What are Trust Services Criteria?
Trust Services Criteria (TSC) are a set of principles developed by the AICPA that organizations can use to evaluate and report on controls relevant to security, availability, processing integrity, confidentiality, and privacy. They form the foundation of SOC 2 examinations.
The Five Categories
Security (Common Criteria): required for all SOC 2 reports
- Logical and physical access controls
- System operations
- Change management
- Risk mitigation
Availability
- System monitoring
- Data backup
- Disaster recovery
- Capacity planning
Processing Integrity
- Completeness
- Accuracy
- Timeliness
- Authorization
Confidentiality
- Identification of confidential information
- Protection of confidential information
- Disposal of confidential information
Privacy
- Notice
- Choice and consent
- Collection
- Use, retention, and disposal
- Access
- Disclosure
- Quality
- Monitoring and enforcement
Common Criteria (CC Series)
- CC1: Control Environment
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
Points of Focus
Each criterion includes "points of focus" that provide guidance on implementation but are not requirements themselves.
Complementary User Entity Controls (CUECs)
Controls that the service organization assumes its clients (the user entities) implement.