Orion's Road to SOC 2·Part 3 of 15
SOC 2 Basics

The 5 Trust Services Criteria Explained (Without the Jargon)

Security. Availability. Confidentiality. Processing Integrity. Privacy. What each TSC means, what auditors test, and which ones your company actually needs.

RA
Rishabh Arora
January 20, 2025·10 min read
BeginnerI'm new to SOC 2

Framework Relevance

SOC 2
100%

How relevant is this article to each framework? 100% = directly addresses this framework's requirements.

In this article

The Framework Underneath the Framework

SOC 2 doesn't have a single checklist. It has five categories of criteria called Trust Services Criteria (TSCs), and the controls that apply to you depend on which TSCs are in scope for your audit.

This is one of the most misunderstood aspects of SOC 2 for beginners. Let's break each one down clearly.


1. Security (CC) — The Required One

Official name: Common Criteria (CC) — sometimes called "Security"

The plain-English version: Security covers whether your systems and data are protected from unauthorized access, both from the outside world and from within your organisation.

This one is mandatory. Every SOC 2 audit includes Security. You cannot have a SOC 2 report without it.

The Security criteria are organised into nine categories:

  • CC1: Control Environment (leadership, accountability, governance)
  • CC2: Communication & Information (how policies are communicated)
  • CC3: Risk Assessment (how you identify and evaluate risks)
  • CC4: Monitoring (how you track whether controls are working)
  • CC5: Control Activities (the actual operational controls)
  • CC6: Logical & Physical Access (who can access what, and how) — the most heavily tested
  • CC7: System Operations (vulnerability management, incident response)
  • CC8: Change Management (how code and infrastructure changes are controlled)
  • CC9: Risk Mitigation (vendor management, business continuity)

Most of your audit effort will be focused here, especially on CC6.2, CC6.3, CC7.1, and CC8.1.


2. Availability (A) — The Second Most Common

The plain-English version: Availability covers whether your system is accessible and operational as promised to your customers.

This TSC is relevant if:

  • You have uptime SLAs in customer contracts
  • You provide a service where downtime has meaningful business impact
  • Customers explicitly ask about your disaster recovery capabilities

What auditors test for Availability:

  • Do you monitor system performance and alert on degradation?
  • Do you have a tested disaster recovery plan?
  • Can you demonstrate that your infrastructure meets your SLA commitments?

Key controls: A1.1, A1.2, A1.3

Orion's decision: They included Availability because their product is a real-time analytics platform. Downtime means customers can't access their data — a direct SLA breach. For Orion, Availability was non-negotiable.


3. Confidentiality (C) — For When Data Sensitivity Matters

The plain-English version: Confidentiality covers whether information that is designated as confidential is actually protected from unauthorized disclosure.

This is distinct from privacy (which covers personal data). Confidentiality applies to business-sensitive information — trade secrets, financial data, proprietary data that customers have entrusted to you.

This TSC is relevant if:

  • Customers store business-sensitive data in your system
  • Your contracts include confidentiality obligations
  • You handle financial or commercial data

What auditors test:

  • How do you identify and classify confidential information?
  • How do you restrict access to confidential data?
  • What happens to confidential data when a customer relationship ends?

4. Processing Integrity (PI) — For Transaction-Critical Systems

The plain-English version: Processing Integrity covers whether your system processes data completely, accurately, timely, and validly.

This TSC is specifically relevant for companies where incorrect data processing has direct financial or legal consequences: payment processors, accounting software, healthcare billing platforms, and similar.

If you're a general SaaS company that stores and retrieves data but doesn't process financial transactions, this TSC is usually not in scope.

What auditors test:

  • Do you have controls to detect and correct processing errors?
  • Is there a reconciliation process for critical transactions?
  • How do you handle partial failures?

5. Privacy (P) — For Personal Data Processing

The plain-English version: Privacy covers whether personal information is collected, used, retained, and disclosed in accordance with commitments made to data subjects (individuals).

The Privacy TSC is aligned with AICPA's privacy framework and incorporates Generally Accepted Privacy Principles (GAPP). It has significant overlap with GDPR and India's DPDP Act.

This TSC is relevant if:

  • You collect personal information from end users
  • Your product processes personally identifiable information (PII)
  • Customers ask you specifically about privacy controls and data subject rights

Note: Privacy adds significant complexity to the audit. Many companies defer it until they have established their core Security + Availability report.


Which TSCs Should You Choose?

Here's my practical guidance based on company type:

| Company Type | Recommended TSCs | |---|---| | B2B SaaS (general) | Security + Availability | | Payments / Fintech | Security + Availability + Processing Integrity | | Healthcare / Health data | Security + Availability + Privacy | | Enterprise data management | Security + Availability + Confidentiality | | Consumer apps with PII | Security + Privacy | | High-security / Government | All five |

Start with Security. Add Availability if you have uptime SLAs. Add others based on your customers' specific requirements and what's in your contracts.


What Comes Next

Now that you know what the framework covers, the next critical step is defining which parts of your company are actually in scope. Scope definition is arguably the most important strategic decision in your entire SOC 2 journey — and it's where most companies make their first big mistake.

⚠️

Scope mistake alert: Including every system your company touches in your SOC 2 scope will make your audit enormously expensive and difficult. Next post, we'll show you exactly how Orion defined a tight, defensible scope.

Ready to assess your own SOC 2 readiness?

Run Your Free Assessment →
👨‍💻

Written by Rishabh Arora

GRC Architect & ex-Deloitte Consultant

I've guided 35+ B2B SaaS companies through SOC 2, ISO 27001, and DPDP compliance. My goal is to help engineering teams build logical access controls and security programs that actually work, without slowing down product velocity.

Connect on LinkedIn