SOC 2 Trust Services Criteria Explained: The 5 Categories

When your healthcare application handles sensitive patient data, achieving SOC 2 compliance isn't optional; it's expected. But before you can pass an audit, you need to understand exactly what you're being evaluated against. The SOC 2 Trust Services Criteria form the foundation of every SOC 2 examination, defining the specific controls and requirements your organization must meet. At SoFaaS, we've built our SMART on FHIR integration platform on SOC 2 Type II compliant infrastructure, which means we've worked through these criteria firsthand.

There are five categories within the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Not every organization needs to address all five; your audit scope depends on your services and what you've promised to customers. Understanding each category helps you determine which ones apply to your situation and where to focus your compliance efforts.

This guide breaks down each of the five Trust Services Criteria, explains what auditors look for, and helps you identify which categories are relevant to your organization's SOC 2 journey.

Why the Trust Services Criteria matter in SOC 2

The Trust Services Criteria serve as the specific evaluation framework that your auditor uses to assess your organization's controls. Without these standardized criteria, there would be no consistent way to measure whether your systems protect customer data adequately. Every SOC 2 audit centers on these five categories, and your report will explicitly state which ones your organization was evaluated against.

What criteria define in your audit

The SOC 2 Trust Services Criteria translate broad security concepts into testable control points that auditors can verify. Each criterion contains specific control objectives that describe what you need to achieve, such as "the entity restricts logical access" under the Security category. Your auditor doesn't simply check whether you have firewalls or encryption; they verify that you've implemented comprehensive controls that satisfy the relevant criteria defined by the American Institute of CPAs.

This framework matters because customers and partners recognize it. When you provide a SOC 2 report scoped to specific criteria, stakeholders immediately understand what aspects of your operations have been independently validated.

A SOC 2 report isn't a pass-or-fail certificate; it's documentation of which Trust Services Criteria you were evaluated against and how your controls performed during the audit period.

The business value beyond compliance

Meeting the appropriate Trust Services Criteria opens doors to enterprise healthcare contracts that require SOC 2 compliance. Many health systems and medical device companies won't even begin vendor evaluations without seeing a valid SOC 2 Type II report that includes the Security criterion at minimum. You reduce sales cycles by proactively demonstrating that your organization maintains tested controls aligned with industry standards.

These criteria also create internal benefits. Working through the control requirements forces you to document processes, identify gaps, and implement systematic improvements to your security posture that protect both your customers and your business operations.

How the five criteria fit together in an audit

Your SOC 2 audit doesn't evaluate all five criteria by default. The Security criterion is mandatory for every SOC 2 engagement, while the other four categories (Availability, Processing Integrity, Confidentiality, and Privacy) remain optional. You select additional criteria based on what services you provide and what commitments you've made to customers in your contracts or terms of service.

The Security foundation with optional additions

Security forms the base of every audit because it addresses fundamental protections that apply universally: access controls, system monitoring, change management, and risk assessment. You cannot have a SOC 2 report without Security in scope. The optional criteria build on this foundation by addressing specific aspects of your operations. For example, if you guarantee 99.9% uptime in customer agreements, you need Availability criteria evaluated. Your auditor maps your service commitments to the appropriate Trust Services Criteria during the scoping phase.

The SOC 2 Trust Services Criteria you select define the boundaries of your audit and determine which control objectives your organization must satisfy.

Auditors test your controls against each selected criterion independently. Your report documents how well you meet the requirements for Security plus any optional categories you've included in scope.

Security criteria explained and what auditors test

The Security criterion evaluates whether your organization protects information and systems from unauthorized access, both external and internal. This covers everything from network security and access management to incident response and vulnerability management. Your auditor examines documented policies and actual implementation across your entire technology stack, not just customer-facing systems. At SoFaaS, our infrastructure undergoes this scrutiny as part of maintaining our SOC 2 Type II certification.

What the Security criterion covers

Security addresses five common control areas that form the backbone of the SOC 2 Trust Services Criteria. Your organization must demonstrate controls for logical and physical access restrictions, environmental protections such as data center security, system operation procedures including monitoring, risk mitigation programs that identify and address potential threats, and documented change management processes that prevent unauthorized system modifications.

Control areas auditors examine

Auditors verify your access controls by testing whether you grant permissions based on job roles and revoke access promptly when employees leave. They review your system monitoring logs to confirm you detect and respond to security events. Change management controls receive significant attention, including whether you test changes before production deployment and maintain audit trails of who approved what modifications. Your incident response plan gets evaluated for both documentation quality and evidence that you've actually followed it when issues occurred.

Your auditor samples specific transactions and system changes throughout the audit period to verify that your documented controls operated consistently, not just existed on paper.

Optional criteria explained with examples

The four optional categories within the SOC 2 Trust Services Criteria address specific operational commitments beyond basic security. You include Availability if you guarantee uptime, Processing Integrity if you promise accurate data handling, Confidentiality when you protect proprietary information beyond general security measures, and Privacy when you handle personal information with specific collection and usage commitments. Each criterion targets distinct aspects of how your systems operate and what you've promised customers.

Availability and Processing Integrity in practice

Availability criteria apply when you guarantee system uptime percentages in service level agreements. Your auditor verifies that you monitor system performance, maintain redundancy, and have disaster recovery procedures that actually work. Processing Integrity addresses whether your systems process data completely, accurately, and in a timely manner, as designed. If your healthcare application calculates dosages, processes claims, or generates reports that customers rely on for accuracy, this criterion becomes relevant.

Confidentiality and Privacy distinctions

Confidentiality covers proprietary or restricted information that goes beyond standard security protections, such as trade secrets or sensitive business data with additional handling requirements. Privacy specifically addresses personal information collection, use, retention, and disclosure aligned with your privacy notice. Healthcare applications typically need the Privacy criteria evaluated because you handle patient-identifiable information with specific commitments about how you'll use and share that data.

The optional criteria you select should directly align with the specific service commitments and guarantees documented in your customer contracts and privacy policies.

How to choose the right criteria for your scope

Selecting the right SOC 2 Trust Services Criteria starts with reviewing your customer contracts and service agreements. You need to identify every specific commitment you've made about system availability, data handling, information protection, and privacy practices. Your audit scope should directly reflect these documented promises, not what you think sounds impressive or what competitors include in their reports.

Start with your service commitments

Pull together all documents where you've made operational guarantees to customers: terms of service, master service agreements, privacy policies, and service level agreements. Look for explicit promises about uptime percentages, data accuracy guarantees, confidentiality requirements beyond standard security, and specific privacy commitments about how you collect, use, or share personal information. These contractual obligations tell you which optional criteria belong in your scope.

Match criteria to what you actually guarantee

If you promise 99.9% availability in contracts, you need Availability criteria evaluated. Don't add criteria simply because they seem valuable if you haven't made corresponding commitments. Your auditor will assess whether your controls support what you've actually promised, and including unnecessary criteria adds audit costs without business benefit. Healthcare applications handling patient data typically need Security and Privacy at minimum, with Availability added if you've guaranteed uptime thresholds.

Your SOC 2 scope should match what you promise customers, not what creates the most impressive-looking report.

Final takeaways

Understanding the SOC 2 Trust Services Criteria gives you a clear roadmap for your compliance journey. Security remains mandatory for every audit, while Availability, Processing Integrity, Confidentiality, and Privacy become relevant only when you've made specific commitments to customers in your contracts or service agreements. Your audit scope should match these documented promises, not what creates an impressive-looking report.

Healthcare application developers face unique challenges when pursuing SOC 2 compliance while simultaneously building integrations with multiple EHR systems. The infrastructure requirements and compliance burden often divert valuable engineering resources away from your core product development. Instead of building your own SOC 2 infrastructure from scratch, launch your SMART on FHIR app on SoFaaS's already-certified platform. You inherit our SOC 2 Type II compliant foundation while focusing your team on healthcare innovation rather than security audits and control documentation. Your integration timeline shrinks from months to days.
