SOC 2 is structured around five Trust Service Criteria (TSC), and within these TSC there are sub-criteria and points of focus. The SOC 2 TSC represent the foundation of the entire SOC 2 audit and reporting process, as these are the criteria against which your policies, processes and controls will be evaluated. Of the five TSC, the only mandatory one is security. The other four TSC (availability, processing integrity, confidentiality, and privacy) are optional, and can be selected by your organisation based on their relevance to the service being audited and your clients’ expectations.

Security: The largest TSC, covering a range of aspects including governance, risk management, access management, and how you secure and validate the security of your services. In many ways, this TSC is similar to an information security management system (ISMS) and the key control areas from ISO 27001.

Availability: Aimed at assuring clients that you can fulfil uptime and availability commitments in relation to your service(s). For example, if you are a SaaS provider, your clients will almost certainly have expectations around how you will ensure that you maintain the appropriate availability of that service and, as such, availability would be a valid TSC for you.

Processing integrity: Relevant if the services being audited involve the processing of a client’s data, i.e., client data is input into your service and the processing of that data produces an output. It covers areas such as data flow and how you validate inputs and outputs, and is concerned with how complete, valid, accurate, timely and authorised your system processing is.

Confidentiality: Concerned with the controls you have implemented to maintain the confidentiality and availability of information. This TSC is often based on contractual obligations that relate to managing the confidentiality of your client’s data and will cover aspects such as your information classification and handling policy.

Privacy: Relates to services that involve the handling of personally identifiable information (PII), i.e., the personal data of individuals. Here, your privacy policy and controls around access to PII will be relevant.

On our path of growing our business, we have found in URM a very capable and knowledgeable consultancy firm to guide and structure our processes towards SOC 2 compliance. The consultancy by URM played an essential role in building our competences and expanding the compliance framework for our SaaS-based propositions.
Scientific data platform
I am pleased to recognise the work of the URM internal auditor with whom we have worked. Throughout all the audits carried out, he has consistently demonstrated professionalism, diligence, and a commitment to excellence in every task undertaken. Thanks to his efforts, we have achieved a very successful first stage ISO 27001:2022 certification audit, with zero findings noted, which has positioned us on track for the second stage audit and for long-term success.