
SOC 2 Principles


During a SOC 2 examination, an auditor thoroughly evaluates the risk and privacy controls you have put in place to protect the data that flows through and is stored by your information systems. The assessor benchmarks your system’s security and effectiveness against a set of measures known as the Trust Services Criteria.

To receive a favorable SOC 2 report, you must meet one or more of these criteria, each of which assesses the opportunities and risks present in your information systems.

What Are the Common SOC 2 Criteria?

The Trust Services Framework is a conceptual framework established by the American Institute of Certified Public Accountants (AICPA) that contains five underlying Trust Principles. Although the first criterion, security, must be addressed in every SOC 2 audit, companies decide for themselves which of the other criteria to include in the scope of the examination. This flexibility lets organizations tailor SOC 2 to the criteria that matter most for their own objectives.

The five Trust Services Criteria include:

  • Security. Also known as the SOC 2 common criteria, this refers to what you have done to protect your systems and data against unauthorized access and modification by internal users. This criterion must be satisfied by all organizations filing a SOC 2 report, explaining its designation as “common.”
  • Availability. You must show that applications or systems are accessible to stakeholders and meet their objectives. To that end, you should demonstrate that data is being kept up to date and backed up, and that you have a disaster readiness plan in place.
  • Processing integrity. This has to do with data accuracy and what you do to protect information as it moves through your systems and devices.
  • Confidentiality. All sensitive data must be correctly stored and disposed of to prevent it from being exposed or stolen.
  • Privacy. You must show that you are collecting, storing, and using data only as agreed upon.

Security, the criterion common to all SOC 2 reports, should be evaluated in terms of the following:

  • How you protect information. Data must be shielded from corruption or theft when it is collected or created and throughout its use, transmission, processing, and storage.
  • How you protect your systems. Systems are defined as anything that uses electronic technology to store, process, or transmit the information that an organization provides.

SOC 2 Common Criteria Mapping

The SOC 2 common criteria described above align closely with the internal control framework designed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). To show that its internal controls satisfy the SOC 2 Trust Services Criteria it has chosen to focus on, an organization can map those controls to the COSO components and sub-principles. This SOC 2 common criteria mapping covers the following areas:

  • The control environment. This contains all of the information security policies, practices, and procedures the company has put in place.
  • Communication and information. Facts and data must be disseminated internally and externally to specify responsibilities, share intelligence, establish boundaries, and respond to crises. This includes training, incident response procedures, contracts, and disclosure of system changes.
  • Risk assessment. This involves what the organization has put in place to evaluate vulnerabilities, determine their likelihood of occurrence and address them proactively. Controls include policies, a risk register, management buy-in, mitigation action plans, and vendor risk protocols.
  • Monitoring activities. These look at the controls in place to determine if objectives are being attained. Where necessary, corrective measures are implemented. Controls include incident alerts, action plans for disaster response and recovery, and third-party audits.
  • Control activities. These are the actions, derived from an organization’s policies and procedures, that are carried out to attain its security objectives. They include technology-based monitoring and require buy-in from all levels of the organization. Controls include logical and physical access, systems operations, change management, risk mitigation, segregation of duties, access protocols, incident management, and backup procedures.

When the Trust Services Criteria are aligned with the COSO principles in this way, together they form the backbone of the common criteria that apply to all SOC 2 reports.

Conclusion

Taking steps to protect the information that companies collect, store and transmit is crucial for all service organizations. However, it is equally important that they undergo third-party SOC 2 audits that provide objective proof of the strength and comprehensiveness of their controls. The SOC 2 Trust Services framework, including SOC 2 common criteria and SOC 2 common criteria mapping, provides the infrastructure that makes this possible.

Dedicating time and both human and financial resources to building a robust information security infrastructure, whose efficacy is regularly assessed by an objective auditor, provides transparency to investors, management, subcontractors, and even potential customers. This clarity can bolster your company’s credibility and place it in a favorable competitive position.
