What are the Trust Services Criteria?

AICPA’s Trust Services Criteria are the framework auditors use to determine which security and compliance controls they will test at a company. The only Trust Services Criteria category required for every SOC 2 report is Security; after determining the audit scope, auditors have the option of adding Availability and Processing Integrity as well.

Trust Services Criteria Categories:

Security

  • Data and systems are protected against unauthorized access and disclosure, including damage that could compromise those systems. Data should be protected during its collection or creation, use, processing, transmission, and storage.

Availability

  • Data and systems are available for operation and use. Systems include controls to support accessibility for operation, monitoring, and maintenance.

Confidentiality

  • The organization should protect data designated as confidential (i.e., any sensitive information).

Processing Integrity

  • System processing, particularly of customer data, is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Privacy

  • Personal data is collected, used, retained, disclosed, and disposed of in accordance with relevant regulations and policies.