The five SOC 2 Trust Services Criteria
Every SOC 2 examination is built on the AICPA Trust Services Criteria. Security is mandatory; the other four categories are optional add-ons you scope in based on what you commit to customers.
Security is required in every report — Availability, Processing Integrity, Confidentiality, and Privacy are chosen by customer demand.
AICPA Trust Services Criteria · SSAE 18 attestation · Last reviewed June 2026
Direct Answer
What are the Trust Services Criteria?
The Trust Services Criteria (TSC) are the five categories the AICPA defines for a SOC 2 examination — Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security, implemented through the Common Criteria CC1–CC9, is mandatory in every report; the other four are optional and chosen based on the commitments you make to customers. SOC 2 itself is an SSAE 18 attestation issued by a licensed CPA — an independent opinion, not a certificate.
The five categories
Explore each criterion
Security
The Common Criteria (CC1–CC9) — the only category required in every SOC 2 report. It protects systems and data against unauthorised access, disclosure, and damage.
Availability
For commitments around uptime and accessibility — monitoring, capacity, backup, and disaster recovery. Common when customers depend on your SLA.
Processing Integrity
For systems that must process data completely, accurately, and on time — input validation, processing controls, and output reconciliation.
Confidentiality
For information designated confidential — classification, encryption, access restriction, and secure disposal across its lifecycle.
Privacy
For personal information — notice, choice and consent, collection, use, retention, and disclosure handled in line with your privacy notice.
Frequently Asked Questions
Common questions on scoping the SOC 2 Trust Services Criteria.
How many SOC 2 Trust Services Criteria are there?
Five: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only mandatory category — it appears in every SOC 2 report. The other four are optional and selected based on the commitments you make to customers and the nature of your service.
Which Trust Services Criteria should we include in our SOC 2?
Start with Security, which is always required. Add Availability if customers rely on uptime SLAs, Confidentiality if you hold sensitive non-personal data, Privacy if you process personal information, and Processing Integrity if accurate, complete transaction processing is core to your service. Scoping in only what you can support keeps the audit focused and the report credible.
Is a "Security-only" SOC 2 report valid?
Yes. Because Security (the Common Criteria) is the mandatory baseline, a report scoped to Security alone is a complete, valid SOC 2 report — often exactly what enterprise buyers ask for. You can add the other categories in a later examination as customer requirements evolve.