The Trust Services Criteria, often abbreviated TSC, are the five categories defined by the AICPA that form the basis for SOC 2 audits. The five categories are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is required for every SOC 2 audit and is implemented through the nine Common Criteria series CC1 through CC9. The other four categories are optional and selected based on customer requirements, regulatory obligations, or business commitments. Each category contains category-specific criteria that layer on top of the required Common Criteria. A service organization's scope statement explicitly lists which categories are included, and auditors design their testing to address every criterion within the selected categories. The TSC framework is principles-based rather than prescriptive: companies define controls that meet each criterion in a way that fits their operating model, then demonstrate to the auditor that the controls are appropriate and effective. Understanding the TSC structure is foundational for any team preparing for SOC 2.
Trust Services Criteria · Last updated 2026-05-17