practice. Instead of every company interpreting “security” or “availability” differently, the TSCs bring a shared language. Auditors use them to assess how your internal practices map to those broader expectations.
In the sections ahead, we’ll break down the five criteria, help you choose the right ones for your SOC 2 scope, and share how platforms like Scrut help you stay aligned.
What are the Trust Services Criteria (TSCs)?
The Trust Services Criteria (TSCs) are a set of criteria published by the American Institute of Certified Public Accountants (AICPA) and organized into five categories. They describe how your organization should protect customer data and keep its systems reliable, and they form the basis of a SOC 2 audit: they define what the auditor will evaluate and what your business needs to prove.
Let’s say you’re a SaaS company handling financial data. Your customers expect their information to be secure, always available, processed accurately, kept confidential, and, if it includes personal details, handled with privacy in mind. The TSCs take those expectations and turn them into clear, testable standards. That way, your team, your customers, and your auditor are all on the same page about what “trustworthy” actually means.
The five Trust Services Criteria are:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
How the Trust Services Criteria have evolved over time
The TSCs, first introduced as the Trust Services Principles, were initially used for WebTrust and SysTrust reports to evaluate controls around security, availability, integrity, confidentiality, and privacy. These early versions were loosely structured.
In 2017, the AICPA aligned the TSCs with the COSO 2013 framework, making them more risk-focused and modular. Security became the required baseline for every SOC 2 audit, expressed as nine series of common criteria (CC1 to CC9) covering the control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access, system operations, change management, and risk mitigation. Those common criteria apply to every category you include; the other four categories, Availability, Processing Integrity, Confidentiality, and Privacy, are optional and each adds its own supplemental criteria on top of them.
The 2022 update revised the points of focus rather than the criteria themselves, clarifying expectations around system monitoring, incident response, third-party risk, and change management. These refinements reflect today’s cloud-first, API-driven environments.
TSCs continue to evolve in response to new threats, emerging tech, regulatory changes like GDPR and CCPA, and the need for audit consistency.
The 5 TSCs and what each one covers

SOC 2 reports are built around one or more of the five Trust Services Criteria. Every organization getting audited must include Security, while the rest are optional, depending on your services and the promises you make to customers.
Here’s a closer look at what each criterion covers and when it becomes essential:
1. Security (mandatory)
Security is the backbone of any SOC 2 audit. It deals with protecting your systems and data from unauthorized access using controls like firewalls, role-based access, encryption, and multi-factor authentication. It also covers how you detect and respond to threats, manage system changes, and monitor day-to-day operations (in the common criteria, those are the logical and physical access, system operations, and change management series). Without this layer, even the most advanced compliance programs fall short, which is why every SOC 2 report starts here.
Choose Security because you have to. Every SOC 2 report includes Security.
2. Availability
Availability focuses on whether your systems remain accessible and operational as promised. It looks at uptime monitoring, disaster recovery, and incident handling.
Choose Availability if your business promises high uptime or system reliability, like SaaS platforms, infrastructure providers, or anything with an SLA.
3. Processing Integrity
This criterion ensures that your systems process data the way they should: completely, accurately, and in a timely manner. It’s relevant if your product deals with transactions, workflow automation, or data transformations.
Choose Processing Integrity if your customers rely on your system to deliver accurate results, such as in billing platforms, data pipelines, or order fulfillment tools.
4. Confidentiality
Confidentiality deals with how you safeguard sensitive information like contracts, internal financials, customer intellectual property, or source code. It covers access controls, encryption, and secure deletion practices.
Choose Confidentiality if your customers trust you with sensitive business information that isn’t meant to be public.
5. Privacy
Privacy covers how you collect, store, use, and delete personally identifiable information (PII). It’s deeply tied to regulatory requirements and best practices in data ethics.
Choose Privacy if your product handles user data, especially if you operate in regulated markets or deal with end-user PII under laws like GDPR, CCPA, or DPDPA.
Which criteria should you choose for your SOC 2 audit?
Choosing the right criteria isn’t about doing more; it’s about aligning your audit scope with the promises you make and the risks you manage. If you’re not sure which ones apply, start with a risk assessment or speak with your auditor. They’ll help you decide based on what your systems do, who your customers are, and what’s expected in your industry.
Over-scoping your audit by including all five criteria when only one or two are relevant can lead to unnecessary cost, complexity, and evidence collection. The goal should be clarity and relevance, not volume.
Which of the 5 Trust Services Criteria is required for every SOC 2 audit?
The Security criterion, also known as the Common Criteria, is the only one required for every SOC 2 audit. It forms the foundation of the audit and evaluates how well your systems are protected against unauthorized access, breaches, and other security threats. The other four criteria (Availability, Processing Integrity, Confidentiality, and Privacy) are optional and can be added based on your business needs and customer expectations.
Do all SOC 2 audits require the Trust Services Criteria?
Yes, every SOC 2 audit, whether Type I or Type II, is built around the TSCs. They are central to SOC 2, and your audit scope is shaped by which ones you choose to include, no matter the audit type. These criteria define the principles your systems and controls are measured against.
- For SOC 2 Type I, the TSCs are used to evaluate whether your controls are designed effectively at a specific point in time.
- For SOC 2 Type II, the TSCs go a step further. They’re used to assess whether your controls are both designed and operating effectively over a review period (typically 3 to 12 months).
Which organizational systems should follow SOC 2 Trust Services Criteria?
SOC 2 is often seen as a technical audit, but it reaches far beyond just your codebase or cloud setup. The Trust Services Criteria are designed to assess how your entire organization handles customer data, not just where it lives.
Here’s a breakdown of the areas that typically come into play during a SOC 2 audit:
1. Physical infrastructure
This includes your data centers, server rooms, or anywhere physical hardware is located. Auditors will look at things like badge access, surveillance, and even how temperature and humidity are controlled, all to make sure the physical side of your systems isn’t a weak link.
2. Digital infrastructure
Your networks, servers, databases, and applications are front and center. These are the systems that store and move data, and they need to be protected with controls like firewalls, intrusion detection, encryption, and secure configurations.
3. Third-party vendors
If you use tools or services that touch customer data, whether it’s cloud hosting, ticketing software, or analytics platforms, they’re in scope too. You’ll be expected to evaluate and manage vendor risks, even if you don’t control the tools directly.
4. Internal operations
SOC 2 isn’t just about systems; it’s also about how your team runs things. Your day-to-day processes, documentation, and workflows should reflect sound security practices, from access reviews to how changes are approved and tracked.
5. Personnel practices
This covers how you hire, train, and offboard employees and contractors. Think background checks, role-based access, security awareness training, and making sure people only have access to what they actually need.
6. Leadership and governance
Finally, SOC 2 looks at how your leadership sets the tone for security. That includes having clear policies, assigning ownership, and regularly reviewing whether controls are still effective. Without strong leadership, even good systems can fall short.
In essence, SOC 2’s Trust Services Criteria require a holistic approach, ensuring that both technical systems and organizational processes work in tandem to protect data and maintain trust with stakeholders.
Common mistakes businesses make when implementing TSCs

The Trust Services Criteria are meant to bring clarity to your SOC 2 prep, but when misunderstood, they can slow you down or steer your efforts in the wrong direction. Here are a few common pitfalls to watch out for:
1. Fitting the TSCs into a checklist
The TSCs aren’t tasks you can just tick off. They’re principles that guide how your systems should behave. If you treat them like a to-do list without thinking about how they apply to your environment, you’ll end up with surface-level controls that don’t really protect anything or satisfy your auditor.
2. Including every TSC “just in case”
It’s tempting to add all five criteria to look more comprehensive, but unless you have a clear reason to include things like Processing Integrity or Privacy, you’re just making your audit harder. More criteria means more controls, more evidence, and more questions. Stick to what’s relevant.
3. Forgetting what’s actually in scope
Many teams focus only on customer-facing products and forget about internal tools, support dashboards, or third-party systems that also handle sensitive data. If these systems aren’t covered, your audit will have blind spots, and that’s risky.
4. Thinking technical tools are enough
Buying the right software helps, but tools alone don’t meet the criteria. Auditors also look for policies, employee training, access reviews, and documented processes. Missing the human side of compliance is one of the easiest ways to fall short.
5. Using outdated assumptions
The 2022 update to the TSCs clarified how auditors look at vendor risk, system changes, and incident response. If your controls haven’t been reviewed since then, you might be missing areas your auditor now expects to see covered.
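The fourth mistake above, treating a tool as the control, is easiest to see with a concrete access review, which the Security criterion expects for logical access. The following is an added example, not code from this page or from Scrut, of how a principle like "people only have access to what they need" becomes a testable check that produces evidence an auditor can sample. It assumes a hypothetical account export built from an HR and identity-provider join (the records below are constructed for illustration), a hypothetical per-role entitlement baseline, and illustrative thresholds (30 days of dormancy, one day to deprovision after termination); your policy sets the real values.

```python
"""Access-review check in the style of a SOC 2 Security (common criteria) control.

Added example; not the page's or any vendor's code. The export format, the
role baseline and the thresholds are assumptions made for illustration.
"""
from dataclasses import dataclass, asdict
from datetime import date, timedelta

# Constructed sample export: what a hypothetical HR + IAM join might yield.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "engineer", "mfa": True, "last_login": "2024-05-30",
     "status": "active", "entitlements": ["repo:read", "repo:write"]},
    {"user": "bob", "role": "support", "mfa": False, "last_login": "2024-05-29",
     "status": "active", "entitlements": ["tickets:read", "prod-db:admin"]},
    {"user": "carol", "role": "engineer", "mfa": True, "last_login": "2024-02-01",
     "status": "active", "entitlements": ["repo:read"]},
    {"user": "dave", "role": "engineer", "mfa": True, "last_login": "2024-05-20",
     "status": "terminated", "terminated_on": "2024-05-10",
     "entitlements": ["repo:write"]},
]

# Least-privilege baseline: the entitlements each role may hold (assumption).
ROLE_BASELINE = {
    "engineer": {"repo:read", "repo:write"},
    "support": {"tickets:read", "tickets:write"},
}


@dataclass
class Finding:
    user: str
    control: str   # one of: mfa, least-privilege, dormant, offboarding
    detail: str


def review_accounts(accounts, as_of, dormant_days=30, offboard_grace_days=1):
    """Run the automated part of the review and return every exception found."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if acct["status"] == "terminated":
            # Offboarding: a terminated user must lose all access within the grace window.
            term = date.fromisoformat(acct["terminated_on"])
            overdue = as_of - term > timedelta(days=offboard_grace_days)
            if overdue and acct["entitlements"]:
                findings.append(Finding(
                    user, "offboarding",
                    f"terminated {term}, still holds {sorted(acct['entitlements'])}"))
            continue  # the remaining checks apply to active accounts only
        if not acct["mfa"]:
            findings.append(Finding(user, "mfa", "MFA not enrolled"))
        # Least privilege: anything outside the role's baseline needs justification.
        extra = set(acct["entitlements"]) - ROLE_BASELINE.get(acct["role"], set())
        if extra:
            findings.append(Finding(
                user, "least-privilege",
                f"entitlements outside {acct['role']} baseline: {sorted(extra)}"))
        # Dormancy: unused accounts are removed or re-justified.
        last = date.fromisoformat(acct["last_login"])
        if as_of - last > timedelta(days=dormant_days):
            findings.append(Finding(user, "dormant", f"no login since {last}"))
    return findings


def evidence_record(accounts, findings, reviewer, as_of):
    """Build the artifact an auditor samples: scope, result, and who signed off.

    The reviewer field is the human step the tool cannot supply; the record is
    not complete evidence until a named person has dispositioned the findings.
    """
    return {
        "control": "Quarterly user access review",
        "as_of": as_of.isoformat(),
        "accounts_reviewed": len(accounts),
        "findings": [asdict(f) for f in findings],
        "result": "exceptions noted" if findings else "no exceptions",
        "reviewer": reviewer,
    }


if __name__ == "__main__":
    review_date = date(2024, 6, 1)
    found = review_accounts(SAMPLE_ACCOUNTS, review_date)
    record = evidence_record(SAMPLE_ACCOUNTS, found, "security-lead@example.test", review_date)
    for f in found:
        print(f"{f.user:6} {f.control:16} {f.detail}")
    print(record["result"], "-", record["accounts_reviewed"], "accounts reviewed")
```

Run against the constructed export on 2024-06-01, the check flags four exceptions: bob has no MFA and holds a production database entitlement outside the support baseline, carol's account has been dormant since February, and dave was terminated three weeks ago but still has write access. The automated part is repeatable and easy to wire to a scheduler; the evidence record still carries a reviewer name because the auditor will ask who looked at the exceptions and what was done about them.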
How Scrut helps you get the Trust Services Criteria right
If the TSCs feel abstract or hard to operationalize, you’re not alone. Translating principles like “risk mitigation” or “system operations” into actual, auditable controls isn’t always straightforward. That’s where Scrut comes in.
Scrut makes it easier to go from trust principles to real, working systems. Here’s how:
- 1400+ pre-mapped controls: Each TSC, from Security to Privacy, is already broken down into actionable controls, so you don’t have to figure out what “evaluate risk” or “protect confidentiality” means in practice.
- Modular scoping: Whether you’re going for just Security or layering on other criteria like Availability or Processing Integrity, Scrut helps you select the right TSCs and build your audit around them, without bloating the scope.
- Continuous control monitoring: With 100+ integrations, Scrut pulls real-time data from your cloud infrastructure, HR tools, ticketing systems, and more to validate controls against your chosen TSCs, so you’re not scrambling for evidence come audit time.
- 75+ built-in policy templates and task ownership: From access reviews to change management, Scrut helps assign and track the operational pieces tied to TSC requirements, so nothing slips through the cracks.
Getting the TSCs right isn’t about chasing perfection. It’s about making sure your controls match what your customers expect. Scrut gives you the structure, automation, and visibility to make that happen, without guesswork.

FAQs
Are the Trust Services Criteria important SOC 2 requirements?
Yes, the Trust Services Criteria are central to the Trust Services Framework, which forms the basis of every SOC 2 audit. For any service organization pursuing SOC 2, these criteria define what’s being evaluated, making them essential for demonstrating compliance and earning trust.
Are all Trust Service Principles in SOC 2 mandatory?
No, only Security (the Common Criteria) is mandatory for every SOC 2 audit. The other Trust Service Principles (Availability, Processing Integrity, Confidentiality, and Privacy) are optional. You can include them based on your business model, customer commitments, and the type of data you handle.
Is the Trust Services Criteria (TSC) applicable to SOC 1?
No, the TSC is not applicable to SOC 1. SOC 1 reports are based on ICFR (Internal Control over Financial Reporting), not the Trust Services Criteria. The TSC is specific to SOC 2 and SOC 3, which focus on controls related to security, availability, confidentiality, privacy, and processing integrity.
What is the main difference between SOC 1 and SOC 2?
The main difference lies in what they assess. SOC 1 focuses on controls that impact a customer’s financial reporting (ICFR), while SOC 2 evaluates controls related to security, availability, processing integrity, confidentiality, and privacy using the Trust Services Criteria. In short: SOC 1 is about your customers’ financial reporting; SOC 2 is about how you secure and operate the systems and data you handle for them.
When was the AICPA Trust Services Criteria updated, and what changed?
The Trust Services Criteria were significantly updated in 2017 to align with the COSO 2013 framework, introducing a more risk-based structure and making Security the mandatory baseline. The other four criteria, Availability, Processing Integrity, Confidentiality, and Privacy, became optional.
In 2022, the AICPA issued revised points of focus (not structural changes) to clarify how the TSCs should be applied in areas like access control, configuration management, and data lifecycle. These refinements helped organizations and auditors better evaluate whether controls are effectively designed and operating as intended.
While there’s no fixed update schedule, major overhauls are rare. Guidance updates, like the 2022 revision of the points of focus, happen as needed to reflect new risks and technology practices.

Megha Thakkar has been weaving words and wrangling technical jargon since 2018. With a knack for simplifying cybersecurity, compliance, AI management systems, and regulatory frameworks, she makes the complex sound refreshingly clear. When she’s not crafting content, Megha is busy baking, embroidering, reading, or coaxing her plants to stay alive—because, much like her writing, her garden thrives on patience. Family always comes first in her world, keeping her grounded and inspired.