Glossary · Frameworks & standards

What is Trust Services Criteria?

Also known as: TSC, AICPA Trust Services Criteria

Trust Services Criteria (TSC) are the five control criteria defined by the AICPA that a SOC 2 examination evaluates: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security — the common criteria — is always included, while the other four are optional categories an organization selects based on its commitments to customers.

Key takeaways

  • Defined by the AICPA and used as the basis of every SOC 2 report.
  • Five criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
  • Security (the common criteria) is mandatory in every SOC 2; the other four are optional.
  • Organizations choose which criteria to include based on customer commitments and relevance.
  • More criteria means broader assurance but a larger audit scope.

What are the five Trust Services Criteria?

The Trust Services Criteria are the evaluation framework behind a SOC 2 report. Each category addresses a different dimension of trust:

  • Security — protection of systems and data against unauthorized access; the common criteria included in every SOC 2.
  • Availability — the system is available for operation and use as committed or agreed.
  • Processing Integrity — system processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality — information designated as confidential is protected as committed.
  • Privacy — personal information is collected, used, retained, disclosed, and disposed of in line with commitments and criteria.

Why is Security always required?

Security is known as the common criteria because its controls underpin all the others; without baseline protection of systems and data, no other assurance is meaningful. Every SOC 2 engagement must therefore include the Security category, which covers areas such as access control, change management, risk mitigation, and monitoring.

The other four categories are optional and selected based on what an organization commits to its customers. A pure infrastructure provider might add Availability, while a service handling sensitive records might add Confidentiality and Privacy.

How do you choose which criteria to include?

Scope selection is driven by relevance and customer expectations. Including a criterion means the auditor will test controls against it and report on their design and, for a Type II report, operating effectiveness over a period.

  • Add Availability if uptime and resilience are core promises to customers.
  • Add Processing Integrity when accurate, complete transaction processing is central (e.g., financial or e-commerce platforms).
  • Add Confidentiality when you handle sensitive non-personal data such as business secrets.
  • Add Privacy when you process personal information and make privacy commitments.

A common pitfall is over-scoping early. Many organizations start with Security alone and expand criteria as customer demands grow, since each added criterion increases audit effort.

Frequently asked questions

Do all SOC 2 reports cover all five criteria?
No. Only Security is mandatory. Organizations choose which of the remaining four — Availability, Processing Integrity, Confidentiality, and Privacy — to include based on their commitments.
Who defines the Trust Services Criteria?
The American Institute of Certified Public Accountants (AICPA) defines and maintains the Trust Services Criteria used in SOC 2 examinations.
What is the common criteria in SOC 2?
The common criteria is the Security category, which is required in every SOC 2 report and forms the foundation that the other criteria build upon.
Does adding more criteria make a SOC 2 stronger?
It broadens the assurance provided but also expands audit scope and effort, so criteria should be chosen for relevance rather than added by default.

Authoritative sources

← Back to the glossary