The 5 Trust Services Criteria (TSCs) Explained

Image by Gerd Altmann from Pixabay

SOC 2 Reports Explained With Help From History’s Greatest Thinkers

If you are new to SOC 2®, you may find that SOC 2 reports do not resemble your typical audit or assessment report. A SOC 2 report begins by detailing the specifics of an organization’s unique environment. The report also allows for companies to provide additional information such as an explanation of the organization, personnel, and/or the in-scope system.

Developed by the American Institute of CPAs (AICPA), the five Trust Services Criteria (TSC) (Previously called Trust Services Principles) are available to include in your SOC 2 attestation report. Right now, you may be asking yourself, what are these TSCs you speak of?! But there is no need to fret, this blog will give you a brief overview of each and offer you guidance on which TSCs to include in your report. The five TSCs are Security, Availability, Confidentiality, Processing Integrity, and Privacy. While Security is the only required TSC, stay tuned to learn the benefit of the remaining criteria.
If you choose to embark on the SOC 2 journey you should find this blog valuable. Let’s take a walk through each criterion with wise words from some of the greatest minds in history.

1. Security

“If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them.”

-Henry David Thoreau, American Poet and Philosopher

Was Henry David Thoreau referring to your cloud infrastructure? Most likely not, but the sentiments resonate even in 2022. Every castle needs a foundation, just like every SOC 2 report needs the Security criteria. The Security criteria, commonly referred to as the common criteria, are the only criteria required to be in a SOC 2 attestation report. The Security criteria are referred to as the common criteria because several parts of the criteria are shared among all five of the Trust Services Criteria.
This criterion is ordinarily applied to all engagements and addresses whether the system protects against unauthorized access. Access controls are in place to prevent security breaches such as disclosure of information, misuse of the software, unauthorized removal of data, and potential system abuse.

2. Availability

“Availability is the best ability”

-Bill Parcells, Hall of Fame NFL Coach

Thank you for the kind words, Bill. Consultants everywhere are ecstatic to hear TSCs getting the praise they deserve. The Availability criteria encompass the accessibility of a system, product, or service. It requires information and systems to be available for operation and meet the objectives laid out in your SLAs and contracts with customers.

3. Confidentiality

“I tried to keep us together, you were busy keeping secrets”

-Drake, Grammy Award Winning Music Artist

Okay, who invited Mr. Lover Boy? Security! Just like your trustworthiness within personal relationships, your customers want to know that they can trust you with their sensitive information. Put light-heartedly, you would never share a secret with your friend with a big mouth. If you handle sensitive data like personally identifiable information, strategic business plans, financial information, and intellectual property, it is highly suggested that the Confidentiality principle is included in your SOC 2 report.

4. Processing Integrity

“Whoever is careless with the truth in small matters cannot be trusted with important matters”

-Albert Einstein, Nobel Prize award-winning Theoretical Physicist

Wow, these geniuses really knew a thing or two about IT, Einstein would have made a great consultant. Processing Integrity pertains to whether a system of the service entity can achieve its purpose by delivering the right data at the right time. The key components here are that the system has valid, accurate, timely, and authorized data.

5. Privacy

“In the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules – not just for governments but for private companies.”

– Bill Gates, Billionaire Business Magnate and Philanthropist

Spot on Bill, Privacy has been a point of contention for information technologies since their inception and is also a criterion an organization can choose to examine in their SOC report. Privacy is the principle that covers how a third-party vendor collects and uses personal information. This ensures that personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice. Personal information could include names, addresses, and social security numbers.

Which Criteria Should You Include in Your SOC 2 Report?

The service organization should also prepare and become familiar with all five TSCs to see how they could apply to their systems and services. An important step in SOC 2 audit planning is determining which of the five criteria you should include in your examination. Speaking with experts at QoS Consulting Solutions will help ensure that you include the correct TSCs in your audit to avoid spending too much time, resources, and money on criteria you do not need. You can also find a comprehensive overview of the key differences between SOC 2 reports by clicking here.

For more information speak with a QoS consultant today,, or reach out through our contact form on our website,