Trust Services Criteria
TSC
The five categories defined by the AICPA against which SOC 2 controls are evaluated: security, availability, processing integrity, confidentiality, and privacy. Security (the "common criteria") is always in scope; the other four are included only if relevant to the service.
This definition is part of TCSA’s plain-English compliance glossary, written and reviewed by the auditors who prepare organizations for these frameworks — 500+ audits delivered across India, USA, UK, Australia & UAE.
Related SOC terms
AT-C Section 320
The section of the AICPA's clarified attestation standards (introduced by SSAE 18) under which every SOC 1 examination is performed. It prescribes what management's system description must contain, how control objectives are specified, and what the service auditor's opinion covers.
Bridge Letter
A short letter from a service organisation's management covering the gap between the end of its latest SOC report period and a customer's financial year-end, stating whether the described controls have materially changed. It is a management representation, not a CPA opinion, and is meant as a stop-gap until the next report.
Carve-out Method
One of two ways to treat subservice organisations (such as a cloud or data-centre provider) in a SOC 1 or SOC 2 report: their controls are excluded from the description and testing, and the report instead identifies the complementary subservice organization controls (CSOCs) being relied on. The alternative is the inclusive method.
CSOCs
Controls that a carved-out subservice organisation (for example, a hosting provider) is assumed to operate for the service organisation's control objectives to be met. Report readers verify they are covered — usually by obtaining the subservice organisation's own SOC report.
CUECs
Controls that a SOC report assumes the customer (user entity) operates at its own end — for example, approving payroll input before submission or deactivating leavers' accounts promptly. If a user entity does not operate its CUECs, the report's assurance does not fully apply to it.
Inclusive Method
The alternative to the carve-out method: the subservice organisation's relevant controls are included in the service organisation's system description and tested by the service auditor. It gives report readers fuller coverage but is rarer in practice because it requires the subservice organisation's cooperation.