
    Trust Service Criteria

    Trust Service Criteria (TSC) are the five categories used in SOC 2 audits: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

    Trust Service Criteria are the framework used in SOC 2 attestations, developed by the AICPA.

    The five criteria:

    1. Security (Common Criteria): Protection against unauthorized access. Required for all SOC 2 reports.
    2. Availability: The system is available as committed. Addresses uptime, disaster recovery (DR), and business continuity (BC).
    3. Processing Integrity: Processing is complete, valid, accurate, and timely.
    4. Confidentiality: Confidential information is protected.
    5. Privacy: Personal information is handled appropriately.

    Organizations choose criteria based on services and customer requirements. Security is always required; others are optional.

    Why It Matters

    Choosing the right Trust Service Criteria determines the scope and value of your SOC 2 report. Including only Security is the minimum, but most enterprise customers expect Availability and Confidentiality as well. Understanding each criterion helps organizations focus their compliance efforts on what matters most to their customers while avoiding unnecessary scope expansion that increases audit costs.

    Key Points

    Five categories: Security, Availability, Processing Integrity, Confidentiality, Privacy
    Security (Common Criteria) is mandatory
    Other criteria are optional based on business needs
    Each criterion has specific points of focus
    Aligns with COSO framework principles

    Frequently Asked Questions

    Which Trust Service Criteria should I include?

    Security is required. Most SaaS companies add Availability. Add others based on data types and customer requirements.

    What are Points of Focus?

    Points of focus are supplementary considerations within each criterion that help organizations understand how to meet requirements. They're guidance, not mandatory.
