SOC 2 Requirements Explained: The Five Trust Service Criteria

Posted: March 25, 2026 to Compliance.

SOC 2 requirements are defined by the American Institute of Certified Public Accountants (AICPA) through five Trust Service Criteria that evaluate how organizations protect customer data: Security, Availability, Processing Integrity, Confidentiality, and Privacy. For SaaS startups pursuing enterprise sales, understanding these five criteria and what auditors evaluate within each one is the first step toward achieving a clean SOC 2 report. Petronella Technology Group has guided 47 SaaS companies through SOC 2 certification since 2020, with a 100 percent first-audit pass rate across all engagements.

Key Takeaways

  • Security (Common Criteria) is mandatory for every SOC 2 audit. The other four criteria are optional and selected based on your business and customer requirements.
  • Most SaaS companies select Security + Availability + Confidentiality for their first SOC 2 audit. This combination satisfies 90 percent of enterprise procurement requirements.
  • The Security criterion contains 33 control points organized across nine categories, from risk assessment to monitoring.
  • SOC 2 is principles-based, not prescriptive. The criteria define what you must achieve, not how. This gives startups flexibility to implement controls appropriate to their size and technology stack.
  • PTG maps SOC 2 criteria to your existing controls, identifying gaps and implementing only what is missing rather than rebuilding from scratch.

Overview: The Five Trust Service Criteria

| Criterion            | What It Evaluates                                                   | Required?    | Common For                          |
|----------------------|---------------------------------------------------------------------|--------------|-------------------------------------|
| Security             | Protection against unauthorized access                              | Yes (always) | All SaaS companies                  |
| Availability         | System uptime and performance commitments                           | Optional     | SaaS with SLA commitments           |
| Processing Integrity | Accurate, complete, timely data processing                          | Optional     | FinTech, data analytics platforms   |
| Confidentiality      | Protection of confidential information                              | Optional     | B2B SaaS handling sensitive data    |
| Privacy              | Collection, use, retention, and disposal of personal information    | Optional     | Consumer-facing SaaS, health tech   |

Criterion 1: Security (Common Criteria)

The Security criterion, also called the Common Criteria, is the foundation of every SOC 2 audit. It contains 33 control points organized into nine categories that auditors evaluate:

CC1: Control Environment

The tone from the top. Auditors evaluate whether your organization demonstrates commitment to integrity, has a functioning board or oversight body, establishes organizational structure with clear reporting lines, demonstrates commitment to competent personnel, and enforces accountability for internal controls. For startups, this translates to documented security policies approved by leadership, defined security roles and responsibilities, and evidence that security is prioritized in decision-making.

CC2: Communication and Information

How security information flows within your organization and to external parties. Auditors look for internal security communications (policies, training, awareness programs), external communications (security disclosures, incident notifications), and information quality processes that ensure security data is accurate and timely.

CC3: Risk Assessment

Your process for identifying, analyzing, and managing risks. This includes a documented risk assessment methodology, a risk register with identified threats and vulnerabilities, risk treatment plans with assigned owners, and regular reassessment (annual minimum). The risk assessment is the most frequently cited deficiency in SOC 2 audits. PTG conducts comprehensive risk assessments for startup clients as the first step in every SOC 2 engagement.

CC4: Monitoring Activities

How you detect and correct control deficiencies. Auditors evaluate ongoing monitoring processes, periodic evaluations of control effectiveness, and communication of deficiencies to responsible parties with timely remediation.

CC5: Control Activities

The specific controls you implement to address risks. This includes technology controls (firewalls, encryption, access controls), policies and procedures that govern operations, and segregation of duties where appropriate.

CC6: Logical and Physical Access Controls

The most evidence-intensive category for SaaS companies. Auditors verify user authentication mechanisms (MFA enforcement), authorization and access provisioning processes, access modifications and revocations (quarterly reviews), physical security of data center facilities, and management of credentials and secrets.
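The three CC6 checks that generate the most audit evidence for a SaaS company (MFA enforcement, quarterly access reviews, and timely revocation) can be produced from an identity export rather than assembled by hand. The script below is an added example, not PTG's tooling or an AICPA artifact; the export format, the 90-day review interval, the one-day revocation window, and the user rows are all constructed assumptions, and a real run would read the roster from your identity provider or HR system.

```python
"""Access-review checker for the CC6 evidence questions discussed above.

Added example (not from the original page or from PTG). The roster shape,
the review interval, and the revocation window are assumptions.
"""
from datetime import date

REVIEW_INTERVAL_DAYS = 90   # "quarterly" access reviews
REVOCATION_SLA_DAYS = 1     # assumption: access removed within one day of offboarding
REPORT_DATE = date(2026, 3, 25)  # constructed "as of" date for the sample run

# Constructed sample identity export: one row per account.
SAMPLE_ROSTER = [
    {"user": "alice", "role": "engineer",   "mfa": True,  "active": True,
     "last_reviewed": date(2026, 2, 1),  "terminated_on": None},
    {"user": "bob",   "role": "admin",      "mfa": False, "active": True,
     "last_reviewed": date(2026, 3, 1),  "terminated_on": None},
    {"user": "carol", "role": "support",    "mfa": True,  "active": True,
     "last_reviewed": date(2025, 11, 1), "terminated_on": None},
    {"user": "dave",  "role": "engineer",   "mfa": True,  "active": True,
     "last_reviewed": date(2026, 3, 1),  "terminated_on": date(2026, 3, 10)},
    {"user": "erin",  "role": "contractor", "mfa": True,  "active": False,
     "last_reviewed": date(2025, 6, 1),  "terminated_on": date(2025, 7, 1)},
]


def review_findings(roster, as_of):
    """Return (user, finding) pairs for every active account that fails a CC6 check.

    Checks, in order per account:
      MFA_NOT_ENFORCED   - active account without MFA
      REVOCATION_OVERDUE - user offboarded but account still active past the SLA
      REVIEW_OVERDUE     - last access review older than the review interval
    Disabled accounts are skipped: they are already revoked.
    """
    findings = []
    for acct in roster:
        if not acct["active"]:
            continue
        if not acct["mfa"]:
            findings.append((acct["user"], "MFA_NOT_ENFORCED"))
        term = acct["terminated_on"]
        if term is not None and (as_of - term).days > REVOCATION_SLA_DAYS:
            findings.append((acct["user"], "REVOCATION_OVERDUE"))
        if (as_of - acct["last_reviewed"]).days > REVIEW_INTERVAL_DAYS:
            findings.append((acct["user"], "REVIEW_OVERDUE"))
    return findings


def evidence_summary(roster, as_of):
    """Headline numbers an auditor asks for: population size, exceptions, pass/fail."""
    findings = review_findings(roster, as_of)
    active = [a for a in roster if a["active"]]
    return {
        "as_of": as_of.isoformat(),
        "active_accounts": len(active),
        "exceptions": len(findings),
        "clean": not findings,
    }


if __name__ == "__main__":
    for user, finding in review_findings(SAMPLE_ROSTER, REPORT_DATE):
        print(f"{user:8s} {finding}")
    print(evidence_summary(SAMPLE_ROSTER, REPORT_DATE))
```

Run on a schedule and keep each dated output; the series of reports is itself the evidence that reviews happen quarterly, and each non-empty finding list is a remediation ticket with an owner.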

CC7: System Operations

How you manage system operations to detect and respond to anomalies. This covers security monitoring and alerting, vulnerability management (scanning and remediation timelines), change detection and configuration management, and incident response procedures and testing.

CC8: Change Management

Controls over system changes. Auditors evaluate change authorization processes (code review, approval gates), testing procedures before production deployment, emergency change procedures with post-deployment review, and infrastructure change management (infrastructure as code preferred).

CC9: Risk Mitigation

How you manage risks through vendor management, business continuity planning, and insurance. This includes vendor security assessments and ongoing monitoring, business continuity and disaster recovery plans with testing, and risk transfer mechanisms (cyber insurance).

Criterion 2: Availability

The Availability criterion evaluates whether your system meets its uptime and performance commitments. If your SaaS product has Service Level Agreements (SLAs) with customers, include Availability in your SOC 2 scope.

Auditors evaluate:

  • Capacity management: How you monitor and plan for system capacity to maintain performance under load. Evidence includes capacity monitoring dashboards, scaling policies, and load testing results.
  • Disaster recovery: Backup procedures, recovery objectives (RTO/RPO), failover capabilities, and DR test results. Auditors want evidence of at least one successful DR test per year.
  • Incident management for availability: How you detect, respond to, and communicate about outages. Evidence includes status page history, incident postmortems, and customer communication procedures.
  • Environmental protections: Physical infrastructure protections against environmental threats (power redundancy, cooling, fire suppression) at your data center facilities.

Criterion 3: Processing Integrity

Processing Integrity evaluates whether system processing is complete, valid, accurate, timely, and authorized. This criterion is most relevant for SaaS companies whose core value proposition depends on data accuracy (financial calculations, analytics platforms, reporting tools).

Auditors evaluate:

  • Input validation: Controls that ensure data entering the system is complete and accurate.
  • Processing controls: Mechanisms that detect and correct processing errors.
  • Output validation: Verification that outputs are complete and accurate before delivery to customers.
  • Error handling: Procedures for identifying, recording, and resolving processing errors.

Criterion 4: Confidentiality

The Confidentiality criterion evaluates how you protect information designated as confidential. For B2B SaaS companies, this covers customer data, proprietary information, intellectual property, and any data your customers classify as confidential.

Auditors evaluate:

  • Data classification: A documented scheme that identifies confidentiality levels and assigns appropriate protections to each.
  • Encryption: AES-256 at rest and TLS 1.3 in transit for all confidential data, together with documented key management practices and rotation schedules.
  • Access restrictions: Confidential data accessible only to authorized personnel on a need-to-know basis.
  • Data retention and disposal: Documented retention periods with secure deletion procedures when data reaches end of life.

Criterion 5: Privacy

The Privacy criterion evaluates how you handle personal information throughout its lifecycle. It aligns with the AICPA's Generally Accepted Privacy Principles and covers:

  • Notice: Providing individuals with clear information about how their personal data is collected, used, and shared.
  • Choice and consent: Obtaining appropriate consent for data collection and providing opt-out mechanisms.
  • Collection: Limiting data collection to what is necessary for the stated purpose.
  • Use, retention, and disposal: Using personal information only for stated purposes, retaining it only as long as needed, and disposing of it securely.
  • Access: Providing individuals with access to their personal information and the ability to update or correct it.
  • Disclosure to third parties: Controlling and documenting sharing of personal information with third parties.
  • Security for privacy: Technical and organizational measures to protect personal information.
  • Quality: Maintaining accurate, complete personal information.
  • Monitoring and enforcement: Procedures for addressing privacy-related complaints and violations.

Choosing Which Criteria to Include

For Series B startups pursuing their first SOC 2 audit, PTG recommends this decision framework:

  • Always include Security: It is mandatory and covers the broadest set of controls.
  • Add Availability if you have SLAs with customers, your product is mission-critical for customers, or enterprise buyers specifically request it. Most B2B SaaS companies should include it.
  • Add Confidentiality if you process data that customers classify as confidential, you handle trade secrets or intellectual property, or your customers are in regulated industries. Recommended for most B2B SaaS.
  • Add Processing Integrity if your product performs financial calculations, data analytics, or reporting where accuracy is critical to customer operations.
  • Add Privacy if you collect and process personal information directly from end users, you operate in jurisdictions with strong privacy laws (EU, California), or your product is consumer-facing.

Starting with Security + Availability + Confidentiality covers the requirements of 90 percent of enterprise procurement processes. Add Processing Integrity and Privacy based on specific customer demands or regulatory requirements.

How PTG Implements SOC 2 Controls

PTG takes a gap-based approach to SOC 2 implementation. Rather than building every control from scratch, we map your existing practices to SOC 2 criteria and implement only what is missing:

  1. Current state assessment: We evaluate your existing controls against all selected criteria. Most startups already satisfy 30 to 50 percent of requirements through good engineering practices.
  2. Gap remediation: We implement missing controls, prioritized by audit importance and implementation effort. Policy development, technical controls, and process documentation happen in parallel.
  3. Evidence preparation: We compile evidence packages aligned with each criterion, organized for auditor review.
  4. Auditor coordination: We coordinate with your selected CPA firm, manage evidence submission, and support walkthrough calls.
  5. Continuous compliance maintenance: After the initial audit, we monitor controls, collect evidence automatically, and prepare for annual re-audits.

Craig Petronella, CMMC-RP and CMMC-CCA, notes that the most efficient SOC 2 implementations integrate compliance with AI infrastructure and cybersecurity programs rather than treating compliance as a separate initiative.

Frequently Asked Questions

What is the difference between SOC 2 and SOC 1?

SOC 1 evaluates controls relevant to financial reporting, while SOC 2 evaluates controls relevant to security, availability, processing integrity, confidentiality, and privacy. SaaS companies almost always need SOC 2 (not SOC 1) because their customers are concerned about data security, not financial statement auditing. The only exception is SaaS products that directly affect customer financial reporting (payroll systems, accounting platforms), which may need both SOC 1 and SOC 2.

Can we start with fewer criteria and add more later?

Yes. PTG recommends starting with Security + Availability + Confidentiality for your first audit, then adding Processing Integrity or Privacy in subsequent audit cycles if customer requirements demand it. Each additional criterion adds 10 to 20 percent to audit scope and cost. Starting smaller allows you to establish baseline compliance faster while leaving room to expand.

How often do SOC 2 requirements change?

The AICPA updates Trust Service Criteria periodically, with the most recent significant update in 2022. The 2025 supplemental guidance added AI-specific considerations within the existing criteria framework. Changes are typically incremental, not revolutionary. PTG tracks all updates and adjusts client compliance programs when criteria change, ensuring continuous readiness without disruption.

Understand Your SOC 2 Requirements

PTG evaluates which Trust Service Criteria your startup needs and builds a compliance roadmap that gets you audit-ready in 90 days. 100 percent first-audit pass rate across 47 engagements.

Call 919-348-4912 or schedule a SOC 2 scoping call to start your compliance journey.

Petronella Technology Group, Inc. | 5540 Centerview Dr. Suite 200, Raleigh, NC 27606

About the Author

Craig Petronella, CEO and Founder of Petronella Technology Group
CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
