SOC 2 Trust Services Criteria Explained
Robin Joseph
Senior Security Consultant

SOC 2 audits aren’t random security checks. They follow a structured framework designed to evaluate how well organizations protect data, manage systems, and maintain trust. At the center of this framework are the Trust Services Criteria — the standards auditors use to measure whether security controls actually work in practice.
For growing companies, SOC 2 is no longer just a compliance milestone. Customers, partners, and enterprise buyers increasingly expect proof that systems are secure and reliable. A SOC 2 report provides that assurance by showing controls have been independently evaluated against defined requirements.
Understanding these criteria changes how organizations approach compliance. Instead of treating SOC 2 as a checklist, businesses can use it as a blueprint for stronger operations and long-term security maturity. Before exploring each category, it’s important to understand what the Trust Services Criteria are and how they shape every SOC 2 audit.
What Are SOC 2 Trust Services Criteria?
SOC 2 Trust Services Criteria are the control categories auditors use to evaluate how securely an organization manages systems and protects data. Developed by the American Institute of Certified Public Accountants (AICPA), these criteria form the foundation of every SOC 2 audit, guiding how security practices, operational controls, and risk management processes are assessed in practice.
The framework consists of five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Each focuses on a different aspect of operational trust, helping organizations demonstrate that systems are protected, data is handled responsibly, and services operate reliably under real-world conditions.
Security is the only mandatory category for all SOC 2 audits, while the remaining criteria are chosen based on business commitments, customer expectations, and risk exposure. This flexibility allows organizations to align compliance efforts with actual operational needs instead of applying unnecessary controls.
Before 2018, these categories were called SOC 2 Trust Service Principles. The update clarified control structures and improved guidance while preserving the same core objectives.

Security: The Only Mandatory SOC 2 Trust Criterion
Security isn’t just another SOC 2 requirement — it’s the mandatory foundation of every audit. It focuses on protecting systems and data from unauthorized access, disclosure, or damage. Organizations must prove they actively manage risk, enforce access controls, and operate secure environments, not just maintain written policies.
CC1 to CC5: Control Environment and Risk Management
The first five Common Criteria establish the governance and risk foundation behind security:
- CC1 — Control Environment: Leadership accountability, ethical values, defined responsibilities, and enforceable security policies.
- CC2 — Communication and Information: Security expectations are communicated across teams, with reporting channels for employees and third parties.
- CC3 — Risk Assessment: Continuous identification of threats and vulnerabilities supported by documented mitigation plans.
- CC4 — Monitoring Activities: Ongoing oversight through logging, internal reviews, audits, and corrective actions.
- CC5 — Control Activities: Operational safeguards such as approvals, segregation of duties, and audit trails that enforce policies.
These controls ensure security is embedded into governance and daily decision-making, not treated as a standalone IT task.
CC6 to CC9: Access, Operations, and Change Management
The remaining criteria focus on operational execution and system protection:
- CC6 — Logical and Physical Access: User authentication, role-based access, encryption, and facility security safeguards.
- CC7 — System Operations: Security monitoring, vulnerability management, incident response, and disaster recovery readiness.
- CC8 — Change Management: Controlled updates with testing, approvals, and rollback procedures to prevent new risks.
- CC9 — Risk Mitigation: Management of third-party risks and remediation of known control gaps with defined ownership.
Together, these controls ensure security practices are consistently applied across systems and workflows.
Why Security Is Called the SOC 2 Common Criteria
Security is called the Common Criteria because every other Trust Services Criterion depends on it. Availability, Processing Integrity, Confidentiality, and Privacy all rely on shared controls like monitoring, governance, and access management. Without this baseline, additional criteria cannot function effectively. Strengthening Security first creates the operational maturity needed to expand into other SOC 2 categories.
How SOC 2 Criteria Are Structured
Each Common Criterion includes measurable expectations rather than broad guidance:
- Implement multiple supporting controls per requirement.
- Maintain documentation proving controls operate over time.
- Prioritize implementation based on real organizational risks.
- Keep audit-ready evidence demonstrating effectiveness.
A structured approach turns SOC 2 from a one-time audit into a sustainable security program.
Availability: Ensuring System Uptime and Resilience
Availability ensures your systems remain accessible and operational when users depend on them. For organizations delivering always-on services, uptime directly affects revenue, customer trust, and contractual commitments. This criterion evaluates whether businesses actively monitor performance, prepare for disruptions, and maintain resilience instead of reacting only after failures occur.
System Monitoring, Incident Response, and Uptime Controls
Availability begins with constant system monitoring. Organizations must show they track performance under normal and peak conditions and respond quickly, favoring proactive controls over reactive fixes.
- Monitor system capacity, utilization, and performance against defined baselines
- Forecast growth trends and scale infrastructure before reaching limits
- Implement automated alerting tied to uptime and performance thresholds
- Ensure responsible teams are notified immediately during incidents
- Monitor for cyber threats, outages, and environmental disruptions that impact availability
- Conduct incident response testing at least annually to validate readiness
These controls show that uptime is actively managed through measurable operational practices, not assumptions.
Disaster Recovery and Business Continuity Requirements
Availability also measures how well organizations prepare for disruption. SOC 2 expects businesses to anticipate failures and maintain recovery capabilities that minimize downtime and data loss.
- Identify environmental risks such as power failures, fires, and natural disasters during risk assessments
- Deploy safeguards like redundancy, failover infrastructure, UPS systems, and backup power
- Maintain secure, reliable backups with verified data integrity
- Define disaster recovery and business continuity procedures aligned with business priorities
- Perform annual recovery testing, including restoring systems from backups
Effective recovery planning proves the organization can maintain service continuity even during major disruptions.
How Availability Is Evaluated in SOC 2 Type 2 Reports
SOC 2 Type 2 audits focus on operational evidence over time. Auditors examine whether availability controls consistently function under real-world conditions.
- Assess infrastructure resilience during stress or outage scenarios
- Review recovery time objectives (RTOs) and alignment with service commitments
- Verify documented testing results for continuity and recovery plans
- Evaluate preparedness against both human threats and environmental hazards
Demonstrating tested recovery capabilities and measurable uptime performance shows customers that reliability is engineered into operations — not left to chance.
Processing Integrity: Valid, Accurate, and Timely Operations
Processing integrity ensures your systems do what they’re supposed to — completely, accurately, on time, and only when authorized. It’s about more than security: it’s about proving your data moves through your systems correctly, without accidental errors or unauthorized changes. Think of it as the “trustworthiness” of your operations.
Input, Processing, and Output Control Activities
Processing integrity covers three critical stages of data handling:
1. Input Controls (PI1.2): Ensure data entering the system is complete, correct, and valid.
- Reject incorrect or incomplete inputs automatically
- Validate required fields and formats
- Track transactions with unique IDs and timestamps for traceability
2. Processing Controls (PI1.3): Verify that data is processed accurately according to business rules.
- Apply automated rules for calculations and transformations
- Use feedback loops to detect anomalies
- Reconcile files and batches to confirm totals match expectations
3. Output Controls (PI1.5): Confirm outputs are accurate, complete, and protected.
- Compare outputs against previous cycles
- Flag unusual variances exceeding thresholds
- Secure outputs from theft, alteration, or accidental damage
These controls ensure every stage of the data lifecycle is monitored and verified, reducing risk of mistakes or misprocessing.
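The three control stages above, as an added example that is not part of the original article: input validation with unique IDs and parseable timestamps (PI1.2), reconciliation of a batch against its control count and total (PI1.3), and a variance check of the cycle total against the previous cycle (PI1.5). The record format, field names and sample batch are constructed for illustration, not taken from any real system.

```python
import re
from datetime import datetime

# Hypothetical payment-record format used only for this example.
REQUIRED_FIELDS = ("txn_id", "timestamp", "account", "amount_cents")
TXN_ID_RE = re.compile(r"^TXN-\d{6}$")

def validate_inputs(records):
    """Input control (PI1.2): reject incomplete or invalid records, enforce unique IDs."""
    accepted, rejected, seen_ids = [], [], set()
    for rec in records:
        txn_id = rec.get("txn_id")
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            rejected.append((txn_id, "missing fields: " + ", ".join(missing)))
            continue
        if not TXN_ID_RE.match(txn_id):
            rejected.append((txn_id, "malformed transaction id"))
            continue
        if txn_id in seen_ids:
            rejected.append((txn_id, "duplicate transaction id"))
            continue
        try:
            datetime.fromisoformat(rec["timestamp"])  # must parse for traceability
        except ValueError:
            rejected.append((txn_id, "invalid timestamp"))
            continue
        if not isinstance(rec["amount_cents"], int) or rec["amount_cents"] <= 0:
            rejected.append((txn_id, "amount must be a positive integer"))
            continue
        seen_ids.add(txn_id)
        accepted.append(rec)
    return accepted, rejected

def reconcile_batch(accepted, control_count, control_total):
    """Processing control (PI1.3): processed count and sum must match the batch control totals."""
    count, total = len(accepted), sum(r["amount_cents"] for r in accepted)
    return {"count": count, "total": total,
            "reconciled": count == control_count and total == control_total}

def output_variance_exceeded(current_total, previous_total, threshold=0.10):
    """Output control (PI1.5): flag a cycle whose total deviates from the prior cycle beyond threshold."""
    if previous_total <= 0:
        return True  # no usable baseline: route to manual review as an exception
    return abs(current_total - previous_total) / previous_total > threshold

# Constructed sample batch: the sender claims 4 records totalling 5600 cents, but five lines arrive.
SAMPLE_BATCH = [
    {"txn_id": "TXN-000101", "timestamp": "2024-05-01T10:00:00+00:00", "account": "A1", "amount_cents": 1500},
    {"txn_id": "TXN-000102", "timestamp": "2024-05-01T10:01:00+00:00", "account": "A2", "amount_cents": 2500},
    {"txn_id": "TXN-000102", "timestamp": "2024-05-01T10:02:00+00:00", "account": "A3", "amount_cents": 900},
    {"txn_id": "TXN-000103", "timestamp": "not-a-date", "account": "A4", "amount_cents": 700},
    {"txn_id": "TXN-000104", "timestamp": "2024-05-01T10:03:00+00:00", "account": "A5"},
]
```

Running `validate_inputs(SAMPLE_BATCH)` accepts two records and rejects three with reasons; `reconcile_batch` then fails against the claimed control totals, which is exactly the discrepancy a reconciliation report is meant to surface.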
Error Detection, Logging, and Exception Handling
Mistakes happen — the key is catching and correcting them quickly:
- Error Prevention: Automated checks prevent errors before they affect operations
- Detection Systems: Monitor data in real time to spot anomalies
- Quick Fixes: Procedures to resolve issues efficiently without breaking workflows
Auditors look for metrics such as error rates, throughput, and reconciliation reports to validate that your system is consistently reliable.
When to Include Processing Integrity in Your SOC 2 Scope
Processing integrity matters if your operations involve:
- Financial transactions, e-commerce, or payment processing
- Managing transactions for clients or third parties
- Meeting defined operational commitments or SLAs
- Previous issues with data accuracy or reliability
- Industries where precision directly affects business outcomes
Including processing integrity shows you’re not just focused on security, but also on delivering accurate, dependable services that customers and partners can trust. It’s proof that your data processes are as solid as your security controls.
Confidentiality: Protecting Sensitive Business Information
Confidentiality in SOC 2 focuses on keeping sensitive business information secure from collection to proper disposal. While optional, it’s critical for organizations handling client data, trade secrets, financial records, or legal documents, helping reduce risk, maintain compliance, and build trust with clients.
Data Classification and Information Handling Policies
Effective confidentiality starts with knowing exactly what information needs protection. Without clear classification, organizations often try to protect everything and fail to safeguard what truly matters.
- Formal Classification Policy: Define precisely what counts as confidential.
- Retention Rules: Specify how long each type of information should be kept.
- Key Confidential Information:
  - Business plans and strategies
  - Financial records and banking information
  - Trade secrets and intellectual property
  - Legal documents and contracts
Focused classification and handling policies ensure resources protect the most critical information efficiently.
Access Restrictions and Encryption Requirements
Once data is classified, proper access and encryption controls are essential to prevent unauthorized exposure.
- Role-Based Access: Grant access only to employees who need it for their role.
- Encryption: Use strong encryption methods for data at rest and in transit.
- Monitoring: Track access activity to detect unusual or unauthorized behavior.
- Third-Party Vendors: Confirm partners comply with the same confidentiality standards.
Restricting access and encrypting data keeps sensitive information safe across internal systems and external partnerships.
Retention and Secure Disposal of Confidential Data
Confidentiality doesn’t end with storage; secure retention and disposal are just as important.
- Identify Expired Data: Determine which information no longer serves a purpose.
- Proper Destruction: Use cryptographic wiping for digital data and shredding for physical documents.
- Documentation: Keep detailed records of destroyed data for audits and accountability.
Secure retention and disposal practices complete the confidentiality lifecycle, mitigating risks, supporting SOC 2 audits, and proving to clients that sensitive information is managed responsibly.
Privacy: Protecting Personally Identifiable Information
Privacy is all about protecting personally identifiable information (PII), and it’s become critical for modern businesses. Over 90% of leaders now see strong privacy protections as essential for customer trust — and for good reason. If you operate in healthcare, government contracts, or handle sensitive personal data, privacy is non-negotiable.
Personally Identifiable Information Handling Requirements
PII includes any data that can identify or be linked to a specific person. You need clear strategies to protect it throughout its lifecycle:
- The obvious: Names, addresses, email addresses, phone numbers
- Sensitive data: Social Security numbers, financial records
- Health information: Medical records, health status
- Demographic details: Race, sexuality, or other identifiers when relevant
Organizations must track what PII they collect, how it flows through systems, and ensure secure handling at all stages. Ignoring this leaves exposure gaps and regulatory risks.
Notice, Consent, and Data Subject Rights Controls
Privacy isn’t just about locking data away — it’s about transparency and respecting individual rights:
- Privacy Notices: Clearly communicate what data is collected, why, and how long it’s retained
- Consent Management: Track user consents and honor preferences rigorously
- Access Rights: Allow individuals to view, update, or request deletion of their personal information
- Only use PII for stated purposes and as agreed by the data subject
Clear notice, consent, and access management proves you respect user privacy and sets the stage for compliant operations.
AICPA Trust Services Criteria for Privacy
The AICPA divides privacy into eight focused areas, providing auditors with clear points of evaluation:
- Notice: Communicate privacy practices clearly
- Choice and Consent: Give people control over their data
- Collection: Only gather necessary information
- Use, Retention, and Disposal: Properly manage data through its lifecycle
- Access: Enable users to review and correct their information
- Disclosure to Third Parties: Protect data when shared externally
- Quality: Maintain accurate personal information
- Monitoring and Enforcement: Handle complaints, enforce policies, and maintain compliance
While privacy is the most complex Trust Services Criterion, implementing it demonstrates real commitment to data protection and builds customer confidence.
Choosing the Right SOC 2 TSC for Your Organization
Choosing the right SOC 2 Trust Services Criteria is strategic — it affects audit complexity, cost, and value. Focus on what aligns with your business and customer needs.
How to Align SOC 2 TSC With Your Business Commitments
Start by reviewing your service commitments, contracts, SLAs, and what you’ve promised customers. Are you guaranteeing system uptime, accurate data processing, confidentiality, or privacy protections? The criteria you select should reflect these promises. Different business models naturally map to different criteria — the goal is to align audit scope with real operational obligations.
When to Include Optional Criteria
Deciding which optional SOC 2 criteria to include depends on your business operations, customer commitments, and the type of data you handle. Only add what truly matters.
- Availability: Include if you operate always-on platforms, cloud services, or critical delivery systems.
- Processing Integrity: Relevant for financial reporting, e-commerce, or transaction-heavy operations.
- Confidentiality: Needed when handling sensitive business data, strategies, or intellectual property.
- Privacy: Essential if you collect, store, or process personal information.
Optional criteria should never be added arbitrarily. Each additional criterion increases complexity and cost, so include only what’s necessary to demonstrate real compliance and operational integrity.
Balancing SOC 2 TSC List With Actual Needs
Organizations often overcomplicate audits by including everything or picking irrelevant criteria. Start with Security, the only mandatory criterion, and layer in others based on actual business needs. Keep your scope lean, purposeful, and aligned with what truly impacts customers. This ensures a SOC 2 audit that’s efficient, credible, and meaningful.
Why Trust Services Criteria Matter for SOC 2 Compliance
Most teams treat trust services criteria like a compliance hurdle. That misses the point. These SOC 2 trust criteria aren’t just audit paperwork — they’re the foundation for building a business customers actually trust with sensitive data.
Today, proof of strong security and privacy controls isn’t optional. Customers and partners expect evidence, not promises. SOC 2 reports help demonstrate that your organization takes protection seriously and has structured controls in place.
The real value comes from how the AICPA trust services criteria translate compliance into action. They turn vague requirements into measurable risk management, give visibility into your security posture, and strengthen internal processes before incidents happen — not after.
The smartest approach is focused adoption. The SOC 2 TSC framework lets you prioritize criteria that match your commitments and risks. Aligning with trust services criteria SOC 2 isn’t just about passing an audit — it builds continuous monitoring and stronger security long after certification.