The Trust Services Criteria are the control criteria the AICPA sets, and the yardstick every SOC 2 report is measured against. There are five categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security, the common criteria, sits in every SOC 2. The other four are included only where you make commitments in those areas.
There is no master list of SOC 2 controls to work through. Teams new to it go looking for the checklist. It does not exist. A SOC 2 report is measured against the Trust Services Criteria, a set of outcomes the AICPA defines, and you choose which categories apply from the commitments you have actually made to customers. Add all five because more looks safer, and you have widened the audit to cover promises you never made.
What are the Trust Services Criteria?
They are the AICPA’s control criteria for a SOC 2 examination, published as the 2017 Trust Services Criteria with Revised Points of Focus, 2022, in TSP section 100. A licensed CPA firm tests your controls against them and writes an opinion. The 2022 revision updated the points of focus, the explanatory considerations that sit under each criterion, not the criteria themselves, so a report prepared today is still measured against the 2017 criteria. The criteria are organised into five categories. One is mandatory. The rest depend on what your service does and what you have told customers it protects. For the wider picture of how a report is built, see the SOC 2 guide and what a SOC 2 report is.
What does each of the five categories cover?
Each category groups criteria around a different promise a service makes about the data it handles.
| Category | What it covers | In every SOC 2? |
|---|---|---|
| Security | Protection of systems and information against unauthorised access, unauthorised disclosure and damage; the common criteria (the CC series, CC1 to CC9) | Yes, mandatory |
| Availability | The system is available for operation and use as committed | Only if committed |
| Processing Integrity | Processing is complete, valid, accurate, timely and authorised | Only if committed |
| Confidentiality | Information designated confidential is protected as committed | Only if committed |
| Privacy | Personal information is collected, used, retained, disclosed and disposed of as committed | Only if committed |
Security is the floor. Read the other four as questions about what you promise: an uptime commitment pulls in Availability, a contractual confidentiality clause pulls in Confidentiality, handling personal information under a privacy notice pulls in Privacy.
Which categories do you actually need?
Security always. It is the common criteria, the CC series, and no SOC 2 is issued without it. The other four are scoped in only where your service organisation makes commitments in that area. An infrastructure platform with an uptime SLA usually adds Availability. A payroll or payments processor adds Processing Integrity, because customers rely on the numbers being right. A company that handles personal information and says so in a privacy notice adds Privacy. The mistake is treating the categories as a maturity score and adding all five. Each one you add widens the scope, the evidence and the cost, for a promise you may never have made. Scope to your commitments, not to the longest list. The SOC 2 readiness checklist works through this scoping decision before any auditor is engaged.
What are points of focus, and are they mandatory?
They are not requirements. Under each criterion the AICPA lists points of focus, considerations that illustrate how a criterion might be met. They exist to help you and the auditor reason about whether a control meets the criterion, and the standard is explicit that not all of them apply to every entity. You are assessed against the criteria, not against a tally of points of focus. The 2022 revision changed these considerations to reflect current practice, which is why you see the criteria cited as 2017 with revised points of focus, 2022. Treat them as a thinking aid, not a checklist to tick.
How do the criteria become a SOC 2 report?
A licensed CPA firm runs an examination under the AICPA attestation standards, SSAE No. 18, engagement type AT-C section 205, and issues a report with an opinion. There is no certificate and no pass mark. A Type I report says your controls were suitably designed at a point in time. A Type II says they operated effectively over a period, commonly three to twelve months, which is the one most customers ask for. The report is restricted use, shared with you and specified parties such as customers and their auditors. The public, general use version is SOC 3. The split between the two report types is set out in SOC 2 Type I vs Type II.
How do the Trust Services Criteria map to ISO 27001?
Closely enough that the work carries across, not so closely that one replaces the other. ISO 27001 certifies a management system against a fixed standard on a three year cycle. SOC 2 reports against your own control commitments, measured by the Trust Services Criteria, usually renewed each year. The AICPA publishes an official mapping of the 2017 Trust Services Criteria to ISO/IEC 27001, which is why a company holding ISO 27001 can reuse much of its control evidence for SOC 2. Neither substitutes for the other. A United States customer asks for SOC 2; a European, Asian or Australian tender more often asks for ISO 27001. If you are weighing the two, ISO 27001 vs SOC 2 sets them side by side.
Is Security mandatory in every SOC 2?
Yes. Security, the common criteria or CC series, is in every SOC 2. Availability, Processing Integrity, Confidentiality and Privacy are added only where your organisation makes commitments in those areas.
How many Trust Services Criteria categories are there?
Five: Security, Availability, Processing Integrity, Confidentiality and Privacy. Most reports cover Security alone, or Security plus one or two others that match the service’s commitments.
Are points of focus mandatory?
No. Points of focus are considerations that illustrate how a criterion might be met. The AICPA states not all apply to every entity. You are assessed against the criteria, not the points of focus.
Does the Privacy category mean you comply with privacy law?
No. The Privacy category tests whether you handle personal information in line with your own commitments. It does not certify compliance with the Australian Privacy Principles, the GDPR or any specific law.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- AICPA, 2017 Trust Services Criteria (with Revised Points of Focus, 2022), 2022
- AICPA, SOC 2 reporting guidance, accessed June 2026
- AICPA, Mapping of the 2017 Trust Services Criteria to ISO/IEC 27001, accessed June 2026
Last updated: 21 June, 2026
