The Trust Service Criteria (TSC) are the standards used in SOC 2 audits. The Security TSC is mandatory and covers 33 criteria across nine categories: CC1 through CC9. The other four TSC categories - Availability, Processing Integrity, Confidentiality, and Privacy - are optional and included based on the service organization's customer commitments.
The nine Security TSC common criteria categories are: CC1 (Control Environment), CC2 (Communication and Information), CC3 (Risk Assessment), CC4 (Monitoring Activities), CC5 (Control Activities), CC6 (Logical and Physical Access Controls), CC7 (System Operations), CC8 (Change Management), and CC9 (Risk Mitigation).
CC6 and CC7 are typically where auditors find the most gaps in first-time engagements.
Organizations should review the AICPA's TSC document and work with their auditor to identify which additional TSC categories apply based on customer commitments. Including optional TSC categories adds audit scope and cost - select only those your customer contracts actually require.
Keep Exploring