By Editorial team
What the five Trust Services Criteria are, why Security is the only mandatory category, and how the 2017 criteria with 2022 points of focus actually get applied.
The Trust Services Criteria (TSC) are the AICPA-published rubric every SOC 2 examination is graded against. They tell auditors what they're looking for and tell service organizations what they have to demonstrate. Five categories — Security, Availability, Processing Integrity, Confidentiality, Privacy — cover roughly 60 criteria in total, plus several hundred 'points of focus' that describe how a control might satisfy each criterion.
Security is mandatory in every SOC 2. The other four are optional and added based on what your service actually does and what your customers care about.
Most criteria in the Security category — risk assessment, monitoring, change management — apply equally to the other four categories. Rather than restating those criteria four more times, the AICPA designates the Security criteria as 'common' and reuses them. If you add Availability to your scope, the Availability-specific criteria (A1.1, A1.2, A1.3) layer on top of the common criteria; you don't re-test risk assessment for Availability separately.
The criteria themselves haven't changed since 2017. What changed in 2022 was the 'points of focus' — the implementation guidance attached to each criterion. The AICPA refreshed points of focus to address modern concerns: cloud configuration, third-party risk, vendor concentration, ransomware, and remote workforce considerations. The criteria are stable; the supporting guidance is current.
Points of focus are not a checklist. The AICPA explicitly notes that not every point of focus is relevant for every service organization, and meeting them is not required to pass an examination. They are illustrative — examples of what 'meeting' a criterion might look like.
This is where many founders get confused. The TSC don't tell you which controls to implement. They tell you what control objectives the system has to achieve. You — with your auditor and (often) your compliance platform — design the actual controls that map to each criterion. CC6.1 ('logical access security software, infrastructure, and architectures over protected information assets') might be satisfied by some combination of MFA, role-based access, SSO, and quarterly access reviews. The auditor evaluates whether your specific controls, as designed and operated, are reasonable.