SOC 2 Compliance Framework: Trust Services Criteria Explained
Every SOC 2 Compliance — Type I or Type II — is built on five criteria defined by the AICPA. This guide breaks down what each one means, how auditors test it, what it costs, and how to decide which criteria your organization actually needs.
What SOC 2 Actually Is
SOC 2 Compliance (Service Organization Control 2) is a voluntary attestation standard created by the American Institute of Certified Public Accountants (AICPA). Unlike a certification with a pass/fail badge, SOC 2 produces a report — an independent CPA firm’s opinion on whether your internal controls meet the Trust Services Criteria (TSC) you’ve chosen to be evaluated against.
The framework is deliberately principle-based rather than checklist-based. It doesn’t tell you which firewall to buy or which MFA tool to use — it tells you the outcome your controls need to achieve, and lets you design the specific mechanics around your own architecture.
| Attribute | Type I | Type II |
|---|---|---|
| What it measures | Controls are suitably designed at a single point in time | Controls are designed and operating effectively over a review period |
| Typical duration | Snapshot (one date) | 3–12 months of observation |
| Buyer perception | Good starting signal | Expected minimum for enterprise deals |
| Relative cost | Lower | Higher (longer audit + evidence period) |
| Best for | First-time applicants proving readiness | Companies renewing or facing procurement requirements |
What's New for SOC 2 in 2026
The underlying five Trust Services Criteria haven’t changed since 2017 — but expectations around how you meet them have shifted. Auditors and enterprise buyers are increasingly expecting evidence of modern access controls: multi-factor authentication as a baseline, network segmentation, least-privilege access policies, and — while not an explicit SOC 2 requirement — Zero Trust architecture principles that align naturally with the security TSC’s access-control expectations. Reports are also trending more comprehensive overall, with a 2024 benchmark finding 23% of SOC 2 reports now contain more than 150 individual security controls, reflecting a generally more rigorous approach across the industry.
The Five Trust Services Criteria
Security is mandatory in every SOC 2 audit. The other four are selected based on what your product actually does and what your customers expect assurance over.
| Criterion | Status | What it evaluates | Typical evidence |
|---|---|---|---|
| SECURITY | Mandatory | Protection against unauthorized access, physical and logical | MFA, firewalls, access reviews, intrusion detection |
| AVAILABILITY | Optional | Whether systems are accessible and operate as agreed | Uptime monitoring, incident response, capacity planning |
| PROCESSING INTEGRITY | Optional | Whether data processing is complete, accurate, and timely | Input validation, reconciliation logs, QA checks |
| CONFIDENTIALITY | Optional | Protection of non-public business information | Encryption, NDAs, data classification policies |
| PRIVACY | Optional | Collection, use, retention, and disposal of personal data | Consent records, retention schedules, DSR handling |
|
Scoping tip: adding more criteria doesn’t automatically mean stronger security — it means broader assurance coverage. Only expand scope once your existing controls are mature and consistently operated; breadth without maturity tends to create audit exceptions rather than trust. |
What Are the SOC 2 Trust Services Criteria?
The Trust Services Criteria (TSC) are the set of standards published by the AICPA that a SOC 2 audit is measured against. Instead of a rigid checklist, the framework groups controls into five categories, each covering a different dimension of how a service organization protects and manages customer data.
A SOC 2 report never covers all five by default. Security is the only criterion required in every engagement; the other four are selected based on the commitments you’ve made to customers and the nature of your systems.
Quick definition :Trust Services Criteria = the AICPA’s five-category framework (Security, Availability, Processing Integrity, Confidentiality, Privacy) that every SOC 2 audit is scoped and tested against.
Points of Focus: What Actually Changed in 2022 (and What's Held Steady Into 2026)
It’s worth clearing up a common misconception: the five Trust Services Criteria themselves have not changed since the AICPA published them in 2017. What changed, in the fall of 2022, was the supporting guidance — the “points of focus” that help auditors and companies interpret each criterion in light of newer threats and technologies. That’s still the operative standard heading into 2026.
In practical terms, auditors now expect to see evidence of things that weren’t common vocabulary in 2017: multi-factor authentication as a baseline rather than a bonus, network segmentation, API security controls, device inventories, and a documented risk-assessment process that specifically names new categories of threats — including risks tied to AI tooling. Zero trust architecture isn’t a named SOC 2 requirement, but it lines up cleanly with the access-control and risk-mitigation points of focus, and it’s increasingly what auditors expect a mature control environment to look like. Formal disclosure of subservice providers — the cloud hosts, payment processors, and SaaS tools you rely on — has also become close to universal in current reports, reflecting how much modern software depends on a chain of vendors rather than a single company’s own infrastructure.
Who Actually Needs SOC 2
If your product stores, processes, or transmits customer data — especially in the cloud — SOC 2 questions will find you eventually. Only about 7% of companies with under $1M in funding are SOC 2 compliant, compared to 45% of companies generating over $100M in annual revenue. That gap isn’t a coincidence — it tracks almost exactly with when enterprise procurement starts gating deals behind a compliance report.
You’ll typically need SOC 2 Compliance when:
- An enterprise prospect’s security questionnaire lists it as a requirement
- A deal is stuck in vendor risk review with no way to move forward
- Investors or board members want independent assurance before a raise or exit
- You’re competing against vendors who already have a report and you don’t
The Common Criteria (CC-Series)
Underneath the five TSCs sits a shared foundation called the Common Criteria — the CC1 through CC9 series that every SOC 2 audit touches, regardless of which optional criteria you select.
| Code | Focus area |
|---|---|
| CC1 | Control Environment — governance, ethics, oversight |
| CC2 | Communication & Information — reporting responsibilities clearly |
| CC3 | Risk Assessment — identifying threats to objectives |
| CC4 | Monitoring Activities — ongoing control evaluation |
| CC5 | Control Activities — policies enforcing practice |
| CC6 | Logical & Physical Access — the access-control core |
| CC7 | System Operations — detection & incident response |
| CC8 | Change Management — controlled system changes |
| CC9 | Risk Mitigation — vendor and business-continuity risk |
How B4Q Assurance helps : As a licensed U.S. CPA firm (AICPA) handling SOC 1, SOC 2, and SOC 3 engagements, B4Q Assurance works with you during scoping to select the Trust Services Criteria that genuinely match your risk profile and customer commitments — not a one-size-fits-all checklist.
How a SOC 2 Audit Actually Runs
A SOC 2 Compliance moves through five stages. Type II audits repeat the observation stage over months rather than a single point in time.
Scoping: identify which systems handle customer data and which TSCs apply to your business model.
Gap assessment: compare current controls against the chosen criteria and flag missing evidence, policies, or tooling.
Remediation: implement or document the controls needed to close identified gaps.
Observation period: for Type II, controls must operate consistently across the review window — this is where continuous monitoring matters most.
Audit and report: an independent CPA firm tests controls and issues an opinion — unqualified (clean), qualified, or adverse.
What It Costs and How Long It Takes
| Cost bucket | Type I range | Type II range | Notes |
|---|---|---|---|
| Auditor fees | Mid four to low five figures (USD) | Low five figures and up | Varies by scope, TSC count, and firm reputation |
| Readiness / tooling platform | High four to low five figures / year | Same | Priced by headcount, frameworks, environment complexity |
| Remediation work | $1,000–$10,000+ | Same | Depends on how many control gaps exist |
| Internal engineering time | 100–200+ hours | Same | Often the most underestimated cost |
Typical end-to-end timelines run 2–4 months for Type I and 6–12 months for Type II once the observation period is included.
SOC 2 vs. ISO 27001
| SOC 2 | ISO 27001 | |
|---|---|---|
| Issued by | CPA firm (AICPA standard) | Accredited certification body |
| Output | Attestation report | Certificate |
| Structure | Principle-based (TSC) | Prescriptive (ISMS + Annex A controls) |
| Primary market | North America / SaaS buyers | Global, especially EU / APAC |
| Renewal | Annual report | 3-year cycle with annual surveillance |
Common Mistakes When Scoping Trust Services Criteria
- Including all five criteria “just to be safe”, which inflates cost and audit time unnecessaril
- Excluding Availability or Processing Integrity when customer SLAs already require it
- Confusing Confidentiality with Privacy and mapping controls to the wrong criterion
- Never revisiting scope as the business or product changes
Ready to Start Your SOC 2 Journey?
Choosing the right Trust Services Criteria, scoping your audit correctly, and working with a licensed CPA firm that actually understands SaaS and technology companies makes the difference between a smooth audit and a nine-month headache. B4Q Assurance CPA PC works with organizations across the US on SOC 1, SOC 2, and SOC 3 engagements — from initial readiness assessment through Type I and Type II reporting.
Book a free strategy call to talk through which Trust Services Criteria actually make sense for your business before you commit to a full audit scope.
Official Resources & Further Reading
The primary sources below are useful for verifying exact control language and for anyone comparing SOC 2 Compliance to adjacent frameworks.
AICPA – Trust Services Criteria (TSP Section 100): The official 2017 Trust Services Criteria document, with revised points of focus (2022) — the primary source auditors test against (free account required to download).
AICPA – SOC 2 Framework Mappings: Official mappings from the Trust Services Criteria to ISO 27001, NIST 800-53, and the CSA Cloud Controls Matrix — useful when pursuing more than one framework.
ISO/IEC 27001: The official international standard, for organizations comparing SOC 2 against ISO 27001 or planning to pursue both.
https://www.iso.org/standard/27001
AICPA – SOC 2 Description Criteria: A companion document governing how a service organization’s system description should be written for the audit report — separate from, but required alongside, the Trust Services Criteria.
FAQs
Is SOC 2 a Compliance?
SOC 2 produces an attestation report from an independent CPA firm, not a certificate from an accreditation body like ISO 27001.
Which Trust Services Criteria do we need?
Security is always required. The rest depend on your product — Availability if uptime is contractually promised, Processing Integrity if you transform or calculate data, Confidentiality for sensitive business data, and Privacy if you handle significant personal data.
How long is a SOC 2 report valid?
Reports typically cover a defined period and are renewed annually to remain relevant for procurement and vendor-review processes.
Can a startup get SOC 2 before it's "ready"?
Yes — many pursue Type I early as a readiness signal, then move to Type II once controls have operated consistently for a few months.