What are the Trust Services Criteria (TSC)?

Trust Services Criteria (TSC) are a standardized set of principles developed by the AICPA to evaluate how organizations safeguard systems and data. They underpin SOC 2 reporting and focus on five areas: security, availability, processing integrity, confidentiality, and privacy, helping auditors assess whether controls are properly designed and effective.

Why the Trust Services Criteria matter for SOC 2

The Trust Services Criteria form the foundation of SOC 2 audits. They translate high-level security expectations into criteria against which an organization's controls can be objectively tested by an auditor.

The five categories are:

  • Security (mandatory): Protects systems and information against unauthorized access, disclosure, and damage
  • Availability: Ensures systems are operational and usable when needed
  • Processing Integrity: Assesses whether data processing is complete, valid, accurate, timely, and authorized
  • Confidentiality: Safeguards information designated as confidential, such as sensitive business data
  • Privacy: Governs how personal information is collected, used, retained, disclosed, and disposed of

While all five are important, only Security is required for every SOC 2 report. The remaining criteria depend on the organization’s services and compliance scope.

How organizations implement Trust Services Criteria

To meet these criteria, organizations must design, document, and enforce controls aligned with each in-scope category. Auditors then assess those controls based on the SOC 2 report type.

Evaluation approach:

  • SOC 2 Type I: Evaluates whether controls are suitably designed and implemented as of a specific point in time
  • SOC 2 Type II: Evaluates whether controls are suitably designed and have operated effectively over a defined review period

Common implementation practices include:

  • Conducting risk assessments and continuous monitoring
  • Enforcing role-based access and least privilege policies
  • Encrypting sensitive data at rest and in transit
  • Maintaining audit logs and incident response processes
  • Managing endpoints, users, and third-party access

Criteria                Example control
Security                Multi-factor authentication (MFA)
Availability            Disaster recovery and uptime monitoring
Processing Integrity    Automated validation and error checks
Confidentiality         Role-based data access restrictions
Privacy                 Data consent and retention policies

Trust Services Criteria and endpoint management

Endpoints like laptops, smartphones, and tablets are critical to meeting Trust Services Criteria, especially for Security and Confidentiality. Poorly managed devices increase the risk of unauthorized access and data exposure.

Hexnode Pro Tip:

Hexnode UEM can support endpoint security and compliance workflows through capabilities such as compliance policies, device management, and patch management.

  • Compliance policies, including encryption-related restrictions on supported platforms such as iOS and Windows
  • Conditional access integrations that work with identity providers
  • Centralized compliance monitoring and patch management workflows for supported desktop platforms, including Windows and macOS
  • Management of both BYOD and corporate-owned devices

These capabilities help IT teams enforce security and compliance policies across managed devices and produce the evidence auditors ask for.

Key takeaway

Trust Services Criteria give organizations and their IT admins a structured framework for demonstrating that security and data protection controls are properly designed and operating effectively for SOC 2 compliance.

FAQ

  • What is included in the Trust Services Criteria?
    Five categories: security, availability, processing integrity, confidentiality, and privacy, used to evaluate how effectively an organization protects systems and data.
  • How do Trust Services Criteria relate to SOC 2?
    They define the control framework used in SOC 2 audits to assess whether an organization’s systems and processes meet established security and compliance standards.