SOC 2 Trust Services Criteria Explained (the Five Categories)

Every SOC 2 report is measured against the AICPA Trust Services Criteria — five categories, of which only Security is mandatory. Here is what each category covers, why Security maps to the Common Criteria, and how your scoping choices drive audit effort and cost for both Type I and Type II.

What the Trust Services Criteria are, and why they matter

The Trust Services Criteria (TSC) are the standard a SOC 2 examination is measured against. They are published by the AICPA — the American Institute of Certified Public Accountants — and they define the controls a service organization is expected to have in place to protect the systems and data it handles on behalf of its customers. When a licensed CPA firm performs a SOC 2 engagement, the TSC are the yardstick: the auditor forms an opinion on whether your controls meet the criteria you have chosen to be examined against.

The criteria are organized into five Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. These are not five separate report types or five badges you collect. They are a single menu, and your SOC 2 report covers whichever categories are relevant to the service you provide. Choosing those categories — your scope — is one of the first and most consequential decisions in a SOC 2 project, because it determines how many controls you have to design, operate, and evidence.

One category is different from the other four. Security, the first category, is mandatory in every SOC 2 examination. The remaining four are optional and should be added only when they genuinely apply to your service. Get that distinction clear and the rest of SOC 2 scoping becomes much easier to reason about.

Security: the Common Criteria, always required

Security is the foundation of every SOC 2 report, and it is the one category you cannot leave out. In the TSC it is implemented through the Common Criteria, usually written as the CC series — CC1 through CC9. They are called "common" because they apply across all of the categories: any other category you add builds on top of the Common Criteria rather than replacing them. This is why people often use "Security" and "Common Criteria" interchangeably when talking about SOC 2.

The Common Criteria are organized around the COSO internal-control framework and then extended with technology-specific criteria. The early CC sections cover governance-style topics — your control environment, communication, risk assessment, monitoring, and control activities (CC1 to CC5). The later sections cover the operational security controls an auditor expects to see: logical and physical access (CC6), system operations and incident response (CC7), change management (CC8), and risk mitigation including vendor management (CC9). Together they describe a working security program, not just a set of written policies.

Because Security is always in scope, every SOC 2 readiness effort starts here. If you do nothing else, you build and evidence the Common Criteria. A report examined against Security alone is a complete, legitimate SOC 2 report, and for many service organizations it is exactly the right scope to begin with.

The four optional categories: what each one covers

The other four categories are added only when they are relevant to what you do and what you have committed to your customers. Each brings its own criteria and its own controls to design, operate, and evidence.

Availability covers whether the system is available for operation and use as committed — capacity planning, environmental safeguards, backups, and tested recovery procedures. It is a common addition for SaaS platforms and hosting providers that make uptime or service-level commitments. Processing Integrity covers whether system processing is complete, valid, accurate, timely, and authorized. It fits organizations whose value depends on processing data correctly — payment processors, payroll, transaction platforms, analytics pipelines — and notably it concerns the integrity of processing, not the quality of the underlying data itself.

Confidentiality covers information that has been designated as confidential — how it is identified, protected throughout its required retention period, and securely destroyed at end of life. It applies when you handle sensitive business information such as customer datasets, contracts, or intellectual property under confidentiality obligations. Privacy is the most distinct of the four: it concerns the collection, use, retention, disclosure, and disposal of personal information in line with your privacy notice and applicable criteria. Privacy specifically addresses personal information about individuals, so it carries its own dedicated set of criteria and is the category most organizations should think hardest about before including, because it is the most demanding to evidence.

How scoping categories changes effort and cost

Which categories you include is the single biggest lever on the size of a SOC 2 project. Every category beyond Security adds its own criteria, and each criterion needs controls that you design, operate, and produce evidence for. More categories means more controls, more documentation, more evidence to collect, and more for the auditor to test — which lengthens the engagement and raises the fee.

The discipline that saves the most money is scoping tightly. Add a category because a real customer commitment or a genuine feature of your service requires it, not because more categories sounds more impressive. A category you include but do not truly need adds work and cost without making your report more valuable to the buyers you are trying to satisfy. Most early-stage service organizations are well served by Security alone, or Security plus one carefully chosen category such as Availability or Confidentiality.

As rough planning context, and consistent with how we frame costs elsewhere, each additional category meaningfully increases readiness effort and audit fees, with Privacy generally the most demanding to add. These are illustrative observations, not quotes; actual figures vary by scope, firm, and complexity, so get written proposals from CPA firms for your specific category selection before you budget. Decide scope deliberately and early, because changing it later means reworking controls and evidence you have already built.

The same yardstick for Type I and Type II

A frequent point of confusion is the relationship between the Trust Services Criteria and the choice between a SOC 2 Type I and a Type II report. They are two different decisions. The categories define what your controls are measured against; Type I versus Type II defines how and over what span of time the auditor tests them.

Both report types are examined against the same TSC. A Type I assesses whether your controls are suitably designed to meet the criteria in scope as of a single point in time — a snapshot on the report date. A Type II assesses both that design and the operating effectiveness of those same controls across an observation period, commonly three to twelve months, with evidence sampled throughout. In both cases the criteria are identical; only the testing approach and the time window differ.

This means your category scope applies regardless of which report you pursue. If you scope Security plus Availability, that is what a Type I examines on its date and what a Type II examines across its whole period. Choosing categories and choosing Type I versus Type II are independent decisions, and it is worth making them deliberately rather than treating them as one. Ask your CPA firm to advise on both for your specific situation, since they interact with your timeline and your buyers' expectations.

Mapping your controls to the criteria

Whatever categories you scope, a SOC 2 examination starts from the same place: your controls and their documentation have to exist and be mapped to the criteria before a CPA firm can evaluate them. The auditor works criterion by criterion, so a clear mapping — this policy and this evidence satisfy this criterion — is what makes a readiness effort navigable rather than a scramble. Without it, you are guessing at coverage and likely to discover gaps during fieldwork, which is the most expensive time to find them.
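As an added example (not the article's or ComplianceDocs' own tooling), here is a small Python check over a control-to-criteria mapping that applies the scoping rules above: Security is always in scope, each chosen optional category adds its criteria, and any in-scope criterion with no mapped control, any control with no evidence, and any control citing an out-of-scope criterion is reported before fieldwork. The criterion identifiers for the optional categories and the sample controls are constructed for illustration.

```python
# Added example: scope-aware coverage check for a SOC 2 control mapping.
# Security (CC1-CC9) is mandatory; the optional-category criterion
# identifiers below are simplified labels assumed for illustration.
CRITERIA_BY_CATEGORY = {
    "Security": [f"CC{n}" for n in range(1, 10)],
    "Availability": ["A1"],
    "Processing Integrity": ["PI1"],
    "Confidentiality": ["C1"],
    "Privacy": [f"P{n}" for n in range(1, 9)],
}

def scoped_criteria(optional_categories):
    """Criteria in scope: Security always, plus each chosen optional category."""
    unknown = set(optional_categories) - set(CRITERIA_BY_CATEGORY)
    if unknown:
        raise ValueError(f"unknown category: {sorted(unknown)}")
    cats = ["Security"] + [c for c in CRITERIA_BY_CATEGORY
                           if c != "Security" and c in optional_categories]
    return [crit for c in cats for crit in CRITERIA_BY_CATEGORY[c]]

def coverage_gaps(controls, optional_categories):
    """controls: dicts with id, criteria (list), policy, evidence (list).
    Returns (unmapped in-scope criteria, controls lacking evidence,
             (control, criterion) pairs that cite out-of-scope criteria)."""
    in_scope = scoped_criteria(optional_categories)
    mapped, no_evidence, out_of_scope = set(), [], []
    for ctl in controls:
        if not ctl.get("evidence"):
            no_evidence.append(ctl["id"])
        for crit in ctl["criteria"]:
            if crit in in_scope:
                mapped.add(crit)
            else:
                out_of_scope.append((ctl["id"], crit))
    unmapped = [c for c in in_scope if c not in mapped]
    return unmapped, no_evidence, out_of_scope

# Constructed sample mapping for a Security + Availability scope.
SAMPLE_CONTROLS = [
    {"id": "AC-01", "criteria": ["CC6"], "policy": "Access Control Policy", "evidence": ["IAM review Q1"]},
    {"id": "IR-01", "criteria": ["CC7"], "policy": "Incident Response Plan", "evidence": ["tabletop exercise"]},
    {"id": "CM-01", "criteria": ["CC8"], "policy": "Change Management Policy", "evidence": []},
    {"id": "BC-01", "criteria": ["A1", "P1"], "policy": "Backup and Recovery Policy", "evidence": ["restore test"]},
]

if __name__ == "__main__":
    unmapped, no_evidence, out_of_scope = coverage_gaps(SAMPLE_CONTROLS, ["Availability"])
    print("unmapped criteria:", unmapped)
    print("controls without evidence:", no_evidence)
    print("out-of-scope criteria cited:", out_of_scope)
```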

This is where a structured starting point helps. The ComplianceDocs SOC 2 toolkits — the SOC 2 Policy Pack (Core) and the SOC 2 Complete Toolkit (current list prices apply; a launch discount may show at checkout) — include a TSC control-mapping workbook that lays out the Common Criteria alongside the supplemental category criteria, with the editable policies the mapping points back to. That gives you the documentation layer already structured to the Trust Services Criteria, so you tailor and map rather than draft and organize from a blank page.

Be clear about what that does and does not do. The toolkit speeds your readiness and gives you an editable foundation; it does not produce the report and does not make your organization SOC 2 compliant, certified, or attested. A SOC 2 report is an independent attestation that only a licensed CPA firm can issue after examining the controls you actually operate, against the categories you have scoped, for either a Type I or a Type II. Good documentation buys you a faster, cleaner path into that examination — not a shortcut around it.

Frequently asked questions

What are the five SOC 2 Trust Services Categories?

They are Security, Availability, Processing Integrity, Confidentiality, and Privacy, defined by the AICPA Trust Services Criteria. Security is mandatory in every SOC 2 examination and is implemented through the Common Criteria. The other four are optional and are included only when they are relevant to the service you provide. Your SOC 2 report covers whichever categories you choose to be examined against, which is your scope.

Is the Security category really required for every SOC 2 report?

Yes. Security, often called the Common Criteria or the CC series, is always in scope for a SOC 2 examination — there is no SOC 2 report that omits it. The Common Criteria (CC1 through CC9) cover governance, risk assessment, access controls, system operations, change management, and vendor risk, and the other four categories build on top of them rather than replacing them. A report examined against Security alone is a complete, legitimate SOC 2 report, and for many organizations it is the right place to start.

How do I decide which optional categories to include?

Add a category only when a real customer commitment or a genuine feature of your service requires it. Availability suits services that make uptime commitments; Processing Integrity suits services whose value depends on processing data correctly; Confidentiality suits handling of sensitive business information; and Privacy applies when you handle personal information about individuals. Scope tightly, because every added category brings more controls and evidence, raising effort and cost. Many early-stage organizations are well served by Security alone or Security plus one carefully chosen category.

Do the Trust Services Criteria differ between a Type I and a Type II report?

No. Both report types are examined against the same Trust Services Criteria for whichever categories you scope. The difference is the testing approach: a Type I assesses whether controls are suitably designed at a single point in time, while a Type II assesses both that design and the operating effectiveness of the same controls across a period, commonly three to twelve months. Your category scope is a separate decision from Type I versus Type II, and the two interact with your timeline and your buyers' expectations.

Does a SOC 2 toolkit with a TSC mapping make my company SOC 2 compliant?

No. No template or toolkit makes an organization SOC 2 compliant, certified, or attested. A SOC 2 report is an independent attestation that only a licensed CPA firm can issue after examining the controls you actually operate, against the categories you have scoped, for a Type I or a Type II. A toolkit with a TSC control-mapping workbook is the documentation layer of readiness: it gives you editable policies mapped to the criteria so you tailor rather than draft from scratch. You still have to operate the controls, generate the evidence, and undergo the CPA examination to get the report.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.