GRC Answer

What are the SOC 2 Trust Services Criteria?

The Trust Services Criteria (TSC) are the standards the AICPA publishes against which an independent CPA firm evaluates a service organization's controls. There are five categories. Security (Common Criteria, CC) is mandatory and appears in every SOC 2 report. The other four — Availability (A), Processing Integrity (PI), Confidentiality (C), and Privacy (P) — are optional: organizations include them where relevant to the services they provide and to what buyers need to see. Most SaaS companies scope Security as the baseline and add Availability when uptime commitments matter to buyers, Confidentiality when enterprise data handling is a selling point, Privacy when the service processes significant personal data, and Processing Integrity for transactional or financial processing. The Common Criteria are further divided into CC1 through CC9. CC6 covers logical and physical access controls — provisioning, authentication, role-based access, and periodic access review. CC7 covers systems operations and monitoring. CC9 covers risk management and vendor risk, including CC9.2, which requires monitoring of third-party providers and the controls they operate on your behalf. CC6 maps closely to ISO 27001 A.5.15–A.5.18; CC9.2 to A.5.19–A.5.23 — organizations running both frameworks reuse this evidence rather than maintaining separate control sets.