
The 5 SOC 2 Trust Services Criteria Explained

The five SOC 2 trust services criteria are the categories your auditor assesses: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is mandatory and forms the common criteria every SOC 2 report includes; the other four are optional and chosen based on the promises you make to customers. Scoping the right SOC 2 trust services criteria keeps your audit focused and your costs sensible.


1. Security (the common criteria)

Always required. Security (often called the “common criteria”) is the foundation of every SOC 2 report. It addresses protecting systems and data against unauthorized access, and spans areas such as access controls, firewalls, monitoring, and incident response. If you do nothing else, you do Security.

2. Availability

Is the system available for operation and use as committed or agreed? This criterion covers uptime, performance monitoring, disaster recovery, and business continuity. It matters most when you make availability commitments (SLAs) to customers.

3. Processing Integrity

Does the system process data completely, accurately, in a timely manner, and with proper authorization? Relevant when the correctness of processing matters — think transaction processing, billing, or data pipelines.

4. Confidentiality

Is information designated as confidential protected as committed? This covers data classification, encryption, and controlled access — important when you handle sensitive business information like contracts or IP.

5. Privacy

Is personal information collected, used, retained, disclosed, and disposed of in line with your privacy notice and criteria? This applies specifically to personal data and aligns with privacy principles.


How to choose your SOC 2 trust services criteria

Security is mandatory; the other four are optional. You include a criterion only if it’s relevant to the commitments you make to customers:

  • Offer an uptime SLA? Consider Availability.
  • Process financial or critical transactions? Consider Processing Integrity.
  • Handle sensitive client information? Consider Confidentiality.
  • Process personal data? Consider Privacy.

Adding criteria increases scope and effort, so choose deliberately — align scope with what your customers actually care about. This choice shapes your report just as much as the Type I vs Type II decision.

Getting your SOC 2 trust services criteria scope right

Most companies start with Security alone and add categories only when a customer commitment demands it. Add Availability if you offer an uptime SLA, Processing Integrity if accuracy is contractual, Confidentiality if you handle sensitive non-personal data under NDA, and Privacy if you collect personal information and make privacy promises. Each extra category adds controls, evidence, and audit effort, so resist the temptation to include everything. The definitions are maintained by the AICPA, and mapping each promise you make to a specific criterion is the cleanest way to justify your scope.

Frequently asked questions

Do I have to include all five criteria?

No — only Security is mandatory. Most companies start with Security and add others as their commitments require.

What’s the difference between Confidentiality and Privacy?

Confidentiality covers any information designated confidential; Privacy applies specifically to personal information about individuals.

New to SOC 2? Start with our complete guide to SOC 2.

Bottom line: treat the SOC 2 trust services criteria as a menu, not a checklist. Start with Security, add only what your customer promises require, and your first audit stays both credible and affordable.

If you are unsure where to begin, default to Security only for your first report; you can always widen the scope at your next audit once you see how the process works in practice.
