What are the Trust Services Criteria (TSC)?
The Trust Services Criteria (TSC) are the AICPA control criteria a SOC 2 examination measures a service organization against. They span five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Only Security (the Common Criteria) is mandatory; the other four are included based on audit scope. They define objectives, not a fixed control list.
The Trust Services Criteria matter because they are the yardstick every SOC 2 report is measured against. Unlike ISO/IEC 27001:2022, which gives you 93 fixed Annex A reference controls, the TSC describe outcomes you must achieve and leave the specific controls to you. The Security category (the Common Criteria, CC1–CC9) is required in every SOC 2; you add Availability, Confidentiality, Processing Integrity, or Privacy only when they are relevant to the service and your customers' expectations.
For example, a SaaS company that promises uptime in its contracts will usually include Availability, while one handling sensitive client records may add Confidentiality. Each criterion has "points of focus" the auditor uses to assess whether your controls meet the objective. Because there is no prescribed control list, two SOC 2 reports for similar companies can describe very different controls and still both be valid.
A documented set of policies mapped to the TSC categories is what an auditor and prospective customers ask for first, so a control-mapping workbook removes weeks of drafting and gap-hunting. Templates accelerate that readiness work, but they do not by themselves make you SOC 2 compliant — the report comes only from a licensed CPA firm after it examines the controls you actually operate.
Related terms: SOC 2 Type I vs Type II · Service Organization · Security Control · Certification vs Attestation
Frequently asked questions
- How many Trust Services Criteria categories are there, and which are required?
- There are five: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Only Security (the Common Criteria) is mandatory in every SOC 2; the other four are optional and chosen based on your service and audit scope.
- Are the Trust Services Criteria a list of controls I have to implement?
- No. The TSC define objectives and "points of focus," not specific controls. You design your own controls to meet each criterion, which is why SOC 2 control sets vary widely between organizations.
- Who owns and maintains the Trust Services Criteria?
- The American Institute of Certified Public Accountants (AICPA) defines and updates the Trust Services Criteria. SOC 2 examinations are performed against them under the SSAE 18 attestation standard by licensed CPA firms.
Toolkits that cover Trust Services Criteria (TSC)
SOC 2 Policy Pack — Core
15 editable SOC 2 policies mapped to the Trust Services Criteria — the document set your auditor asks for first.
SOC 2 Complete Toolkit
22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.
Startup Trust Pack — SOC 2 + AI Governance
25 editable documents bundling the SOC 2 Core policy set with the full AI Governance pack — answer enterprise security questionnaires AND the new AI-policy questions in one purchase.
Learn more in our SOC 2 guide, explore the editable policy templates, or browse the full compliance glossary.
