Which SOC 2 Trust Service Criteria Should You Include? A Decision Framework
Security is mandatory in every SOC 2 examination. The other four Trust Service Criteria—Availability, Confidentiality, Processing Integrity, and Privacy—are optional. Including the wrong ones wastes $2,000–$5,000 per criterion in additional audit costs and weeks of evidence collection. Excluding one your customers expect means repeating the audit with a broader scope later. Here’s how to decide which SOC 2 Trust Service Criteria to include.
Security (Common Criteria): Always Included
Every SOC 2 examination evaluates the Security criteria, organized into nine Common Criteria sub-categories (CC1–CC9). This covers governance, risk assessment, access controls, system operations, change management, and vendor management—33 controls total. You don’t choose this one. It’s the baseline of every SOC 2 report.
Which Optional SOC 2 Trust Service Criteria to Include
Availability (A1): Include If You Make Uptime Commitments
Include when:
- Your contracts include SLA uptime commitments (99.9%, 99.99%)
- You provide infrastructure or platform services where downtime directly impacts customer operations
- Customers have asked about your disaster recovery and business continuity practices
Skip when:
- Your service is asynchronous (batch processing, email-based workflows) where brief outages don’t materially affect customers
- You don’t make contractual uptime guarantees
Availability adds 3 criteria covering backup procedures, recovery testing, and business continuity planning. Most SaaS companies include it; it’s the most commonly included criterion after the mandatory Security criteria.
Confidentiality (C1): Include If You Handle Non-Personal Sensitive Data
Include when:
- You process client intellectual property, trade secrets, or financial data under NDA
- Your customers share confidential business information through your platform
- Contracts reference data classification or confidential information handling obligations
Skip when:
- All data you handle is either public or personal (personal data falls under Privacy, not Confidentiality)
- Your service generates outputs from customer inputs but doesn’t store the inputs
Confidentiality adds 2 criteria focused on identifying, protecting, and disposing of confidential information. It’s distinct from Privacy—Confidentiality covers non-personal sensitive data like trade secrets and internal business documents.
Processing Integrity (PI1): Include If Accuracy Matters to Your Customers
Include when:
- You process financial transactions where errors have direct monetary impact
- You run calculations, data transformations, or reports that customers rely on for business decisions
- Data completeness and accuracy are explicit service commitments in your contracts
Skip when:
- Your service is primarily storage, communication, or collaboration—not data processing
- Customers independently verify outputs before acting on them
Processing Integrity adds 5 criteria covering data validation, error handling, and output accuracy. This is the least commonly included criterion—only relevant for services where processing errors create direct business risk for customers.
Privacy (P1): Include If You Collect Personal Information
Include when:
- You collect, store, or process personally identifiable information (PII) on behalf of customers or their end users
- Your service involves consumer-facing data: names, emails, health records, financial records
- Customers ask about your privacy practices beyond what the Security criteria cover
Skip when:
- You only handle business data with no PII component
- Your customers’ end users don’t interact with your platform directly
Privacy adds 8 criteria aligned with the AICPA Generally Accepted Privacy Principles (GAPP), covering the full data lifecycle: collection, use, retention, disclosure, and disposal. This is the most labor-intensive optional criterion because of the documentation required at each stage.
Common Combinations by Company Type
| Company Type | Typical Scope | Why |
|---|---|---|
| B2B SaaS (most common) | Security + Availability | Customers expect uptime; data is business data, not personal |
| Data analytics / processing | Security + Availability + Processing Integrity | Customers rely on output accuracy for decisions |
| Healthcare SaaS | Security + Availability + Privacy | HIPAA-adjacent; personal health information in scope |
| Financial services platform | Security + Availability + Confidentiality + Processing Integrity | Sensitive financial data plus transaction processing |
| HR / payroll platform | Security + Availability + Privacy + Confidentiality | Employee PII plus confidential compensation data |
What Each Additional Criterion Costs
Each optional Trust Service Criterion increases your audit cost by $2,000–$5,000 and adds 2–4 weeks of evidence preparation time. The incremental cost isn’t just the audit firm’s fees—it’s the internal time spent documenting controls, collecting evidence, and maintaining additional policies throughout the observation period.
For a first-time Type II audit, a Security-only scope runs approximately $20,000–$40,000 total (including compliance platform and audit firm fees). A full 5-criterion scope runs $35,000–$70,000+. The difference isn’t worth paying unless your customers contractually require the additional criteria or your service model genuinely demands the broader assurance.
If you already hold ISO 27001 certification, roughly 80% of SOC 2’s Security controls overlap—reducing both audit scope and cost. Other frameworks like CMMC, HIPAA, and PCI-DSS also have significant overlap that can reduce your incremental effort.
Assess Your TSC Scope
Not sure which criteria apply to your service? PlainAudit’s free SOC 2 gap assessment starts with a scope wizard that helps you select the right Trust Service Criteria based on your service model, industry, and existing certifications. It then evaluates your readiness across all selected criteria and calculates framework overlap—so you can see exactly how much of the SOC 2 work your current compliance already covers.