SOC 2 Compliance Framework: Trust Services Criteria Explained

SOC 2 Compliance Framework: Trust Services Criteria Explained

Every SOC 2 Compliance — Type I or Type II — is built on five criteria defined by the AICPA. This guide breaks down what each one means, how auditors test it, what it costs, and how to decide which criteria your organization actually needs.

SOC 2 Compliance Framework

What SOC 2 Actually Is

SOC 2 Compliance  (Service Organization Control 2) is a voluntary attestation standard created by the American Institute of Certified Public Accountants (AICPA). Unlike a certification with a pass/fail badge, SOC 2 produces a report — an independent CPA firm’s opinion on whether your internal controls meet the Trust Services Criteria (TSC) you’ve chosen to be evaluated against.

The framework is deliberately principle-based rather than checklist-based. It doesn’t tell you which firewall to buy or which MFA tool to use — it tells you the outcome your controls need to achieve, and lets you design the specific mechanics around your own architecture.

Attribute Type I Type II
What it measures Controls are suitably designed at a single point in time Controls are designed and operating effectively over a review period
Typical duration Snapshot (one date) 3–12 months of observation
Buyer perception Good starting signal Expected minimum for enterprise deals
Relative cost Lower Higher (longer audit + evidence period)
Best for First-time applicants proving readiness Companies renewing or facing procurement requirements

What's New for SOC 2 in 2026

The underlying five Trust Services Criteria haven’t changed since 2017 — but expectations around how you meet them have shifted. Auditors and enterprise buyers are increasingly expecting evidence of modern access controls: multi-factor authentication as a baseline, network segmentation, least-privilege access policies, and — while not an explicit SOC 2 requirement — Zero Trust architecture principles that align naturally with the security TSC’s access-control expectations. Reports are also trending more comprehensive overall, with a 2024 benchmark finding 23% of SOC 2 reports now contain more than 150 individual security controls, reflecting a generally more rigorous approach across the industry.

The Five Trust Services Criteria

Security is mandatory in every SOC 2 audit. The other four are selected based on what your product actually does and what your customers expect assurance over.

Criterion Status What it evaluates Typical evidence
SECURITY Mandatory Protection against unauthorized access, physical and logical MFA, firewalls, access reviews, intrusion detection
AVAILABILITY Optional Whether systems are accessible and operate as agreed Uptime monitoring, incident response, capacity planning
PROCESSING INTEGRITY Optional Whether data processing is complete, accurate, and timely Input validation, reconciliation logs, QA checks
CONFIDENTIALITY Optional Protection of non-public business information Encryption, NDAs, data classification policies
PRIVACY Optional Collection, use, retention, and disposal of personal data Consent records, retention schedules, DSR handling

 Scoping tip: adding more criteria doesn’t automatically mean stronger security — it   means broader assurance coverage. Only expand scope once your existing controls   are mature and consistently operated; breadth without maturity tends to create audit   exceptions rather than trust.

What Are the SOC 2 Trust Services Criteria?

The Trust Services Criteria (TSC) are the set of standards published by the AICPA that a SOC 2 audit is measured against. Instead of a rigid checklist, the framework groups controls into five categories, each covering a different dimension of how a service organization protects and manages customer data.

A SOC 2 report never covers all five by default. Security is the only criterion required in every engagement; the other four are selected based on the commitments you’ve made to customers and the nature of your systems.

 Quick definition :Trust Services Criteria = the AICPA’s five-category framework         (Security, Availability, Processing Integrity, Confidentiality, Privacy) that every SOC 2     audit is scoped and tested against.

Points of Focus: What Actually Changed in 2022 (and What's Held Steady Into 2026)

It’s worth clearing up a common misconception: the five Trust Services Criteria themselves have not changed since the AICPA published them in 2017. What changed, in the fall of 2022, was the supporting guidance — the “points of focus” that help auditors and companies interpret each criterion in light of newer threats and technologies. That’s still the operative standard heading into 2026.

In practical terms, auditors now expect to see evidence of things that weren’t common vocabulary in 2017: multi-factor authentication as a baseline rather than a bonus, network segmentation, API security controls, device inventories, and a documented risk-assessment process that specifically names new categories of threats — including risks tied to AI tooling. Zero trust architecture isn’t a named SOC 2 requirement, but it lines up cleanly with the access-control and risk-mitigation points of focus, and it’s increasingly what auditors expect a mature control environment to look like. Formal disclosure of subservice providers — the cloud hosts, payment processors, and SaaS tools you rely on — has also become close to universal in current reports, reflecting how much modern software depends on a chain of vendors rather than a single company’s own infrastructure.

Who Actually Needs SOC 2

If your product stores, processes, or transmits customer data — especially in the cloud — SOC 2 questions will find you eventually. Only about 7% of companies with under $1M in funding are SOC 2 compliant, compared to 45% of companies generating over $100M in annual revenue. That gap isn’t a coincidence — it tracks almost exactly with when enterprise procurement starts gating deals behind a compliance report.

You’ll typically need SOC 2 Compliance  when:

  • An enterprise prospect’s security questionnaire lists it as a requirement
  • A deal is stuck in vendor risk review with no way to move forward
  • Investors or board members want independent assurance before a raise or exit
  • You’re competing against vendors who already have a report and you don’t

The Common Criteria (CC-Series)

Underneath the five TSCs sits a shared foundation called the Common Criteria — the CC1 through CC9 series that every SOC 2 audit touches, regardless of which optional criteria you select.

Code Focus area
CC1 Control Environment — governance, ethics, oversight
CC2 Communication & Information — reporting responsibilities clearly
CC3 Risk Assessment — identifying threats to objectives
CC4 Monitoring Activities — ongoing control evaluation
CC5 Control Activities — policies enforcing practice
CC6 Logical & Physical Access — the access-control core
CC7 System Operations — detection & incident response
CC8 Change Management — controlled system changes
CC9 Risk Mitigation — vendor and business-continuity risk

  How B4Q Assurance helps : As a licensed U.S. CPA firm (AICPA) handling SOC 1, SOC    2, and SOC 3 engagements, B4Q Assurance works with you during scoping to select     the Trust Services Criteria that genuinely match your risk profile and customer     commitments — not a one-size-fits-all checklist.

How a SOC 2 Audit Actually Runs

A SOC 2 Compliance moves through five stages. Type II audits repeat the observation stage over months rather than a single point in time.

Scoping: identify which systems handle customer data and which TSCs apply to your business    model.

Gap assessment: compare current controls against the chosen criteria and flag missing evidence, policies, or tooling.

Remediation: implement or document the controls needed to close identified gaps.

Observation period: for Type II, controls must operate consistently across the review window — this is where continuous monitoring matters most.

Audit and report: an independent CPA firm tests controls and issues an opinion — unqualified (clean), qualified, or adverse.

What It Costs and How Long It Takes

Cost bucket Type I range Type II range Notes
Auditor fees Mid four to low five figures (USD) Low five figures and up Varies by scope, TSC count, and firm reputation
Readiness / tooling platform High four to low five figures / year Same Priced by headcount, frameworks, environment complexity
Remediation work $1,000–$10,000+ Same Depends on how many control gaps exist
Internal engineering time 100–200+ hours Same Often the most underestimated cost

Typical end-to-end timelines run 2–4 months for Type I and 6–12 months for Type II once the observation period is included.

SOC 2 vs. ISO 27001

SOC 2 ISO 27001
Issued by CPA firm (AICPA standard) Accredited certification body
Output Attestation report Certificate
Structure Principle-based (TSC) Prescriptive (ISMS + Annex A controls)
Primary market North America / SaaS buyers Global, especially EU / APAC
Renewal Annual report 3-year cycle with annual surveillance

Common Mistakes When Scoping Trust Services Criteria

  • Including all five criteria “just to be safe”, which inflates cost and audit time unnecessaril
  • Excluding Availability or Processing Integrity when customer SLAs already require it
  • Confusing Confidentiality with Privacy and mapping controls to the wrong criterion
  • Never revisiting scope as the business or product changes

Ready to Start Your SOC 2 Journey?

Choosing the right Trust Services Criteria, scoping your audit correctly, and working with a licensed CPA firm that actually understands SaaS and technology companies makes the difference between a smooth audit and a nine-month headache. B4Q Assurance CPA PC works with organizations across the US on SOC 1, SOC 2, and SOC 3 engagements — from initial readiness assessment through Type I and Type II reporting.

Book a free strategy call to talk through which Trust Services Criteria actually make sense for your business before you commit to a full audit scope.

Official Resources & Further Reading

The primary sources below are useful for verifying exact control language and for anyone comparing SOC 2 Compliance to adjacent frameworks.

AICPA – Trust Services Criteria (TSP Section 100): The official 2017 Trust Services Criteria document, with revised points of focus (2022) — the primary source auditors test against (free account required to download). 

https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022

AICPA – SOC 2 Framework Mappings: Official mappings from the Trust Services Criteria to ISO 27001, NIST 800-53, and the CSA Cloud Controls Matrix — useful when pursuing more than one framework.

 https://www.aicpa-cima.com

ISO/IEC 27001: The official international standard, for organizations comparing SOC 2 against ISO 27001 or planning to pursue both.

 https://www.iso.org/standard/27001

AICPA – SOC 2 Description Criteria: A companion document governing how a service organization’s system description should be written for the audit report — separate from, but required alongside, the Trust Services Criteria. 

https://www.aicpa-cima.com/resources/download/get-description-criteria-for-your-organizations-soc-2-r-report

FAQs

Is SOC 2 a Compliance?

 SOC 2 produces an attestation report from an independent CPA firm, not a certificate from an accreditation body like ISO 27001.

Security is always required. The rest depend on your product — Availability if uptime is contractually promised, Processing Integrity if you transform or calculate data, Confidentiality for sensitive business data, and Privacy if you handle significant personal data.

Reports typically cover a defined period and are renewed annually to remain relevant for procurement and vendor-review processes.

Yes — many pursue Type I early as a readiness signal, then move to Type II once controls have operated consistently for a few months.

Contact Us
Categories
Latest Posts

SOC 2 Compliance Framework: Trust Services Criteria Explained

SOC 2 Compliance Framework: Trust Services Criteria Explained Every SOC 2 Compliance — Type I or Type II — is built on five criteria defined by the AICPA. This guide breaks down what each one means, how auditors test it, what it costs, and how to decide which criteria your organization actually needs. What SOC 2 Actually Is SOC 2 Compliance  (Service Organization Control 2) is a voluntary attestation standard created by the American Institute of Certified Public Accountants (AICPA). Unlike a certification with a pass/fail badge, SOC 2 produces a report — an independent CPA firm’s opinion on whether your internal controls meet the Trust Services Criteria (TSC) you’ve chosen to be evaluated against. The framework is deliberately principle-based rather than checklist-based. It doesn’t tell you which firewall to buy or which MFA tool to use — it tells you the outcome your controls need to achieve, and lets you design the specific mechanics around your own architecture. Attribute Type I Type II What it measures Controls are suitably designed at a single point in time Controls are designed and operating effectively over a review period Typical duration Snapshot (one date) 3–12 months of observation Buyer perception Good starting

What do you think?