Trust Services Criteria for SOC 2: What You Need to Know
Understand the five Trust Services Criteria for SOC 2 audits—what they are, how to choose them, and how they impact your compliance scope.
The key to business is giving your customers what they want. In today’s world, your customers want and need to know that you have the appropriate security and privacy controls to protect their data. You may need to undergo a SOC 2 compliance audit to achieve your revenue targets, but looking at the SOC 2 controls can leave you wondering where to begin.
By understanding the trust services criteria (TSC) and where they fit into your SOC 2 compliance, you can make the process more manageable.
Trust Services Categories vs. Criteria: What’s the Difference?
The Trust Services Criteria are grouped into five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Each category contains specific criteria that auditors use to evaluate how your controls are designed and operating. These criteria are standardized by the American Institute of Certified Public Accountants (AICPA) and include both common controls (like access management and monitoring) and category-specific requirements (like data disposal for Privacy or capacity planning for Availability).
For example:
Security includes common criteria (CC1–CC9), which apply across many frameworks.
Availability and the other optional categories include additional criteria tailored to their specific focus area.
In short:
Categories = The five high-level areas of trust that tell readers of your report what is covered within your SOC 2 report and what factors of your service were evaluated.
Criteria = The specific elements within a category that your system must fulfill in order to have the category included within your SOC 2 report.
The Five SOC 2 Trust Services Criteria
In 2017, the AICPA published the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, defining what auditors would look for and evaluate when engaging in SOC 2 attestations and consulting engagements.
In 2022, the Assurance Services Executive Committee (ASEC) published an update that reflected new focus points. While the basic criteria remain the same, these revisions focus on ways that IT and cybersecurity threats have changed.
Each criterion serves a specific purpose. Security is always required; the others are optional and should align with your services, customer expectations, and regulatory obligations.
Let’s break them down.
1. Security (Required for All SOC 2 Audits)
When you think about the security criteria, you want to focus on preventing unauthorized external parties from accessing or disclosing information. When implementing internal controls that fall into this category, you want to think about how to prevent damage to systems that could compromise data’s availability, integrity, confidentiality, and privacy, and impact your business’s ability to achieve its objectives.
Security is assessed using the Common Criteria (CC), a framework derived from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) that evaluates how controls are designed, implemented, and maintained. There are nine CC categories (though only the first five are considered necessary for establishing a strong security posture):
CC1: Control Environment – Establishes roles, responsibilities, and policies that support a strong security culture.
CC2: Communication and Information – Ensures security updates and expectations are clearly communicated across teams.
CC3: Risk Assessment – Identifies and analyzes potential threats to customer data and business objectives.
CC4: Monitoring Activities – Continuously evaluates control effectiveness and flags potential issues.
CC5: Control Activities – Translates policies into action, such as system access procedures or change approvals.
CC6: Logical and Physical Access Controls – Restricts who can access systems, both digitally and physically.
CC7: System Operations – Covers system performance, event monitoring, and incident response.
CC8: Change Management – Ensures that system changes follow a secure and documented process.
CC9: Risk Mitigation – Helps reduce impact through contingency planning and asset protection.
2. Availability
Within this category, you need to keep operations running and data accessible to the people who need it. Availability covers whether internal users and customers can use information and systems. It also examines your controls, ensuring that they support operation, monitoring, and maintenance.
The specific Availability criteria are:
A1.1: Capacity Management – Ensures systems can scale to meet usage demands without performance issues.
A1.2: Environmental Protections – Covers safeguards against outages or disasters, including power loss or hardware failure.
A1.3: Backup and Recovery Testing – Requires regular tests of recovery systems to validate your ability to bounce back from disruptions.
Although this category doesn’t define a minimum performance level, it does look at whether a system functions as intended and whether people can use it to do what they need to do. Much of what the auditor examines will be based on commitments you make to your customers, such as any SLAs you agree to.
3. Processing Integrity
When looking at processing integrity, auditors need to know whether systems do what you want them to do without experiencing impairments, errors, delays, omissions, incorrect processing, or unauthorized or accidental manipulation.
The Processing Integrity criteria are:
PI1.1: Defined Processing Requirements – Systems must follow clearly documented rules for handling data.
PI1.2: Input Validation – Ensures only complete and correct data enters your systems.
PI1.3: Accurate Processing – Controls must detect and fix processing errors in real time.
PI1.4: Reliable Output Delivery – Verifies that processed data reaches the correct recipient, intact.
PI1.5: Data Retention and Protection – Protects the integrity of stored records and logs.
4. Confidentiality
Under this category, you need to protect all information designated confidential, like personally identifiable information (PII), intellectual property, trade secrets, and corporate financials. Auditors will review how well you protect this information across its entire lifecycle, from creation/collection until disposal.
The AICPA breaks down Confidentiality into two subcriteria:
C1.1: Data Classification – Helps your team identify which data is confidential and how it should be handled.
C1.2: Protection Mechanisms – Enforces controls like encryption, access restrictions, and secure deletion protocols.
5. Privacy
The privacy category applies only to personal information, unlike the confidentiality criteria, which include broader categories of information. The privacy criteria focus on:
Notice and communication of objectives: Telling people why you want their information.
Choice and consent: Letting people know how you collect, use, retain, disclose, and dispose of information so that they can make informed decisions about giving it to you.
Collection: Telling people how the information supports the reason you want it.
Use, retention, and disposal: Limiting how you use, retain, and dispose of personal information.
Access: Giving people a way to access the personal information you collected so that they can review it or ask for you to correct it.
Disclosure and notification: Informing people about who you share their data with, and notifying them of data breaches.
Quality: Collecting and maintaining up-to-date, complete, relevant personal information.
Monitoring and enforcement: Monitoring compliance, including how to address privacy-related inquiries, complaints, and disputes.
How to Choose the Right Trust Services Criteria for Your SOC 2 Report
Your attestation engagement defines which Trust Services categories fall within your SOC 2 audit scope—and that scope determines which criteria and controls your organization must address. For every in-scope category, you need to address all defined criteria.
Every SOC 2 audit begins with Security, which includes the Common Criteria (CC1–CC9). These controls are the foundation for how your organization manages risk, defines roles and responsibilities, protects system access, and responds to security events. Because these areas are so important to overall data protection, Security is mandatory, and often the reason customers request SOC 2 reports in the first place.
When considering the other four categories—Availability, Processing Integrity, Confidentiality, and Privacy—you need to weigh the business value of each against the increased audit scope. Each additional category brings more criteria and control requirements, so the goal isn’t to cover everything but rather to align your audit scope with your services, customer expectations, and compliance requirements.
Here’s how to evaluate which categories belong in your SOC 2 audit:
If your platform offers infrastructure, cloud services, or deployment tooling, the Availability category matters. Customers will want to know your systems can handle scale, avoid outages, and recover quickly.
If your product processes financial transactions, reporting data, or business-critical operations, then Processing Integrity helps show that your outputs are accurate, complete, and free from unauthorized manipulation.
If you store or manage sensitive internal or customer data—like product roadmaps, proprietary algorithms, or IP—Confidentiality shows that you have strong access controls, encryption, and secure disposal methods in place.
If your business collects personally identifiable information (PII)—like names, emails, payment details, or health records—Privacy helps demonstrate compliance with evolving global regulations like GDPR and CCPA.
In some cases, your customer contracts or SLAs may mandate the inclusion of specific categories. Enterprise clients might require Availability to meet uptime guarantees, or Privacy to align with regulatory expectations.
You don’t need to include every category at once. Many organizations start with Security, then add other categories as they grow, land larger clients, or expand into regulated markets. Just focus on defining a scope that matches your business model and risk profile without overwhelming your team or delaying audit readiness.
How the Trust Services Criteria Work Together
One of the biggest advantages of the Trust Services Criteria framework is that many controls support multiple categories. This overlap allows you to reduce effort, minimize redundancy, and simplify compliance. For example:
Access control policies apply to both Security and Confidentiality—they show how you restrict unauthorized access to systems and data.
Change management procedures satisfy requirements under Security, Availability, and Processing Integrity by ensuring updates don’t disrupt operations or introduce risk.
Monitoring and alerting systems help meet criteria under Security (detecting threats), Availability (responding to downtime), and Privacy (identifying unauthorized data access).
The interconnected structure means that choosing multiple categories doesn’t always mean starting from scratch. With the right infrastructure—and the right automation—you can scale your controls across multiple criteria without duplicating work.
Get SOC 2 Audit Ready Faster With Drata
Drata replaces the chaos of manual prep with always-on automation. From real-time evidence collection to continuous control monitoring, everything you need lives in one platform. You’ll track assets, manage access, and maintain audit readiness, without chasing screenshots or second-guessing compliance gaps.
And you won’t do it alone—our in-house experts are here to guide you every step of the way. Whether you’re preparing for your first SOC 2 audit or expanding into new trust categories, Drata helps you move faster, stay compliant, and build trust with every customer.
Book a demo to see how Drata helps you become compliant—and stay that way—with less effort and more confidence.
Trust Services Criteria Frequently Asked Questions (FAQs)
Still have questions about the Trust Services Criteria? Below we answer some of the most common queries.
Do I Need to Include All Five Trust Services Criteria In My SOC 2 Audit?
No, you only need to include the Security category. The Security trust principle (along with its nine Common Criteria) is mandatory in every SOC 2 audit because it addresses fundamental risk areas like access controls, incident response, and system monitoring. These controls provide the baseline for evaluating whether your organization can protect sensitive data.
The other four categories—Availability, Processing Integrity, Confidentiality, and Privacy—are optional and should be added only if they align with your business model, contractual obligations, or customer expectations. Including additional categories increases your audit scope, so you’ll need to meet every criterion within each one you select.
How Do I Know Which Trust Services Categories to Include?
Align your SOC 2 scope with your services, data types, and customer expectations. The Security category is always required, but beyond that, your selection should reflect what your business does and what your customers care about.
Ask yourself:
What kind of data do we handle? (e.g., personal or confidential information, financial records, internal IP)
Do we offer uptime guarantees or process transactions?
Are customers asking for specific assurances in RFPs or contracts?
Do we operate in regulated industries or regions? (e.g., healthcare, fintech, EU)
Can I Add More Trust Services Categories Later?
You can expand your SOC 2 scope over time. You may begin with just the Security category to quickly produce a report, especially if you’re trying to close deals or meet a customer’s minimum security requirements. Once that foundation is in place, you can add other categories like Availability or Privacy in later audit cycles.
Adding a new category means your auditor will evaluate a fresh set of criteria tied to that category—so you’ll need to implement and document the relevant controls in advance. Depending on your audit cadence, this may require a new readiness assessment or a scoped update to your current controls.
What Happens if I Include a Category But Miss One of Its Criteria?
If you miss a required criterion within an in-scope category, your auditor will report it as an exception in your SOC 2 report. That doesn’t automatically mean you’ve failed, but it can affect your audit outcome and how customers interpret your security posture.
There are four possible audit opinions:
Unqualified (clean): You met all criteria and controls operated effectively—this is the ideal result.
Qualified: Most controls were effective, but one or more criteria had issues or gaps.
Adverse: You didn’t meet several requirements; your systems are not operating as expected.
Disclaimer: The auditor couldn’t gather enough evidence to form an opinion.
Even a single exception, if it's material, can downgrade your report from unqualified to qualified. That’s why it's important to only include categories you’re confident you can fully support, and why some organizations phase them in over time.
Do the Criteria Overlap Between Categories?
Yes, and that’s a good thing. Many SOC 2 controls satisfy requirements across multiple Trust Services Criteria, which means you can do more with less if your systems are well designed.
For example:
Access controls are required for Security, but also support Confidentiality by preventing unauthorized access to sensitive information.
Change management processes satisfy Security, Processing Integrity, and Availability, since they help ensure system updates are secure, tested, and don’t disrupt service or introduce errors.
Monitoring and logging help fulfill criteria in Security (detecting unauthorized activity), Availability (uptime tracking), and Privacy (auditing access to personal data).
When controls overlap, you don’t need to implement separate systems for each category—you just need to ensure the control is properly documented and monitored.
