Decoding the SOC 2 Common Criteria Definitions

In recent years, the AICPA has made updates to what’s involved in a SOC 2 examination. Previously called Trust Services Principles, or Trust Services Principles and Criteria, the AICPA has dropped “Principles” and now calls them Trust Services Criteria (TSC).

The updated trust services criteria are necessary on any report issued on or after December 15, 2018. For 2020, any reports should be reference and map to the 2017 trust services criteria.

In this article, we outline the trust services criteria and provide a clear explanation for exactly what each one means.

SOC2 compliance for MSPs

The Trust Services Framework

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five TSCs. They are as follows:

  • Security
  • Availability
  • Confidentiality
  • Privacy
  • Processing Integrity

Now let’s take a look at each one.

1. Security

Official Definition:

“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.”


The security principle refers to the protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of any software, and improper alteration or disclosure of information.

2. Availability

Official Definition:

“Information and systems are available for operation and use to meet the entity’s objectives. Availability refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers.”


Availability is a commonly included TSC since providing evidence that systems are available for operation is key to many clients of service organizations. What it boils down to is the reliability of your systems.

Most MSPs will have contractual requirements or service level agreements (SLAs) in place around the services being provided. So, it’s a commonly include TSC in any SOC 2 audit.

3. Confidentiality

Official Definition:

“Information designated as confidential is protected to meet the entity’s objectives.”


Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organizations. In practice, this means:

  • Locking and securing paper documents
  • Using only approved business software for storing and processing confidential information
  • Shredding paper documents when no longer needed
  • Enforcing a clean desk and clean screen policy

4. Privacy

Official Definition:

“Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”


It’s common to struggle with the difference between privacy and confidentiality. The difference between the two is that privacy controls protect personal information (name, social security number, address, etc.), and confidentiality protects non-personal information and data that is still classified as “confidential.

This graphic from PWC provides a simple but thorough run-through of the eight categories that the privacy criteria are organized around.

PWC Graphic

5. Processing Integrity

Official Definition:

“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”


Is information processed appropriately by your systems? In other words, the processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time).

Organizations like MSPs that provide tech services and systems to third parties will have heard about SOC 2.

The overall framework and end goal are simple: it’s designed to ensure that you process information securely.

If you’re required to pass a SOC 2 audit to partner with or provide services to other companies, you’re going to want to understand the SOC 2 TSCs in more detail. We hope this provides a solid jumping-off point.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
SUBSCRIBE for more resources
Related Content

What is Augmentt Academy?

  • Products
Augmentt believes that SaaS services is the single biggest source of opportunity for today’s MSP. The Augmentt Academy was designed to help our MSPs build and deliver profitable SaaS Services. [...]

Agent and Agentless

  • Products
When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick [...]
Augmentt’s multi-tenant solution gives MSPs visibility across all end-users to easily audit, protect and detect security threats facing the Microsoft environment and manage SaaS.

Want to get the latest resources in Saas Security?

Join our mailing list and we’ll only send you value-add content.