SOC 2 Trust Services Criteria: Security, Availability, Confidentiality Explained

The Trust Services Criteria (TSC) are the control framework that underlies every SOC 2 audit. Published by the AICPA, the TSC replaced the older Trust Services Principles in 2017 and were updated again in 2022. Understanding the five categories — and exactly what auditors look for within each — is essential whether you are preparing for your first audit or trying to understand what a vendor's SOC 2 report actually covers.

The Five TSC Categories

SOC 2 reports can cover one or more of the five Trust Services Criteria:

Security (CC series) — the only required category
Availability (A series)
Processing Integrity (PI series)
Confidentiality (C series)
Privacy (P series)

Every SOC 2 report includes Security. The other four are optional add-ons selected based on what is relevant to the service commitments your organization makes to customers.

Security: The Common Criteria

Security is the foundation. The AICPA calls it the "Common Criteria" because its controls are prerequisites for all other categories. If a control is relevant to multiple TSC categories, it lives in Security to avoid duplication.

The Security criteria are organized into nine control groups (CC1 through CC9):

CC1: Control Environment

The control environment addresses the tone set by leadership. Controls here include:

A board of directors or equivalent that exercises oversight of security strategy
Management demonstrating commitment to competence, integrity, and ethical values
Defined organizational structure with clear accountability for security

For a small SaaS company, this often translates to: a documented security policy approved by executive leadership, a designated security lead with formal responsibility, and evidence that security is a standing agenda item in leadership meetings.

CC2: Communication and Information

This group covers how security-relevant information flows within and outside the organization:

Communicating security policies and procedures to the workforce
Communicating security commitments to customers (through service commitments and system descriptions)
Obtaining and using information from external parties (threat intelligence, vendor security reports)

Practically: your employee handbook references security policies, new employees receive security training, and your website accurately describes your security practices.

CC3: Risk Assessment

The organization must have a process for identifying, analyzing, and responding to risks:

A formal risk assessment process with defined methodology
Identification of fraud risks and risks from changes (new products, acquisitions, personnel)
Regular review and update of the risk assessment

Auditors look for a documented risk register, evidence of when it was last updated, and evidence that identified risks have treatment plans.

CC4: Monitoring Activities

Controls must be monitored to ensure they continue to operate effectively:

Ongoing and periodic evaluations of controls
Evaluation and communication of control deficiencies
Remediation of identified issues

This maps to internal audit programs, management reviews, and tracking of identified exceptions to resolution.

CC5: Control Activities

This group covers the design and implementation of controls to mitigate identified risks:

Selecting and developing control activities in response to risks
Deploying technology-based controls
Deploying policies and procedures

CC5 is where general IT controls — change management, logical access, physical security — are evaluated.

CC6: Logical and Physical Access Controls

CC6 is often the most heavily tested group. It covers:

CC6.1: Identification, authentication, and authorization — who can access what, and how is identity verified. Auditors review access lists, MFA enforcement, and role definitions.
CC6.2: User registration and deregistration — onboarding and offboarding procedures. Auditors look for evidence that access is removed promptly when employees leave.
CC6.3: Access provisioning — how access is granted, reviewed, and modified. Least privilege principle.
CC6.6: Security boundaries and network controls — firewall rules, VPN requirements, network segmentation.
CC6.7: Transmitting, moving, removing data — controls over data in transit and physical media.
CC6.8: Preventing unauthorized software — code signing, application whitelisting, endpoint protection.

For a cloud-native company: AWS IAM policies with least privilege, MFA enforced via SSO, quarterly access reviews, offboarding checklists with evidence of execution, VPC security groups reviewed, and an endpoint management tool (Jamf, Kandji, or similar).

CC7: System Operations

Ongoing operations and monitoring:

Detecting and monitoring configuration changes that introduce vulnerabilities
Detecting and monitoring security events
Responding to identified security incidents
Recovering from incidents

Auditors review SIEM configurations, vulnerability scan frequencies and results, patch management SLAs, and incident records.

CC8: Change Management

Changes to infrastructure and software must be controlled:

Identifying and evaluating changes for security impact
Approving and tracking changes through a formal process
Testing changes in non-production environments before deployment
Post-deployment review

Most teams satisfy this with a ticketing system (GitHub PRs, Jira) that enforces review and approval, and environment separation (dev/staging/prod).

CC9: Risk Mitigation

Addressing risks related to business disruption and vendor relationships:

Business continuity and disaster recovery planning
Vendor due diligence and ongoing monitoring

Auditors look for a business continuity plan, evidence of BCP testing (tabletop exercises or full failover tests), and a vendor inventory with evidence that critical vendors have been assessed.

Availability: Uptime and Resilience

The Availability criteria apply when you make explicit commitments to customers about system uptime or performance. They cover:

A1.1: Identifying and addressing availability requirements — defined SLAs, capacity planning, performance monitoring
A1.2: Environmental protections — power, HVAC, fire suppression (typically satisfied by cloud providers' certifications)
A1.3: Recovery processes — backup procedures, tested recovery capabilities

For a cloud SaaS: SLA commitments documented in your service agreement, uptime monitoring with alerting (PagerDuty, OpsGenie), infrastructure in multiple availability zones, automated backups with tested restoration, and a documented RTO/RPO.

An Availability opinion adds credibility when your customers' operations depend on your service being up. Downtime that violates your SLA without an Availability criterion in your SOC 2 creates only contractual liability. With the criterion in scope, auditors validate that your controls are actually designed to meet the commitments.

Processing Integrity: Accuracy and Completeness

Processing Integrity applies to services where customers rely on your system to process data accurately and completely — payment processors, payroll systems, data pipelines, or any system where incorrect processing has direct consequences.

The criteria (PI1 series) address:

Inputs are complete, accurate, and authorized before processing
Processing is complete, accurate, timely, and authorized
Outputs are complete, accurate, and distributed to the appropriate parties
Errors and exceptions are identified and resolved

Most general-purpose SaaS companies exclude Processing Integrity unless they have explicit contractual commitments around processing accuracy.

Confidentiality: Protecting Committed-Confidential Information

Confidentiality applies to information that the organization has committed to protect as confidential — typically information marked confidential in a customer contract or data classified as confidential under your data classification policy.

The C criteria address:

C1.1: Identifying and maintaining confidential information — a data classification process and inventory of confidential data
C1.2: Disposing of confidential information — secure deletion procedures, retention schedules

Note that Confidentiality in the TSC is narrower than most people assume. It covers information you have explicitly designated as confidential, not all sensitive data. Privacy (the P series) covers personal information about individuals; Confidentiality covers information about organizations and other confidential business data.

Privacy: Personal Information Lifecycle

The Privacy criteria are the most extensive of the optional categories, covering the full lifecycle of personal information:

P1: Notice — informing data subjects about your data practices
P2: Choice and consent — honoring preferences for collection and use
P3: Collection — collecting only what is necessary and authorized
P4: Use, retention, and disposal — using data only as stated, retaining it only as needed
P5: Access — allowing data subjects to access and correct their information
P6: Disclosure to third parties — restrictions on sharing personal information
P7: Security for privacy — technical controls protecting personal information
P8: Quality — maintaining accurate and complete personal information
P9: Monitoring and enforcement — privacy governance, complaints handling

A Privacy opinion in a SOC 2 is demanding. The AICPA's privacy criteria align closely with GDPR and CCPA principles, but the evidence requirements are rigorous. Most organizations pursuing Privacy include it when they are subject to significant privacy regulation and want a single audit to satisfy multiple compliance programs.

Selecting the Right Criteria

The most common combination for a first SOC 2 audit is Security only or Security + Availability. Adding criteria increases audit scope, time, and cost. The right selection depends on:

What commitments you make in your customer contracts
What your prospects ask for specifically
Whether you process personal data subject to privacy regulation
Whether processing accuracy is a material part of your value proposition

Review your sales pipeline and typical security questionnaire responses to understand which criteria your customers actually care about before expanding scope.