SOC 2 is often discussed as a single compliance requirement. In practice, it is built around five core principles known as the Trust Service Criteria (TSC). These criteria define how organisations protect customer data, maintain system reliability, and manage information securely.
Understanding the five Trust Service Criteria and knowing which ones apply to your business can make SOC 2 far more practical and less overwhelming.
What Are the SOC 2 Trust Service Criteria?
The Trust Service Criteria form the structure of a SOC 2 report. They are used to assess how effectively an organisation designs and operates controls related to the five criteria described below: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Not every organisation is required to include all five criteria in its SOC 2 report.
The Five Trust Service Criteria Explained
1. Security (Required)
Security is the foundation of SOC 2 and is included in every SOC 2 report.
It focuses on protecting systems from unauthorised access, cyber threats, and data breaches. This includes access controls, monitoring, secure system configuration, and incident response processes.
If your organisation handles customer data or operates online systems, Security is essential.
2. Availability
Availability assesses whether systems remain accessible and operational when users need them.
This includes uptime commitments, backup procedures, disaster recovery planning, and how service disruptions are managed. Availability is particularly relevant for SaaS providers, cloud services, and businesses with service level agreements.
3. Processing Integrity
Processing Integrity ensures systems operate as intended, with data processed accurately, completely, and on time.
This criterion is important when customers rely on system outputs for billing, reporting, or operational decision-making.
4. Confidentiality
Confidentiality applies to sensitive business information that is neither public nor personal data (personal data is covered separately under Privacy).
Examples include contracts, intellectual property, pricing information, and internal documentation. Controls focus on limiting access to authorised users and protecting information throughout its lifecycle.
5. Privacy
Privacy focuses on personal data and how it is collected, used, stored, retained, and disposed of.
This criterion aligns closely with privacy regulations and is relevant for organisations handling personal information such as customer details, employee records, or user identifiers.
Which SOC 2 Trust Service Criteria Should You Choose?
Every SOC 2 report includes Security. The remaining Trust Service Criteria depend on your services, data types, and customer expectations.
Common combinations include:
- Security only: often suitable for early-stage companies or internal platforms
- Security and Availability: typical for SaaS providers and cloud-based services
- Security and Processing Integrity: useful for platforms handling financial or operational data
- Security and Confidentiality: relevant when managing sensitive commercial information
- Security and Privacy: important for organisations processing personal data at scale
Choosing the right combination ensures your SOC 2 report is proportionate, relevant, and aligned with how your business operates.
SOC 2 is not about ticking every possible box.
It is about demonstrating that the right security and data protection controls are in place for your specific services and risks. By understanding the Trust Service Criteria, organisations can focus on what matters most: building trust through effective, well-managed security practices.