Readiness Guides
What Does SOC 2 Require? (The Five Trust Criteria Explained Simply)
Breaks down the Trust Services Criteria in practical terms: what they mean and how they show up in real companies.
Introduction
Once you understand what SOC 2 is and when you might need it, the next question becomes more practical:
What does SOC 2 actually require us to do?
This is where many companies start to feel overwhelmed. The language can be technical, and the requirements can seem unclear at first.
In reality, SOC 2 is built around a simple idea. It evaluates how your company operates across a small set of core areas that relate to security and trust.
These areas are called the Trust Services Criteria.
What Are the Trust Services Criteria?
The Trust Services Criteria define what auditors are evaluating during a SOC 2 audit.
There are five categories:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Every SOC 2 audit includes Security. The other four are included depending on your business and what your customers expect.
Each category represents a different aspect of how your systems and processes should operate. Together, they form the foundation of SOC 2.
Security (Required for Every SOC 2 Audit)
Security is the core of SOC 2. Every audit includes it.
This category focuses on protecting your systems from unauthorized access and ensuring that only the right people have access to the right resources.
In practice, this includes things like how you manage user accounts, how you control access to systems, how you monitor activity, and how you respond to incidents.
Auditors are looking for consistency. They want to see that access is granted appropriately, reviewed regularly, and removed when no longer needed. They also want to see that you are actively monitoring your systems and addressing issues when they arise.
For most companies, this is where the majority of effort is focused.
Availability
Availability focuses on whether your systems are up and running when customers need them.
This includes how you manage uptime, how you monitor system performance, and how you respond to outages or disruptions.
For example, auditors may look at how you track system availability, how you handle incidents, and whether you have processes in place to restore service if something goes wrong.
If your product is critical to your customers’ operations, availability becomes an important part of your SOC 2 scope.
Processing Integrity
Processing Integrity focuses on whether your system processes data accurately and completely.
This is especially relevant for systems that perform calculations, transactions, or data transformations.
Auditors want to understand whether your system behaves as expected. They may look at how you validate inputs, how you handle errors, and how you ensure that outputs are correct.
Not every company needs to include this category, but it becomes important if your customers rely on your system to produce accurate results.
Confidentiality
Confidentiality focuses on protecting sensitive information from unauthorized access.
This includes things like customer data, internal business information, and any other data that should not be exposed.
In practice, this involves how data is stored, how it is transmitted, and who has access to it. Auditors may review encryption practices, access controls, and data handling procedures.
If your company handles sensitive customer data, Confidentiality is often included in your SOC 2 audit.
Privacy
Privacy focuses specifically on personal information.
This includes how you collect, use, store, and share personal data. It also includes how you handle user consent and how you respond to requests related to personal information.
Privacy is typically included if your company processes personal data in a way that requires clear policies and controls around its use.
Not every SOC 2 audit includes Privacy, but it is relevant for companies whose handling of personal data goes beyond the incidental.
How These Criteria Apply in Practice
One of the most important things to understand is that SOC 2 does not give you a single checklist to follow.
Instead, it expects you to design controls that make sense for your business and then demonstrate that those controls are working.
For example, access control might look different for a small team compared to a larger organization. What matters is that access is managed in a consistent and secure way.
The Trust Services Criteria provide the framework, but your implementation should reflect how your company actually operates.
Choosing What Applies to You
Every SOC 2 audit includes Security. Beyond that, the scope depends on your business and your customers.
Some companies start with Security only and expand later. Others include additional criteria from the beginning based on customer expectations.
The right approach depends on what your customers care about and how your system is used.
Understanding the criteria helps you make informed decisions instead of guessing what might be required.
Common Misconceptions
A common misconception is that you need to include all five criteria. In reality, many companies begin with Security and add others over time.
Another misconception is that the criteria are purely technical. While technical controls are important, SOC 2 also looks at processes, documentation, and how your team operates.
Some companies also assume that the criteria dictate exactly how to build their systems. In practice, they provide guidance, not rigid instructions.
Practical Takeaways
SOC 2 is built around five core areas called the Trust Services Criteria. These define what auditors are evaluating.
Security is always required. The other criteria depend on your business and customer expectations.
The goal is not to follow a fixed checklist, but to implement controls that fit your company and demonstrate that they are working consistently.
Understanding these criteria gives you a clear picture of what SOC 2 is actually measuring.
What Comes Next
Now that you understand what SOC 2 requires, the next step is to understand how audits are structured.
Should you start with a Type I or a Type II audit?
In the next article, we will break down the difference and how most companies approach it.
If you're working toward SOC 2, building your processes around these core areas early can make the audit process much smoother and more predictable.