Frequently Asked Questions

What are the 5 criteria for SOC 2?

The five Trust Services Criteria (TSC) are Security, Availability, Processing Integrity, Confidentiality, and Privacy. ‘Security’ is the only mandatory category and focuses on protecting against unauthorized access. ‘Availability’ ensures systems are operational and usable as agreed. ‘Processing Integrity’ confirms that system processing is complete, valid, accurate, and timely. ‘Confidentiality’ deals with protecting data restricted to a specific set of persons or organizations. Finally, ‘Privacy’ addresses the collection, use, retention, disclosure, and disposal of personal information in conformity with the organization’s privacy notice. Companies can choose which of the four optional criteria to include in their audit based on their specific business model and customer requirements.

Understanding the Five Trust Services Criteria in SOC 2 Audits

For financial professionals evaluating vendor risk, understanding the Trust Services Criteria (TSC) is essential. These five categories form the foundation of every SOC 2 audit and directly affect how you assess the controls environment of the companies you work with or invest in.

Security: The Only Mandatory Criterion

Security is the baseline requirement for every SOC 2 examination. It cannot be excluded. This criterion evaluates whether an organization has sufficient controls to protect its systems and data against unauthorized access, whether physical or logical. For financial readers, think of this as the non-negotiable minimum. If a vendor presents a SOC 2 report, it will always cover Security, sometimes referred to as the “Common Criteria” because its controls underpin all the other categories.

Key areas include access controls, firewalls, intrusion detection, and multi-factor authentication. When reviewing a SOC 2 report, the Security section will give you the clearest picture of how seriously a company treats its foundational risk posture.

Availability: Uptime and Operational Resilience

The Availability criterion measures whether systems are operational and accessible as committed in service-level agreements (SLAs) or contracts. This matters significantly in financial contexts where downtime can translate directly into lost revenue, failed transactions, or regulatory exposure.

Controls under this category typically cover disaster recovery planning, performance monitoring, incident handling, and redundancy. If you rely on a third party for payment processing, portfolio management platforms, or trading infrastructure, you should expect to see Availability included in their SOC 2 scope.

Processing Integrity: Accuracy and Completeness of Data

Processing Integrity confirms that system processing is complete, valid, accurate, timely, and authorized. For finance teams, this is particularly relevant when evaluating vendors that handle transaction processing, reporting engines, or data aggregation.

A failure in processing integrity could mean incorrect calculations, duplicated entries, or delayed outputs, all of which carry financial and compliance consequences. Controls in this area often address quality assurance procedures, error monitoring, and reconciliation processes.

Confidentiality: Protecting Sensitive Business Information

Confidentiality focuses on data that is restricted to a defined set of individuals or organizations. This is distinct from Privacy (covered below) because it applies to business data rather than personal data. Think of intellectual property, financial projections, merger details, or proprietary trading strategies.

For financial professionals, this criterion is worth scrutinizing when a vendor has access to non-public financial information. Controls here typically cover encryption, network segmentation, access restrictions, and data classification policies.

Privacy: Handling Personal Information Responsibly

The Privacy criterion addresses how an organization collects, uses, retains, discloses, and disposes of personal information. It specifically evaluates whether these practices conform to the entity’s published privacy notice and to widely accepted privacy principles.

This criterion has grown in importance alongside regulations like GDPR and CCPA. If a vendor processes customer personal data on your behalf, particularly in wealth management, insurance, or retail banking, the inclusion of Privacy in their SOC 2 scope should carry weight in your due diligence.

How Companies Choose Which Criteria to Include

Only Security is mandatory. The remaining four categories (Availability, Processing Integrity, Confidentiality, and Privacy) are selected based on the nature of the business, the types of data handled, and what customers or regulators require. A cloud infrastructure provider might include Availability and Confidentiality, while a healthcare payments company might add Privacy and Processing Integrity.

When reviewing a SOC 2 report, always check which criteria were included in scope. A report that only covers Security is not necessarily a red flag, but it does tell you that the other dimensions were not independently examined. Ask vendors why certain criteria were included or excluded, as their reasoning will often reveal how well they understand their own risk landscape.