What is Trust Services Criteria?
The Trust Services Criteria (TSC) are the set of control criteria published by the American Institute of Certified Public Accountants (AICPA) that a SOC 2 audit evaluates an organization's controls against. The criteria are grouped into categories, and each criterion carries points of focus that illustrate what a control addressing it typically looks like. Understanding how the categories and criteria fit together is essential for any company scoping a SOC 2 engagement.
The five categories
The Trust Services Criteria are organized into five categories:
- Security — the only required category in every SOC 2 engagement, covering protection of systems and data against unauthorized access, both physical and logical
- Availability — addresses whether systems are operational and accessible as committed in service-level agreements or contracts
- Processing integrity — evaluates whether system processing is complete, valid, accurate, timely, and authorized
- Confidentiality — focuses on protecting information designated as confidential, such as trade secrets, intellectual property, or business plans
- Privacy — concerns the collection, use, retention, disclosure, and disposal of personal information in accordance with an organization's privacy notice
How TSC relates to SOC 2
Every SOC 2 audit is built around one or more Trust Services Criteria. The Security category (also known as the Common Criteria) is mandatory. Organizations then select additional categories based on the nature of their services and what their customers or prospects require.
For example, a cloud infrastructure provider may include Availability because uptime guarantees are central to its business. A data analytics company might include Processing Integrity to demonstrate accuracy of its outputs. A healthcare SaaS product may include Privacy to address handling of personal information.
Common Criteria (CC series)
The Security category is broken into nine series of Common Criteria (CC1 through CC9). CC1 through CC5 correspond to the five components of the COSO 2013 internal control framework; CC6 through CC9 are the supplemental series that carry most of the technical security requirements. The series cover:
- CC1: Control environment
- CC2: Communication and information
- CC3: Risk assessment
- CC4: Monitoring activities
- CC5: Control activities
- CC6: Logical and physical access controls
- CC7: System operations
- CC8: Change management
- CC9: Risk mitigation
The Common Criteria apply to every SOC 2 engagement regardless of which categories are selected, so they also form the foundation for the other four categories. Each additional category adds its own criteria on top of the common set: the A1 series for Availability, the PI1 series for Processing Integrity, the C1 series for Confidentiality, and the P1 through P8 series for Privacy.
Why TSC matters for your organization
Selecting the right Trust Services Criteria directly impacts the scope, cost, and duration of your SOC 2 audit. Choosing too few categories might not satisfy customer requirements. Choosing too many can increase the number of controls you need to implement and the evidence you need to collect, driving up both effort and audit fees.
A strategic approach is to start with Security (required) and one or two additional categories that align with customer demand, then expand over time as your compliance program matures.
Mapping controls to TSC
Each criterion within a Trust Services Criteria category includes points of focus that describe the characteristics of controls typically used to meet it. The points of focus are guidance rather than a checklist: an auditor assesses whether the criterion is met, not whether every point of focus has a matching control. Organizations map their internal controls to the criteria they have in scope and collect evidence that the controls are suitably designed (the subject of a Type 1 report) and, over the review period, operating effectively (the additional subject of a Type 2 report).
This mapping exercise is a core part of SOC 2 readiness. It identifies gaps where new controls are needed, highlights areas where existing processes already satisfy the criteria, and shows where one control serves several criteria, so that a single piece of evidence can be reused across them.
How episki helps
episki provides pre-built control mappings to all five Trust Services Criteria categories, making it straightforward to see which controls satisfy which criteria points. The platform tracks evidence collection tied to each control and flags gaps before your auditor arrives. Learn more on our SOC 2 compliance page.