GRC-Focused Overview of the Trust Services Criteria
The Trust Services Criteria (TSC), developed by the American Institute of Certified Public Accountants (AICPA), is one of the most widely recognized frameworks for evaluating cybersecurity assurance — especially for technology and service-oriented companies.
The TSC underpins System and Organization Controls (SOC) 2 and SOC 3 reporting. It is not a regulation or security standard in the technical sense, but rather a control framework designed to help organizations evaluate and report on the design and operating effectiveness of controls over data security, confidentiality, privacy, availability and processing integrity.
This page provides a cybersecurity-focused summary of the Trust Services Criteria from a GRC practitioner’s perspective, including the history of the framework, practical compliance strategies and the role of high-quality documentation to be secure, compliant and resilient.
Trust Services Criteria (TSC) (aka SOC 2)
No direct licensing fee for the framework itself, though SOC 2 examinations must be performed by a licensed CPA firm and involve significant engagement costs.
Yes. A CPA firm may issue a SOC 2 Type I or Type II report attesting to the design and/or operating effectiveness of controls.
TL / DR — Too Long / Didn't Read
The Trust Services Criteria (TSC), developed by the AICPA, is one of the most widely recognized frameworks for evaluating cybersecurity assurance, especially for technology and service-oriented companies. The TSC underpins SOC 2 and SOC 3 reporting. It is not a regulation or security standard in the technical sense, but rather a control framework designed to help organizations evaluate and report on the design and operating effectiveness of controls over data security, confidentiality, privacy, availability and processing integrity.
Origins of the Trust Services Criteria
The TSC traces its origins to the AICPA’s efforts to standardize assurance reporting on systems and controls in organizations that provide services to other entities. Prior to the introduction of SOC reports, Statement on Auditing Standards (SAS) 70 was often misapplied to IT environments, though it was originally designed for financial reporting audits.
Recognizing the need for a more IT- and cybersecurity-aligned assurance framework, the AICPA introduced Service Organization Control (SOC) reports in 2011 under the Statement on Standards for Attestation Engagements (SSAE) framework. SOC 1 covers controls relevant to financial reporting; SOC 2 covers controls relevant to the Trust Services Criteria; and SOC 3 covers the same criteria as SOC 2 in general-use reports without the confidential detail.
In 2017, the AICPA issued a major update structuring the criteria around five trust service categories, each supported by common and supplementary criteria, aligned to the COSO Internal Control–Integrated Framework and incorporating references to ISO 27001, NIST CSF, COBIT and GDPR.
Industry Applicability & Implementation
Industries and Common Methods to Achieve Conformity
The TSC and SOC 2 reporting are particularly relevant for service organizations — entities that process, store or manage customer data or operations. The framework is especially useful in sectors where organizations don’t fall under strict statutory cybersecurity requirements but still need to prove due care and control integrity.
Technology and SaaS Providers
Most cloud and software-as-a-service companies undergo SOC 2 examinations as a core part of their customer assurance and go-to-market strategy. Customers increasingly require SOC 2 reports as part of their vendor risk management programs.
Financial Technology and Payment Platforms
While not replacing PCI DSS or GLBA compliance, TSC-based SOC 2 audits give fintech firms a way to demonstrate the strength of their security and availability controls to institutional partners, investors and banking regulators.
Healthcare SaaS and Business Associates
Health technology vendors and processors of protected health information leverage the Trust Services Criteria to address security and availability expectations in parallel with HIPAA compliance obligations.
Managed Services and Data Processors
Managed IT service providers, co-location facilities and third-party data processors use SOC 2 reports to contractually demonstrate cybersecurity and operational reliability to enterprise customers.
Industry Applicability & Implementation
Common Implementation Approach
Define the Audit Scope and System Boundaries
Identify the system under examination, determine which Trust Services Categories apply based on customer needs and risk exposure, and engage a licensed CPA firm that performs SOC 2 audits in accordance with AICPA attestation standards.
Build or Strengthen the Control Environment
Implement technical security measures (access control, logging, alerting, encryption), establish governance artifacts (risk assessments, policies, procedures) and deploy security awareness training and operational processes.
Conduct a Type I or Type II Audit
A Type I report assesses the design of controls at a specific point in time. A Type II report assesses both the design and operating effectiveness of controls over a period (typically 6–12 months). Type II reports carry more weight in enterprise and regulated environments.
Maintain Controls and Monitor Continuously
Track changes in risk exposure and update controls, conduct periodic reviews and incident simulations, and prepare annually for re-audits and customer/vendor scrutiny.
Structure of the Trust Services Criteria
The TSC is rooted in the COSO Internal Control–Integrated Framework, a globally accepted model for enterprise risk management. Each criterion follows COSO’s five components of internal control: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
Under each component, the TSC defines “common criteria” applying to all five Trust Services Categories, and “supplemental criteria” specific to Availability, Confidentiality, Privacy and Processing Integrity. Each criterion is supported by Points of Focus that serve as implementation considerations — analogous to control objectives or safeguards in other frameworks.
The flexibility of this structure allows organizations to tailor their control implementations to their unique operational model, size and risk profile. For example, Common Criteria 6.1 (Logical Access Controls) maps to sub-controls such as unique user identification, role-based access provisioning, multi-factor authentication and periodic access reviews.
Type I vs. Type II: Understanding the Difference
Type I Report
Attests that controls are suitably designed to meet the applicable Trust Services Criteria as of a specific point in time. Useful as a starting point or for organizations early in their compliance journey, but provides limited assurance about operational effectiveness.
Type II Report
Attests that controls are suitably designed and were operating effectively over a defined review period, typically six to twelve months. Type II reports carry significantly more weight with enterprise customers, regulated clients and board-level governance stakeholders.
The Indispensable Role of Documentation In the Trust Services Criteria
Documented evidence is the foundation of a successful SOC 2 examination. Unlike checkbox assessments, SOC 2 reports are attestation engagements, meaning that auditors form an opinion based on documented control design, operation and effectiveness. The strength of cybersecurity documentation often determines the success of TSC alignment and SOC 2 attestation.
Governance and Policy Evidence
Well-crafted policies and procedures directly support Common Criteria such as CC1.2 (commitment to integrity and ethical values), CC2.1 (specification of suitable objectives) and CC3.2 (risk identification and assessment). Auditors review these artifacts for completeness, version control and alignment to actual operations.
Control Design and Implementation Records
Operational procedures, playbooks and technical standards demonstrating how controls are consistently implemented, including access management SOPs, change management workflows, incident response plans and simulations, and asset and vulnerability management guidelines.
System Descriptions and Diagrams
Accurate and detailed network diagrams, data flow maps and architectural documentation reduce audit friction and clarify scope. The system description section of the SOC 2 report must clearly articulate scope boundaries, types of data handled, infrastructure and technologies used, and third-party dependencies.
Logs, Reports and Monitoring Evidence
Audit logs, alert tickets, system reports and event response records are critical for evaluating the operating effectiveness of controls over the review period. Without this documentation, auditors cannot attest to whether controls were applied over time.
Continuous Improvement and Corrective Actions
Documentation of findings, root cause analysis and control updates demonstrates a mature security program and supports Monitoring Activities under COSO. These records are reviewed to assess how the organization responds to incidents and control failures.
.png)
%20(white).png)