SOC 2 is built on the Trust Services Criteria (TSC), a framework developed by the AICPA that defines the controls required for service organizations. The TSC contains five categories, but only one is mandatory. Understanding which categories to include in your SOC 2 scope determines both your compliance effort and the value your report provides to customers.
## Security (Common Criteria) - Required
The Security category is the foundation of every SOC 2 report and the only mandatory category. It covers nine Common Criteria (CC1 through CC9) spanning control environment, communication, risk assessment, monitoring, logical and physical access, system operations, and change management.
The Common Criteria map closely to COSO internal control framework principles. They cover the governance, risk management, and operational controls that every service organization should have regardless of what optional categories they include.
## Availability - Most Common Optional
The Availability category covers controls that ensure your system is available for operation and use as committed. This includes infrastructure redundancy, disaster recovery, backup procedures, incident response, and capacity planning. If you have SLAs with customers that include uptime commitments, include Availability in your scope.
## Confidentiality
Confidentiality covers controls for protecting information designated as confidential. This includes data classification, encryption, access restrictions, and secure disposal. Include this category if you handle customer data that is not publicly available and your customers expect controls specifically addressing data confidentiality.
## Processing Integrity
Processing Integrity covers controls ensuring that system processing is complete, valid, accurate, timely, and authorized. This is relevant for financial processing systems, data analytics platforms, and any service where data accuracy is critical to the value you provide. It is less commonly included than Security and Availability.
## Privacy
Privacy covers controls for the collection, use, retention, disclosure, and disposal of personal information. This category aligns with generally accepted privacy principles and is relevant if you process personal data subject to privacy regulations like GDPR or CCPA.
| Category | Required | Common Use Case |
|---|---|---|
| Security | Yes | Every SOC 2 engagement |
| Availability | No | SaaS with uptime SLAs |
| Confidentiality | No | Handling sensitive customer data |
| Processing Integrity | No | Financial processing, data analytics |
| Privacy | No | Processing personal information |
Starting point: For your first SOC 2, start with Security + Availability. These two categories cover what most enterprise buyers expect and keep the scope manageable. Add Confidentiality in your second year if customers request it. Only add Privacy or Processing Integrity if your service specifically requires them.