Trust Services Criteria (TSC)
The Trust Services Criteria, defined by the AICPA, are the five foundational categories against which organizations are evaluated during a SOC 2 examination: Security (Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only mandatory criterion and covers protection against unauthorized access to system resources through logical and physical controls. Availability addresses whether systems are operational and accessible as committed, while Processing Integrity evaluates whether system processing is complete, valid, accurate, and timely. The Confidentiality and Privacy criteria govern how organizations handle sensitive information and personal information respectively, including collection, use, retention, and disposal practices. Most organizations begin their SOC 2 journey with Security and then add Availability and Confidentiality; each additional criterion increases audit scope and cost by approximately 10–15%.