SOC 2 Trust Services Criteria: Which Ones You Actually Need to Pick

Key Takeaways

  • Security is the only mandatory Trust Services Criteria category in a SOC 2 audit

  • Each optional category expands controls, evidence collection, and audit cost permanently

  • Availability belongs in scope when your contracts promise uptime or SLAs

  • Confidentiality fits when you hold sensitive business data under NDA or contract

  • Customer contracts and security questionnaires should drive the selection, not instinct

The Trust Services Criteria menu has five categories: one is mandatory, and every additional one you select expands your audit scope for as long as you keep reporting. Choosing well at the start is one of the cheapest SOC 2 decisions you will ever make, and choosing badly is one of the most annoying to unwind.

What the five categories actually cover

Security covers the common criteria: access controls, system monitoring, incident response, change management, and risk assessment. Availability adds uptime commitments, disaster recovery, backups, and capacity planning. Confidentiality covers how you protect and dispose of sensitive non-public business data. Processing integrity addresses whether systems process data completely, accurately, and on time. Privacy applies the criteria to personal information against your own privacy notice.

Every category beyond Security layers additional criteria on top of the common set, which means more controls, more evidence, and more audit hours.

Why Security is the floor

Security is required in every SOC 2 examination because the common criteria are the foundation the other categories build on. A Security-only report is a legitimate, complete SOC 2, and for many growth-stage SaaS companies it is the right first report. There is no rule that says more categories equal more credibility. A clean Security-only Type 2 beats a sprawling five-category report with exceptions.

When Availability earns its place

Add Availability when your customer contracts include uptime commitments, SLAs, or service credits, or when your buyers run mission-critical workloads on your platform. The criteria formalize what you already promised: monitoring, disaster recovery, backup, and continuity planning. If your MSA says 99.9 percent, an Availability opinion shows you can operationally back the number.

If you have no contractual uptime commitments and no enterprise buyer asking, Availability is scope you are buying early. It can wait for a later report period.

When Confidentiality earns its place

Add Confidentiality when you store or process sensitive business data under NDA or contractual confidentiality obligations: financial records, deal data, proprietary models, anything a customer would call a trade secret. The criteria cover identification, protection, retention, and defensible disposal of that data.

Note the boundary: Confidentiality covers sensitive business information, while personal information belongs to the Privacy category. Most B2B SaaS companies with enterprise customers have a real case for Confidentiality. Fewer have one for Privacy.

Processing integrity and privacy: the rare picks

Processing integrity fits platforms where the output itself is the product promise: payments, billing, payroll, claims processing, anything where a wrong number is the worst-case failure. Privacy fits companies that make consumer-facing privacy commitments and want them independently examined. Both are heavyweight additions, and both are frequently selected for the wrong reason: because they sound thorough.

If you handle personal data as a B2B processor, your customers usually care more about your Security controls and your DPA than a Privacy category opinion. Save Privacy for when a regulator or a major contract actually demands it.

What each addition costs you

Every category you add expands the control set, the evidence collection burden, the audit fee, and the annual maintenance, and the expansion is permanent as long as the category stays in scope. Dropping a category from a later report invites questions you do not want in a sales cycle. The asymmetry is the decision rule: adding later is easy, removing later is awkward.

How to make the call

Pull your three largest customer contracts and your last five security questionnaires, and list what they actually require. Uptime language points to Availability. Confidentiality clauses with data handling specifics point to Confidentiality. Nothing beyond security commitments points to a Security-only report. The selection should trace to documented customer demand, because that is also exactly how you will justify the scope to your auditor and your board.

Frequently Asked Questions

Is Security the only required SOC 2 Trust Services Criteria category?

Yes. Security (the common criteria) is mandatory in every SOC 2 examination, and the other four categories are optional additions based on your commitments and customer demands.

Can you add a Trust Services Criteria category to a later SOC 2 report?

Yes. Expanding scope in a future report period is routine, and starting narrow then adding when demand appears is the cost-efficient sequence.

Does adding more categories make a SOC 2 report stronger?

No. Categories signal breadth of coverage, not strength of security. A clean Security-only report is more persuasive than a broad report carrying exceptions.

If you have not yet mapped your customer contracts against the criteria categories, this is the week to do it. The exercise takes an hour and settles the scope debate with evidence instead of opinions.
