Trust Services Criteria (TSCs)
Overview of SOC 2 requirements
Everything in SOC 2 ties back to the Trust Services Criteria (TSCs), five categories of criteria defined by the AICPA against which an auditor evaluates your controls.
Here they are:
Security (Mandatory)
The Security TSC is non-negotiable and is also referred to as the Common Criteria. It covers logical and physical access control, threat detection, system monitoring, change management, and the other controls that protect systems against unauthorized access, disclosure, and damage. Every SOC 2 audit includes this.
Availability (Optional)
Availability covers whether your system is operational and accessible as committed in your SLAs and agreements, including capacity planning, backups, and disaster recovery. If your customers expect high uptime, you’ll want to include this.
Processing Integrity (Optional)
The Processing Integrity TSC covers whether your system processes data completely, accurately, on time, and only with proper authorization. It’s essential if your product transforms, calculates, or delivers real-time data, or runs transactions customers rely on being correct.
Confidentiality (Optional)
Confidentiality focuses on protecting information designated as confidential from unauthorized access and disclosure, from the point it is received through its retention and disposal. Think internal IP, financial info, contracts, and sensitive customer business data (personal data is handled under Privacy).
Privacy (Optional)
Privacy is all about personal information: how you give notice, collect it, use it, retain it, disclose it, and dispose of it, in line with your privacy notice. If you handle a lot of personal data, especially in B2C, it’s worth including.
Only Security is mandatory in a SOC 2 audit; the other four are optional. The criteria you choose to include depend on the nature of your business, customer expectations, and regulatory requirements, and you should select them before the audit period begins. Only the selected criteria are assessed during the audit and reported on in the final report.