
What Are the SOC 2 Criteria?
At the heart of SOC 2 attestation are the Trust Services Criteria (TSC), five areas that guide how a service organization safeguards customer data. Developed by the AICPA, these criteria form the basis of SOC 2 audits. Auditors evaluate your system description and boundary and assess whether controls are designed effectively (Type I) and operated consistently (Type II).
Auditors don’t just check that policies exist; they evaluate whether your controls are designed effectively and functioning as intended.
What Do the SOC 2 Criteria Evaluate?
SOC 2 is built around trust, not checklists. The framework is designed to help service organizations protect sensitive data and deliver services with consistency and resilience.
Each of the Trust Services Criteria (TSC) acts as a guiding principle. Together, they help auditors assess how well your organization:
- Secures access to systems
- Ensures uptime and performance
- Maintains data integrity and accuracy
- Protects confidential information
- Handles personal data responsibly
Auditors use these criteria to examine your environment, policies, and internal control operations.
The Five Trust Services Criteria (TSC)
Each TSC focuses on a specific area of organizational trust and system integrity. Organizations can choose which ones to include in their SOC 2 scope, but Security is always required.
| Trust Services Criteria | Required/Optional | Purpose | Examples |
| --- | --- | --- | --- |
| Security / Common Criteria (CC) | Required | Protects systems from unauthorized access and changes | SSO/MFA, least privilege, logging/monitoring, change management, vulnerability management |
| Availability (A) | Optional | Meets uptime commitments and ensures operational resilience | SLAs, capacity planning, disaster recovery/business continuity planning with tested restores, infrastructure monitoring |
| Processing Integrity (PI) | Optional | Ensures processing is complete, valid, accurate, and timely | Input validation, reconciliation, change validation in CI/CD pipelines |
| Confidentiality (C) | Optional | Protects sensitive information throughout its lifecycle | Data classification, encryption and key management/rotation, controlled sharing, NDAs |
| Privacy (P) | Optional | Manages personal data according to stated privacy commitments | Privacy notice alignment, consent management, data subject rights workflows, data retention/disposal |
What Are Points of Focus?
The Trust Services Criteria are broad, but the Points of Focus bring clarity.
These are practical, non-mandatory guidelines that help interpret each TSC. They help both auditors and organizations determine whether relevant controls are in place.
For example, under the Security criterion, Points of Focus may include:
- Identity and access management
- Change control and approval workflows
- Incident response planning
- Data classification procedures
While you don’t need to address every Point of Focus, using them helps ensure your controls are thorough and audit-ready.
Evidence and Documentation Required for SOC 2
Auditors assess whether your controls are:
- Designed effectively
- Operating consistently (for Type II audits)
To do that, they require specific evidence, such as:
- Access logs and permission change history
- Information security and privacy policies
- Risk assessment reports
- Security awareness training records
- Incident response and remediation documentation
- Monitoring tool alerts and screenshots
- Backup schedules and recovery test results
For Type II, provide evidence that covers the whole audit period (e.g., monthly vulnerability scans across all months, quarterly access reviews, an annual DR test). Be ready with population listings, sample selections, timestamps, and proof of remediation (tickets, commits, approvals).
The key is to show not just that policies exist, but that they’re being followed consistently.
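As an added illustration (not code from the original article), the following Python check applies the period-coverage idea above to your own evidence inventory before the auditor samples it: given evidence records tagged with a control id and a date, it reports which monthly, quarterly, or annual buckets of the audit period have no evidence. The control ids, cadences, and sample records are assumed for illustration only.

```python
from collections import defaultdict
from datetime import date

# Required evidence cadence per control (illustrative control ids, not SOC 2 identifiers).
CONTROL_FREQUENCY = {
    "vuln-scan": "monthly",        # e.g. monthly vulnerability scan reports
    "access-review": "quarterly",  # e.g. quarterly user access reviews
    "dr-test": "annual",           # e.g. annual disaster recovery test
}

# Constructed sample evidence records: (control id, ISO date, ticket/report reference).
SAMPLE_EVIDENCE = [
    ("vuln-scan", "2024-01-15", "SCAN-101"),
    ("vuln-scan", "2024-02-12", "SCAN-102"),
    ("vuln-scan", "2024-04-09", "SCAN-104"),  # March scan is missing on purpose
    ("access-review", "2024-03-28", "AR-Q1"),
    ("access-review", "2024-06-30", "AR-Q2"),
    ("dr-test", "2024-05-20", "DR-2024"),
]

def period_key(iso_day, frequency):
    """Map an evidence date to the (year, period) bucket it satisfies."""
    d = date.fromisoformat(iso_day)
    if frequency == "monthly":
        return (d.year, d.month)
    if frequency == "quarterly":
        return (d.year, (d.month - 1) // 3 + 1)
    if frequency == "annual":
        return (d.year,)
    raise ValueError(f"unknown frequency: {frequency}")

def expected_buckets(start, end, frequency):
    """All buckets a control must evidence between start and end (inclusive)."""
    d, last, buckets = date.fromisoformat(start), date.fromisoformat(end), []
    while d <= last:
        k = period_key(d.isoformat(), frequency)
        if k not in buckets:
            buckets.append(k)
        d = date(d.year + (d.month == 12), d.month % 12 + 1, 1)  # first day of next month
    return buckets

def coverage_gaps(evidence, start, end, frequencies=CONTROL_FREQUENCY):
    """Return {control: [missing buckets]} for the audit period, so gaps surface before sampling."""
    seen = defaultdict(set)
    for control, day, _ref in evidence:
        if control in frequencies and start <= day <= end:  # ISO dates compare lexically
            seen[control].add(period_key(day, frequencies[control]))
    return {c: missing for c, f in frequencies.items()
            if (missing := [b for b in expected_buckets(start, end, f) if b not in seen[c]])}
```

Running `coverage_gaps(SAMPLE_EVIDENCE, "2024-01-01", "2024-06-30")` on the constructed data flags the vulnerability-scan control for March, May, and June, which is exactly the kind of gap an auditor's sample selection would expose.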
How SOC 2 Type I and Type II Differ in Criteria Assessment
The Trust Services Criteria stay the same across Type I and Type II, but the way they’re evaluated changes:
Type I:
- Auditors assess your control design at a specific point in time.
- Question: Are the right policies and processes in place today?
Type II:
- Auditors assess how those controls operate over a period (typically 6–12 months).
- Question: Have you been following these controls consistently over time?
Because Type II includes operational evidence, it typically requires longer preparation and documentation efforts.
Mapping Controls to Criteria and Evidence
To meet SOC 2 expectations, you’ll need to implement internal controls and map them to the relevant criteria.
Examples:
| Trust Service Criteria | Control Example | Evidence Example |
| --- | --- | --- |
| Security | MFA for all admin access | Authentication logs, access policy documentation |
| Availability | Disaster recovery and backup testing | Recovery plan, test logs, uptime reports |
| Processing Integrity | Input validation for form submissions | Code documentation, test cases |
| Confidentiality | Role-based access to sensitive reports | Access control lists, data classification policy |
| Privacy | Data retention and deletion policies | Privacy notice, disposal logs, audit trail reports |
This control mapping not only helps your team implement best practices, it also helps your auditor validate your approach more efficiently.
FAQs About SOC 2 Criteria
What are the SOC 2 Trust Services Criteria?
There are five principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. They define what your controls should support.
Are all five criteria required?
No. Only Security is required. The others are optional, depending on your services and client expectations.
What evidence do auditors require?
System logs, policies, monitoring reports, risk assessments, training records, and more: anything that demonstrates your controls are designed and operational.
Do the criteria differ between Type I and Type II?
The criteria are the same, but Type I looks at control design at a point in time, while Type II verifies that the controls worked consistently over several months.