SOC 2 is built on the Trust Services Criteria (TSC) — a framework developed by the AICPA that defines the control requirements that your SOC 2 audit will assess against. There are five sets of Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Understanding which criteria apply to your service and your client base is one of the first and most consequential scoping decisions in your SOC 2 programme.
Security (Common Criteria): The Mandatory Foundation
The Security criteria — also called the Common Criteria (CC) — are mandatory for every SOC 2 report. Every SOC 2 engagement, regardless of which additional criteria are in scope, assesses the Security criteria. They cover the controls that protect your systems against unauthorised access, use, disclosure, modification, or destruction — including logical and physical access controls, change management, risk management, incident response, and monitoring.
The Security criteria alone represent a comprehensive and demanding control set. A SOC 2 report covering Security only (often described as a SOC 2 Security report) provides strong assurance about your information security programme. For many service providers, Security alone is sufficient for their client requirements.
Availability: For Uptime-Critical Services
The Availability criteria cover the availability of systems for operation and use as committed or agreed. They address monitoring of system performance, disaster recovery and business continuity, capacity management, and the processes that ensure systems remain available at contracted levels.
Availability criteria are most relevant for service providers where system uptime is critical to their clients’ operations — cloud infrastructure providers, payment processors, healthcare IT systems, and other services where unavailability has direct operational consequences for clients. If your SLA commitments are material to your client relationships, Availability criteria should be in scope.
Processing Integrity: For Transaction Accuracy
Processing Integrity criteria address whether system processing is complete, valid, accurate, timely, and authorised. They are relevant for services that process transactions on behalf of clients — financial processing, order management, data processing pipelines where the accuracy and completeness of processing is a material client concern.
Processing Integrity is less commonly included than Security and Availability, but is specifically required or expected in financial services and e-commerce contexts where clients need assurance that their transaction data is being processed correctly.
Confidentiality: For Data Protection Commitments
The Confidentiality criteria cover the protection of information designated as confidential — whether through contractual commitments, regulatory requirements, or the nature of the information itself. They address how confidential information is identified, how it is protected during processing and storage, and how it is disposed of when no longer needed.
Confidentiality criteria are relevant for service providers that handle data their clients have designated as confidential — particularly those with specific contractual confidentiality obligations or those serving sectors where data confidentiality is a primary concern.
Privacy: For Personal Data Processing
The Privacy criteria address the collection, use, retention, disclosure, and disposal of personal information in conformity with AICPA’s Generally Accepted Privacy Principles. They are relevant for service providers that collect, process, or store significant quantities of personal information on behalf of clients.
The Privacy criteria in SOC 2 overlap significantly with GDPR requirements for organisations processing EU personal data. For organisations that handle personal data and face both SOC 2 and GDPR obligations, the Privacy criteria can be addressed as part of a combined programme rather than as two separate exercises.
At Bitsecura, we help organisations determine the right Trust Services Criteria scope for their service, client base, and regulatory context — ensuring the SOC 2 programme addresses what clients actually need to see without unnecessarily expanding the audit scope and cost. Talk to us here to scope your SOC 2 programme correctly from the start.
Bitsecura provides SOC 2 readiness and compliance support services. Learn more about our SOC 2 services.