What Are the Five AICPA Trust Services Criteria for SOC 2 Compliance?

    Understanding the Five AICPA Trust Services Criteria for SOC 2 Compliance

    For companies providing digital services, proving that you can keep customer data secure is essential. One of the most widely recognized ways to demonstrate that commitment is through a SOC 2 audit, which assesses how well an organization protects information using the AICPA Trust Services Criteria.

    The Five Trust Services Criteria

    Security: mandatory for all audits

    Availability: system reliability

    Processing Integrity: accurate processing

    Confidentiality: protect sensitive data

    Privacy: personal information

    These five criteria are: Security, Availability, Processing Integrity, Confidentiality, and Privacy, which form the foundation of the SOC 2 framework developed by the American Institute of Certified Public Accountants (AICPA). Together, they define what "trust" means in the context of modern information systems and guide how companies should manage and protect data.

    In this article, we'll explain what each criterion means, what it covers, and how companies can prepare to meet them during a SOC 2 audit.

    The Foundation of SOC 2: The Trust Services Criteria

    The Trust Services Criteria (TSC) serve as the benchmark for evaluating a company's internal controls around information security and data handling. (The 2017 TSC formally calls the five headings "trust services categories" and reserves "criteria" for the numbered control criteria within them, such as the CC6 logical and physical access criteria; this article follows the common shorthand of calling the five headings criteria.) They address everything from how your organization restricts system access to how you manage incidents, back up data, and protect customer information.

    Among these five, Security is mandatory for every SOC 2 report. Its control criteria are the Common Criteria (the CC series), which also apply whenever any of the other four categories is in scope; Availability, Processing Integrity, Confidentiality, and Privacy each add supplemental criteria on top of the Common Criteria and are included only when they are relevant to the services your company provides. Most businesses start with Security and later expand their SOC 2 scope as their operations grow.

    1. Security: The Core of Every SOC 2 Audit

    The Security criterion focuses on protecting systems and information from unauthorized access, misuse, or disruption. It ensures that your organization has the right preventive, detective, and corrective controls in place to keep customer data safe.

    What It Covers:

    Security is broad, encompassing physical safeguards, access management, network protection, and incident response. Typical controls include:

    Multi-factor authentication and password management

    Role-based access controls

    Firewalls and intrusion detection systems

    Security awareness training

    Logging and monitoring of system activity

    Formal incident response procedures

    To satisfy the Security criterion, companies should:

    Define clear access policies: Limit system access based on job responsibilities and use least-privilege principles.

    Implement technical safeguards: Use encryption, MFA, and network segmentation to reduce attack surfaces.

    Monitor continuously: Keep detailed logs, review them regularly, and investigate anomalies.

    Educate your team: Ensure that employees understand their role in preventing breaches.

    Security is the only Trust Services Criterion required for all SOC 2 audits, but it also underpins the other four.
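    The access-policy and monitoring steps above are what an auditor tests through a periodic user-access review: take the list of people and their roles from HR or the identity provider, take the permissions the application actually grants, and reconcile the two against a least-privilege role policy. The script below is an added example written for this article; it is not code from the AICPA or from any compliance vendor, and the role policy, directory export and grants it uses are constructed sample data.

```python
"""Quarterly user-access review: reconcile live grants against a role policy.

Added example for this article; the role policy, directory entries and
grants are constructed sample data, not output from any real IdP or
permission store.  A real review would pull the same three inputs from
the HR system, the identity provider and the application, then file the
findings list (and the follow-up re-check) as audit evidence.
"""
from dataclasses import dataclass

# Constructed least-privilege policy: the permissions each job role may hold.
ROLE_POLICY = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
    "finance": {"billing:read", "billing:write"},
}


@dataclass(frozen=True)
class User:
    username: str
    role: str
    active: bool  # False once HR records the person as terminated


# Constructed directory export (what HR / the IdP says about people).
USERS = [
    User("alice", "engineer", True),
    User("bob", "support", True),
    User("carol", "finance", False),  # left the company last month
    User("dave", "engineer", True),
]

# Constructed permission export (what the application actually grants).
GRANTS = {
    "alice": {"repo:read", "repo:write", "ci:run"},
    "bob": {"tickets:read", "tickets:write", "customer:read", "billing:write"},
    "carol": {"billing:read"},
    "dave": {"repo:read"},
    "eve": {"repo:write"},  # no directory entry at all
}


def review_access(users, grants, role_policy):
    """Return findings as (username, finding_type, permissions) tuples.

    Three conditions are flagged, each a standard access-control exception:
      orphan_account              - a grant exists for an unknown identity
      terminated_still_has_access - a leaver whose access was never revoked
      exceeds_role                - permissions beyond the user's role policy
    An empty list means the review found no exceptions.  A role missing from
    the policy is treated as allowing nothing, so the check fails closed.
    """
    directory = {u.username: u for u in users}
    findings = []
    for username in sorted(grants):
        perms = set(grants[username])
        user = directory.get(username)
        if user is None:
            findings.append((username, "orphan_account", sorted(perms)))
            continue
        if not user.active:
            findings.append((username, "terminated_still_has_access", sorted(perms)))
            continue
        excess = perms - role_policy.get(user.role, set())
        if excess:
            findings.append((username, "exceeds_role", sorted(excess)))
    return findings


def revocation_plan(findings):
    """Map each flagged user to the exact grants to remove, so the remediation
    ticket and the post-remediation re-run of review_access are mechanical."""
    return {username: perms for username, _kind, perms in findings}


if __name__ == "__main__":
    for finding in review_access(USERS, GRANTS, ROLE_POLICY):
        print(*finding)
```

    Running the review on the sample data flags bob's extra billing permission, carol's un-revoked access after termination, and the orphaned eve account; alice and dave hold only what their role allows. Keeping the finding types fixed and machine-readable is what makes the same script usable as both the control and the evidence that the control operated.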

    2. Availability: Keeping Systems Reliable and Accessible

    The Availability criterion evaluates whether systems are available and functioning as promised to clients. It is not about uptime targets alone - it also examines how well an organization prepares for and recovers from disruptions.

    What It Covers:

    Availability focuses on infrastructure reliability and continuity planning. Relevant controls may include:

    System monitoring and performance management

    Data backups and redundancy mechanisms

    Disaster recovery and business continuity plans

    Incident communication and escalation processes

    Companies can strengthen their availability controls by:

    Developing a tested disaster recovery plan: Define recovery objectives and ensure backups are tested regularly.

    Building redundancy into infrastructure: Use multiple servers, power sources, and data centers to reduce downtime.

    Tracking uptime metrics: Document system performance and identify recurring issues.

    Documenting service commitments: Clearly state what availability levels clients can expect (for example, 99.9% uptime).

    If your business provides cloud hosting, SaaS applications, or any platform where downtime directly affects clients, the Availability criterion should be part of your SOC 2 scope.

    3. Processing Integrity: Ensuring Systems Work as Intended

    Processing Integrity assesses whether systems process data accurately, completely, and on time, according to their intended purpose. It ensures that outputs are reliable and that transactions follow proper logic and sequencing.

    What It Covers:

    This criterion doesn't focus on whether the data itself is correct, but whether the system processes it correctly. For example:

    Orders on an e-commerce site should complete successfully without duplication or loss.

    A financial platform should post transactions in the correct sequence.

    Automated processes should flag errors and prevent incomplete or duplicate entries.

    To meet Processing Integrity requirements:

    Define process objectives and validation steps: Document how inputs are received, processed, and output.

    Use quality assurance checks: Implement automated and manual reviews to catch data or logic errors.

    Log exceptions and errors: Track failures and document how they are resolved.

    Restrict access to system configuration: Ensure that only authorized personnel can change processing logic.
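    The order-processing examples above come down to three mechanical controls: validate inputs, refuse to post the same order twice, and detect gaps in sequence, with every rejection written to an exception log so a reconciliation can prove nothing was silently lost. The following is an added example written for this article to show those controls together; the OrderProcessor class, its validation rules and the sample batch are constructed for illustration and are not taken from any real system or from the AICPA criteria text.

```python
"""Processing-integrity controls for an order intake pipeline.

Added example for this article; OrderProcessor, its validation rules and
SAMPLE_BATCH are constructed for illustration, not taken from any real
system.  Three controls are shown: inputs are validated, duplicate and
out-of-sequence submissions are caught instead of posted, and every
rejected record leaves an exception entry so reconcile() can demonstrate
completeness of the run.
"""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("orders")


@dataclass(frozen=True)
class Order:
    order_id: str      # client-supplied idempotency key
    sequence: int      # per-customer sequence number, must increase by exactly 1
    customer: str
    amount_cents: int


@dataclass
class OrderProcessor:
    posted: dict = field(default_factory=dict)      # order_id -> Order
    exceptions: list = field(default_factory=list)  # (order_id, reason), in arrival order
    last_seq: dict = field(default_factory=dict)    # customer -> last posted sequence

    def _flag(self, order, reason):
        """Record an exception; nothing is dropped without a trace."""
        self.exceptions.append((order.order_id, reason))
        log.warning("order %s not posted: %s", order.order_id, reason)

    def process(self, order):
        """Return 'posted', 'duplicate' or 'rejected' for one submission."""
        # 1. Input validation (accuracy): bad data never reaches the ledger.
        if not order.order_id:
            self._flag(order, "missing order_id")
            return "rejected"
        if not order.customer:
            self._flag(order, "missing customer")
            return "rejected"
        if order.amount_cents <= 0:
            self._flag(order, "non-positive amount")
            return "rejected"
        # 2. Idempotency (no duplication): a retried submission must not post twice.
        if order.order_id in self.posted:
            self._flag(order, "duplicate submission")
            return "duplicate"
        # 3. Sequencing (completeness): a gap means an earlier order is missing.
        expected = self.last_seq.get(order.customer, 0) + 1
        if order.sequence != expected:
            self._flag(order, f"out of sequence: got {order.sequence}, expected {expected}")
            return "rejected"
        self.posted[order.order_id] = order
        self.last_seq[order.customer] = order.sequence
        return "posted"

    def reconcile(self, submitted):
        """Completeness check for the audit trail: every submitted order must be
        either posted or present in the exception log.  Returns the ids that
        are neither; a correct run always returns an empty list."""
        accounted = set(self.posted) | {oid for oid, _ in self.exceptions}
        return [o.order_id for o in submitted if o.order_id not in accounted]


# Constructed sample batch exercising each control.
SAMPLE_BATCH = [
    Order("o-1", 1, "acme", 1000),
    Order("o-2", 2, "acme", 2500),
    Order("o-2", 2, "acme", 2500),   # client retried after a timeout
    Order("o-4", 4, "acme", 500),    # sequence 3 never arrived
    Order("o-5", 1, "globex", -5),   # bad amount
]


def run_sample():
    """Process SAMPLE_BATCH and return (processor, per-order results)."""
    proc = OrderProcessor()
    results = [proc.process(o) for o in SAMPLE_BATCH]
    return proc, results


if __name__ == "__main__":
    proc, results = run_sample()
    print(results)
    print(proc.exceptions)
    print("unaccounted:", proc.reconcile(SAMPLE_BATCH))
```

    On the sample batch the retried o-2 is reported as a duplicate rather than posted a second time, o-4 is held back because sequence 3 is missing, and o-5 fails validation; reconcile() returns an empty list because each of those outcomes is recorded. The exception log, not just the success count, is the artifact an auditor will ask for when testing this criterion.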

    Companies involved in financial reporting, e-commerce, or data processing should include this criterion, as accuracy and reliability are critical to customer trust.

    4. Confidentiality: Protecting Sensitive Information

    The Confidentiality criterion examines how an organization protects information designated as confidential - such as business plans, source code, pricing data, or legal documents - from unauthorized disclosure.

    What It Covers:

    Confidentiality controls govern how data is stored, accessed, transmitted, and eventually destroyed. Typical examples include:

    Data classification and labeling policies

    Encryption for data in transit and at rest

    Secure file transfer protocols

    Access logs and user permissions

    Data retention and disposal policies

    To comply with this criterion:

    Identify what data is confidential: Create a data classification scheme that distinguishes public, internal, confidential, and restricted data.

    Limit access and enforce least privilege: Only employees who need to use sensitive data should have access.

    Encrypt and monitor: Protect files during transfer and storage, and monitor access attempts.

    Establish retention schedules: Define how long confidential data is kept and ensure secure deletion when no longer needed.

    If your organization handles sensitive client information, proprietary research, or intellectual property, adding the Confidentiality criterion to your SOC 2 scope demonstrates a commitment to safeguarding those assets.

    5. Privacy: Safeguarding Personal Information

    The Privacy criterion focuses on how an organization collects, uses, retains, discloses, and disposes of personal information in line with its own privacy notice and commitments. It overlaps with laws such as the GDPR and CCPA, but a SOC 2 report attests to the entity's privacy commitments and the controls behind them, not to legal compliance with those statutes.

    What It Covers:

    Privacy applies to any data that identifies or could identify an individual - names, addresses, emails, health data, and similar details. Controls typically address:

    Consent and data collection policies

    Secure storage and encryption of personal information

    Procedures for responding to data subject requests (access, correction, deletion)

    Breach notification processes

    Compliance with applicable privacy laws and internal policies

    To meet Privacy requirements, companies should:

    Define a clear privacy policy: Explain how personal data is collected, used, and retained.

    Limit collection to necessity: Gather only data essential for service delivery.

    Establish consent mechanisms: Allow individuals to opt in or out where required.

    Protect data end-to-end: Apply encryption, pseudonymization, and secure disposal methods.

    Train employees: Make privacy awareness part of onboarding and annual training.

    If your company processes personal or sensitive data, such as customer contact details, healthcare information, or payment data, the Privacy criterion will be highly relevant to your SOC 2 audit.

    How to Decide Which Criteria to Include

    While Security is mandatory for every SOC 2 audit, the other criteria depend on the nature of your services and your customers' expectations. For example:

    A cloud storage provider may add Availability and Confidentiality.

    An HR software company might include Privacy and Processing Integrity.

    A fintech platform often requires all five to assure investors and partners.

    Start by identifying which criteria align most closely with your risk profile and customer commitments. You can expand your audit scope over time as your controls mature.


    Building Toward SOC 2 Compliance

    Achieving SOC 2 compliance doesn't happen overnight. Preparing for an audit involves several key steps:

    Conduct a readiness assessment: Identify gaps between your current controls and the Trust Services Criteria.

    Define your scope: Choose which criteria apply to your organization and which systems fall under the audit.

    Implement necessary controls: Establish and document policies, procedures, and technologies that address each selected criterion.

    Collect and maintain evidence: Keep logs, reports, and screenshots showing that controls are implemented and operating effectively.

    Engage a licensed auditor: A CPA firm will review your controls and issue a SOC 2 Type I report (the design of controls as of a point in time) or a Type II report (design and operating effectiveness over a review period, commonly six to twelve months).

    To streamline the process, many companies use compliance automation tools that centralize evidence collection, monitor security controls continuously, and simplify auditor collaboration.

    Why the Trust Services Criteria Matter

    Beyond the audit report, the Trust Services Criteria provide a framework for building long-term credibility. Meeting these standards demonstrates that your company doesn't just talk about security but embeds it into daily operations.

    For customers and partners, a SOC 2 report offers reassurance that:

    Data is protected from unauthorized access and misuse.

    Systems are resilient and reliable.

    Transactions are processed accurately.

    Sensitive information is kept confidential.

    Personal data is handled responsibly.

    For your company, the process builds stronger internal discipline, reduces operational risk, and strengthens relationships with clients who increasingly expect third-party assurance before doing business.

    Streamline Your SOC 2 Compliance with Smartly

    Navigating the five Trust Services Criteria can be complex, but it doesn't have to be overwhelming. Smartly's compliance automation platform helps you implement, monitor, and maintain controls across all five criteria with ease.

    With Smartly, you can centralize evidence collection, automate control monitoring, and stay audit-ready year-round, reducing the time and cost of SOC 2 compliance by up to 70%.

    Final Thoughts

    The five AICPA Trust Services Criteria form the backbone of SOC 2 compliance. Each criterion - Security, Availability, Processing Integrity, Confidentiality, and Privacy - represents a different dimension of trust between your organization and its stakeholders.

    While the initial audit may seem daunting, the outcome is a signal of maturity, reliability, and accountability. By aligning your policies, processes, and technology with these criteria, you're building a foundation of trust that supports your business's growth for years to come.

    Ready to Achieve SOC 2 Compliance?

    Start building trust with your customers today. Smartly makes it easy to meet all five Trust Services Criteria with automated controls, expert guidance, and seamless audit preparation.
