What are the Trust Services Criteria?
Definition
Trust Services Criteria (TSC) are a set of five principles defined by the AICPA that form the basis for SOC 2 audits. The five categories are Security, Availability, Processing Integrity, Confidentiality, and Privacy, each containing specific control objectives that organizations must address.
In Depth
The Trust Services Criteria provide a structured framework for organizations to evaluate and report on their internal controls. Security (also called the Common Criteria) is mandatory for every SOC 2 engagement and covers logical and physical access controls, system operations, change management, and risk mitigation. The remaining four categories are optional and are selected based on the nature of the services provided. For example, a cloud hosting provider would likely include Availability, while a data analytics company processing PII would include Privacy. Each criterion maps to specific points of focus that guide both the organization in designing controls and the auditor in testing them, creating a common language between service organizations and their customers. Organizations should select the criteria they include based on customer expectations and the nature of their services.
Related Terms
SOC 2 Type II
SOC 2 Type II is an auditing standard developed by the AICPA that evaluates the effectiveness of an organization's controls over a sustained period, typically 6 to 12 months. Unlike Type I, which only assesses control design at a point in time, Type II verifies that controls are operating effectively throughout the observation window.
AICPA
The American Institute of Certified Public Accountants (AICPA) is the national professional organization of CPAs in the United States. The AICPA develops and maintains the SOC reporting framework, including SOC 1, SOC 2, and SOC 3 standards used to evaluate service organizations.
Data Classification
Data classification is the process of categorizing data based on its sensitivity level and the impact of unauthorized disclosure. Common tiers include Public, Internal, Confidential, and Restricted, each with corresponding handling and protection requirements.
Access Control
Access control encompasses the policies, procedures, and technical mechanisms that regulate who can view or use resources within a computing environment. It ensures that only authorized individuals can access specific systems, data, or physical locations based on their role and need.