SOC 2 is structured around 5 Trust Service Criteria (TSC), and within these TSC there are sub-criteria and points of focus. The SOC 2 TSC represent the foundation of the entire SOC 2 audit and reporting process, as these are the criteria against which your policies, processes and controls will be evaluated. Of the 5 TSC, the only mandatory one is security. The other 4 TSC (availability, processing integrity, confidentiality, and privacy) are optional, and can be selected by your organisation based on their relevance to the service being audited and your clients’ expectations.

Security: The largest TSC, covering a range of aspects including governance, risk management, access management, and how you secure and validate the security of your services. In many ways, this TSC is similar to an information security management system (ISMS) and the key control areas from ISO 27001.

Availability: Aimed at assuring clients that you can fulfil uptime and availability commitments in relation to your service(s). For example, if you are a SaaS provider, your clients will almost certainly have expectations around how you will ensure that you maintain the appropriate availability of that service and, as such, availability would be a valid TSC for you.

Processing integrity: Relevant if the services being audited involve the processing of a client’s data, i.e., client data is input into your service and the processing of that data produces an output. It covers areas such as data flow and how you validate inputs and outputs, and is concerned with how complete, valid, accurate, timely and authorised your system processing is.

Confidentiality: Concerned with the controls you have implemented to maintain the confidentiality and availability of information. This TSC is often based on contractual obligations that relate to managing the confidentiality of your client’s data and will cover aspects such as your information classification and handling policy.

Privacy: Relates to services that involve the handling of personally identifiable information (PII), i.e., the personal data of individuals. Here, your privacy policy and controls around access to PII will be relevant.

On our path of growing our business, we have found in URM a very capable and knowledgeable consultancy firm to guide and structure our processes towards SOC 2 compliance. The consultancy by URM played an essential role in building our competences and expanding the compliance framework for our SaaS-based propositions.
Scientific data platform

Related post: SOC 2 Explained (published 27 Mar 2025). URM’s blog answers key questions about SOC 2, including what it is and who it applies to, why it is beneficial, how SOC 2 reports are structured, and more.

We are immensely grateful to URM for their unwavering support, professionalism, and expertise throughout our ISO 27001 and Cyber Essentials Plus journey. Their guidance and strategic insights have been invaluable. With URM's continued partnership and support, we are confident in our ability to proactively address emerging threats and keep our business secure.