SOC 2 is structured around 5 Trust Service Criteria (TSC), and within these TSC there are sub-criteria and points of focus. The SOC 2 TSC represent the foundation of the entire SOC 2 audit and reporting process, as these are the criteria against which your policies, processes and controls will be evaluated. Of the 5 TSC, the only mandatory one is security. The other 4 TSC (availability, processing integrity, confidentiality, and privacy) are optional, and can be selected by your organisation based on their relevance to the service being audited and your clients’ expectations.

Security: The largest TSC, covering a range of aspects including governance, risk management, access management, and how you secure your services and validate that security. In many ways, this TSC is similar to an information security management system (ISMS) and the key control areas from ISO 27001.

Availability: Aimed at assuring clients that you can fulfil uptime and availability commitments in relation to your service(s). For example, if you are a SaaS provider, your clients will almost certainly have expectations around how you will ensure that you maintain the appropriate availability of that service and, as such, availability would be a valid TSC for you.

Processing integrity: Relevant if the services being audited involve the processing of a client’s data, i.e., client data is input into your service and the processing of that data produces an output. It covers areas such as data flow and how you validate inputs and outputs, and is concerned with how complete, valid, accurate, timely and authorised your system processing is.

Confidentiality: Concerned with the controls you have implemented to maintain the confidentiality and availability of information. This TSC is often based on contractual obligations that relate to managing the confidentiality of your client’s data and will cover aspects such as your information classification and handling policy.

Privacy: Relates to services that involve the handling of personally identifiable information (PII), i.e., the personal data of individuals. Here, your privacy policy and controls around access to PII will be relevant.
