SOC 2 Trust Services Criteria – Introduction & Overview
Let’s take a deep dive into the SOC 2 Trust Services Criteria and provide you with a clear and transparent understanding as you begin the process of becoming SOC 2 compliant. So, what exactly are the SOC 2 Trust Services Criteria? They are essentially the criteria that form the very basis of a SOC 2 audit, relying heavily on information security and data privacy best practices. The following five (5) Trust Services Criteria can be used when performing a SOC 2 audit:
- Security
- Availability
- Confidentiality
- Processing Integrity
- Privacy
Simply stated, when you decide to embark on the road towards SOC 2 compliance, you and your SOC 2 auditor will ultimately determine which of the five (5) Trust Service Criteria will be included within the scope of the engagement. Let’s take a look at each of them:
Security: The SECURITY TSP is the most commonly assessed TSP, and for good reason: it essentially sets the basis for the entire audit. In fact, the vast majority of service organizations undertaking SOC 2 compliance opt for just the SECURITY TSP, and nothing else. This is generally the case as they begin to trek into the world of compliance. After a few years, it is common to find that additional TSPs are added as part of the overall audit scope. Ultimately, it depends on the needs of your customers and what they demand and expect in terms of compliance.
As to the scope of the SECURITY TSP, it assesses a wide range of baseline information security and operational controls. Some of the areas covered include the following: access control, risk assessment, change control, physical security, and more. Again, the SECURITY TSP forms the very foundation of a SOC 2 audit. To learn more about SOC 2 compliance, please contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706, or by email, today.
Availability: The AVAILABILITY TSP revolves around the concept of having systems available, online, functioning, and communicating as necessary for business operations. For service organizations with cloud/SaaS offerings, the AVAILABILITY TSP is an essential element for SOC 2 reporting.
Confidentiality: The CONFIDENTIALITY TSP, not to be confused with the PRIVACY TSP (as it often is), revolves around the concept of identifying, designating, and ultimately protecting confidential information. As to the types of information, it can be almost any type of information deemed confidential, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and more. CONFIDENTIALITY also requires putting measures in place for destroying such information when necessary.
Processing Integrity: The PROCESSING INTEGRITY TSP is perhaps the least utilized of all the TSPs when it comes to SOC 2 compliance. PROCESSING INTEGRITY controls relate to the input of information, how that information is then processed, and how the resulting data is output. Think payroll companies (data in, data processed, and data out), medical claims billing, etc.
Privacy: The PRIVACY TSP has become profoundly important in recent years, due in large part to the growing need regarding the use, disclosure, and notification of sensitive data, much of it consumer data. Additionally, laws and regulations such as the GDPR and CCPA have shone an entirely new light on the world of data privacy. As a result, there has been a noticeable uptick in service organizations including the PRIVACY TSP within the scope of their SOC 2 audit.
NDB. North America’s Leading Provider of SOC 2 Compliance Audits
Looking for a firm with expertise, high-quality services, and attention to detail? Then look no further than the regulatory compliance experts at NDB. NDB also offers a wide range of additional services and solutions above and beyond SOC 2 compliance, such as PCI DSS assessments, HIPAA compliance, and much more. We have a household name all throughout the country, so let’s talk about your needs today.
Three Reasons to Choose NDB as your Next SOC 2 Auditor
Experience: We’ve been performing third-party audits since April 1992, beginning with the original SAS 70 auditing standard. That’s a long time indeed, and we have a long track record of success in the auditing world.
Pricing: NDB offers fixed-fees. Period. No hourly pricing. No hidden costs. Nothing. Just a fixed fee. Try that with other auditing firms.
Supporting Tools: From our industry leading SOC 2 Policy Packet to our online workflow management system, NDB offers clients a multitude of solutions that go above and beyond traditional SOC 2 auditing services. Our policy templates save businesses thousands of dollars, and our online SOC 2 portal is easy-to-use and implement.