The Five Trust Services Criteria (TSC)

Every SOC 2 audit is organized around the Trust Services Criteria — a framework developed by the AICPA that defines the properties a service organization must demonstrate to earn client trust. Understanding the TSC is the starting point for every SOC 2 engagement: they define what the audit will test, what evidence you need to collect, and what the auditor’s opinion will ultimately address.

There are five criteria in total. Only one — Security — is mandatory for every SOC 2 audit. The remaining four are elective, selected by the organization based on the nature of the service commitments made to clients and the specific risks associated with those commitments. Choosing the wrong criteria set can mean an audit that doesn’t satisfy client requirements, or one that is broader than necessary and drives up cost and complexity.


The TSC Selection Framework

The AICPA provides clear guidance on how to select applicable Trust Services Criteria: organizations should include criteria whose achievement is necessary to provide reasonable assurance that the principal service commitments and system requirements are achieved. In practice, this means: what have you promised your clients? What risks, if unmitigated, would prevent you from keeping those promises?

| Criteria | Abbreviation | Core Question | Who Should Include It |
|---|---|---|---|
| Security | CC (Common Criteria) | Are our systems protected against unauthorized access and threats? | Every SOC 2 audit — mandatory |
| Availability | A | Can our clients depend on the system being available when they need it? | SaaS platforms, cloud infrastructure, any service with uptime SLAs |
| Processing Integrity | PI | Are transactions processed completely, accurately, and on time? | Payment processors, data pipelines, transaction systems, financial platforms |
| Confidentiality | C | Is confidential information protected throughout its lifecycle? | Any organization that receives confidential client data, IP, or trade secrets |
| Privacy | P | Is personal information handled in line with our privacy commitments? | Organizations processing significant personal data, those with CCPA/GDPR obligations |


Security — The Common Criteria (CC)

The Security criteria is the foundation of every SOC 2 audit. It is also the most expansive — organized into nine Common Criteria clusters (CC1 through CC9) that together cover the full breadth of an organization’s security control environment. When clients say “we need your SOC 2 report,” they are primarily interested in what the Security criteria revealed about your controls.

The Common Criteria map directly to the COSO 2013 internal control framework and draw additional implementation guidance from COBIT. This alignment with financial reporting frameworks is intentional: SOC 2 was designed by accountants who needed a way to audit technology controls using the same rigor applied to financial controls. The nine CC clusters are: Control Environment (CC1), Communication and Information (CC2), Risk Assessment (CC3), Monitoring Activities (CC4), Control Activities (CC5), Logical and Physical Access (CC6), System Operations (CC7), Change Management (CC8), and Risk Mitigation (CC9).

KEY IDEA: CC6 — Logical and Physical Access — consistently receives the most auditor scrutiny. It covers MFA, access provisioning and deprovisioning, access reviews, privileged access management, and physical security. Access control failures are the leading cause of exceptions in SOC 2 Type II reports.


Availability — The A Criteria

The Availability criteria addresses whether the system is available for operation and use as committed or agreed. For SaaS companies, this typically means uptime commitments in Service Level Agreements — 99.9%, 99.95%, or higher. The A criteria requires organizations to demonstrate that they monitor availability, detect availability incidents, respond to them systematically, and have the recovery capability to restore service within committed timeframes.

The evidence trail for Availability runs through monitoring dashboards, incident registers, post-incident review records, backup test results, and disaster recovery plan documentation. Organizations that promise high availability but have not formalized their monitoring and incident response processes discover during readiness assessments that their operational practices are sound but their evidence is thin.

BITLION INSIGHT: Availability is the second most common TSC selected after Security, and for good reason — virtually every SaaS client cares about uptime. The A criteria adds relatively modest additional audit scope if you already have uptime monitoring and basic incident management. The evidence gap is usually documentation, not practice.


Processing Integrity — The PI Criteria

Processing Integrity covers the accuracy, completeness, validity, timeliness, and authorization of system processing. It is the criteria most specific to transaction-based systems — payment platforms, data transformation pipelines, financial calculation engines, and logistics systems where the correctness of individual processing events matters to clients.

The PI criteria is often misunderstood as covering “data quality” broadly. In SOC 2 terms, it is specifically about the integrity of processing: did the system process each transaction completely and correctly, were errors detected and handled, and were outputs validated before delivery? Organizations that operate data pipelines, run batch processing, or provide calculation-as-a-service to clients should consider PI seriously.


Confidentiality — The C Criteria

The Confidentiality criteria covers information that organizations explicitly identify and commit to protect from unauthorized disclosure — client intellectual property, trade secrets, commercially sensitive data, and contractually designated confidential information. Unlike the Privacy criteria (which is about personal data), Confidentiality in SOC 2 terms is about any information designated as confidential under the terms of the client relationship.

For technology service providers who handle client data under NDA or contractual confidentiality obligations — which is virtually every B2B SaaS company — the Confidentiality criteria adds meaningful assurance. Evidence includes data classification policies, encryption standards, access controls on confidential data, and secure disposal procedures. Most organizations that add C to their scope find that 70–80% of the required evidence already exists for the Security criteria.


Privacy — The P Criteria

The Privacy criteria is the most complex and jurisdiction-sensitive of the five TSC. It covers personal information from collection through disposal, mapping closely to international privacy frameworks including GDPR, CCPA, and Indonesia’s UU PDP. The P criteria includes requirements for notice and consent, collection limitation, use and retention, access and correction, disclosure to third parties, security for privacy, and monitoring and enforcement.

IMPORTANT: The Privacy TSC adds significant audit scope and requires dedicated privacy documentation: a privacy notice, a personal data inventory, data subject rights procedures, and evidence of consent management. Organizations processing large volumes of personal data should model Privacy TSC requirements against their existing GDPR or UU PDP compliance work — there is substantial overlap.


Building Your Criteria Selection

The right TSC combination depends on the nature of your service, your client base, and the commitments you have made. For most SaaS and technology service providers starting their SOC 2 journey, Security + Availability is the pragmatic starting point. This combination satisfies the vast majority of enterprise security questionnaire requirements and can be extended in subsequent audit cycles.

| Organization Type | Recommended Starting Criteria | Rationale |
|---|---|---|
| SaaS platform (B2B) | Security + Availability | Addresses uptime commitments and data security — the two questions enterprise buyers ask first |
| Data analytics / BPO | Security + Confidentiality | Confidential client data is the core risk; C criteria directly addresses contractual NDA obligations |
| Payment or fintech platform | Security + Availability + Processing Integrity | Transaction accuracy is central to the service value proposition and client trust |
| HR tech / healthtech (personal data) | Security + Availability + Privacy | P criteria addresses the personal data processing at the heart of the service |
| Full enterprise SaaS (mature) | All five criteria | Comprehensive coverage for enterprise clients with broad due diligence programs |