SOC 2 Trust Services Criteria: A Practical Guide for Australian Organisations

The SOC 2 trust services criteria are the foundation of every SOC 2 engagement. They define what auditors assess, which controls are in scope, and what evidence organisations must produce. Understanding how the trust services criteria work is therefore essential before beginning any SOC 2 programme, because scoping, control design, and evidence collection all flow from the criteria an organisation selects.
Developed by the American Institute of Certified Public Accountants (AICPA), the SOC 2 trust services criteria cover five distinct areas: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Each criterion carries its own control objectives and evidence expectations. As a result, two organisations can both hold SOC 2 reports while having assessed entirely different sets of controls, depending on which criteria they selected.
This guide explains each of the five SOC 2 trust services criteria in practical terms, how Australian organisations select the right criteria for their services, and what implementing each one actually requires.
Organisations looking for structured, expert-led support can explore CyberPulse’s SOC 2 compliance services Australia to understand how a guided program reduces preparation time and improves audit outcomes.
What the SOC 2 Trust Services Criteria Actually Are
The SOC 2 trust services criteria replace the older Trust Services Principles that governed earlier SOC 2 reports. The AICPA updated the framework in 2017 to provide greater flexibility and to better reflect how modern technology services operate. Since then, the criteria have become the universal basis for SOC 2 assessments globally.
Each criterion is composed of individual control points, known as points of focus, which describe the behaviours and safeguards auditors expect to observe. Importantly, the criteria are principle-based rather than prescriptive. They do not mandate specific tools or technologies. Instead, they describe what outcomes controls must achieve, leaving organisations to determine the appropriate implementation for their environment.
This design gives organisations flexibility but also places responsibility on them to interpret the criteria correctly for their specific services, data types, and risk profile. Additionally, poor criteria selection leads to either over-scoping, which increases cost without adding assurance value, or under-scoping, which produces a report that does not satisfy customer expectations.
The Security criterion is mandatory in every SOC 2 engagement. The remaining four criteria are optional and selected based on the services an organisation provides and the commitments it has made to customers.
Choosing the correct trust services criteria should be an early step when engaging SOC 2 compliance services in Australia.
The Security Criterion: Mandatory for Every SOC 2 Engagement
Security is the foundational SOC 2 trust services criterion. It is included in every engagement and consequently forms the largest portion of most SOC 2 audits. The Security criterion is also referred to as the Common Criteria because it underpins the requirements of all other trust services criteria.
The Security criterion evaluates whether systems are protected against unauthorised access, both physical and logical. It covers a broad range of control areas, including risk management, logical access controls, system monitoring, change management, incident response, and vendor oversight.
Key control areas assessed under the Security criterion include:
- Risk assessment processes that identify and prioritise threats to in-scope systems
- Logical access controls, including multi-factor authentication, role-based permissions, and access reviews
- Endpoint and network monitoring to detect and respond to anomalous activity
- Change management procedures that govern modifications to systems and services
- Incident detection, response, and post-incident review processes
- Physical security controls protecting infrastructure and data centre environments
- Vendor and third-party oversight for suppliers with access to in-scope systems
For Australian organisations, the Security criterion maps closely to the ASD Essential Eight. Organisations that have already implemented patching, application control, multi-factor authentication, and backup controls as part of their Essential Eight programme will find a significant portion of SOC 2 security requirements already addressed.
The Availability Criterion: Relevant for Service-Critical Systems
The Availability criterion assesses whether systems are available for operation and use as committed or agreed. It is relevant for organisations whose customers depend on consistent, reliable access to services, and where downtime creates direct commercial or operational harm.
In practice, Availability does not require perfect uptime. Instead, it evaluates whether the organisation monitors performance, manages capacity, implements resilience measures, and has tested its ability to recover from disruption. Controls under this criterion also overlap with business continuity and disaster recovery planning.
Availability criterion controls typically cover:
- System monitoring and alerting for performance and availability metrics
- Capacity management processes that address current and projected demand
- Incident and problem management procedures that minimise service disruption
- Disaster recovery plans that define recovery time and recovery point objectives
- Tested backup and restore capabilities that demonstrate practical recovery readiness
Availability is most commonly selected by SaaS platforms, managed service providers, and cloud infrastructure organisations where service continuity is a contractual commitment. It is also relevant for organisations seeking to align with backup and recovery expectations across Australian regulatory frameworks.
The Confidentiality Criterion: Protecting Sensitive Business Information
The Confidentiality criterion addresses how organisations protect information that is designated as confidential, typically including business data, intellectual property, trade secrets, and commercially sensitive customer information. It is distinct from Privacy, which specifically addresses personal information.
This criterion is relevant for organisations that handle confidential client data, proprietary business information, or commercially sensitive records on behalf of customers. Financial services providers, legal technology platforms, and advisory firms frequently include Confidentiality in their SOC 2 scope.
Confidentiality criterion controls typically include:
- Data classification policies that identify and label confidential information
- Access restrictions limiting exposure of confidential data to authorised personnel
- Encryption controls protecting confidential information at rest and in transit
- Retention and disposal policies governing how confidential data is managed and eventually destroyed
- Contractual and legal obligations addressing confidentiality commitments to customers and partners
Organisations that regularly process sensitive client files, legal documents, or proprietary commercial data should carefully evaluate whether Confidentiality belongs in their SOC 2 scope. Including it provides stronger assurance to enterprise customers and reflects a more complete picture of how the organisation handles information entrusted to it.
The Processing Integrity Criterion: Accuracy and Completeness of Outputs
The Processing Integrity criterion evaluates whether system processing is complete, valid, accurate, timely, and authorised. It is focused on the quality and reliability of outputs produced by a system, rather than the security of access to that system.
This criterion is specifically relevant for organisations where customers depend on the accuracy of system outputs, such as financial processing platforms, automated calculation engines, data transformation services, and transactional systems. If errors in processing create direct harm for customers, Processing Integrity belongs in scope.
Processing Integrity controls typically cover:
- Input validation controls that detect and reject erroneous or incomplete data before processing
- Processing controls that verify accuracy and completeness of outputs during execution
- Error handling procedures that identify, log, and resolve processing failures
- Reconciliation processes that confirm outputs match expected results
- Audit trails that capture processing activity for review and investigation
Processing Integrity is one of the less commonly selected SOC 2 trust services criteria in Australia, largely because it applies to a narrower category of services. However, for organisations operating in payments, financial data aggregation, or automated reporting, it is often a customer expectation rather than an optional addition.
The Privacy Criterion: Personal Information and Australian Compliance Alignment
The Privacy criterion evaluates how an organisation collects, uses, retains, discloses, and disposes of personal information in accordance with its stated privacy commitments and applicable regulations. For Australian organisations, this criterion carries particular relevance given obligations under the Privacy Act 1988 and the Australian Privacy Principles administered by the Office of the Australian Information Commissioner.
Importantly, Privacy in the SOC 2 trust services criteria framework is broader than a simple compliance checklist. It assesses whether personal information is handled consistently with the notices and commitments an organisation has made to individuals, and whether controls are in place to enforce those commitments in practice.
Privacy criterion controls typically address:
- Privacy notices that accurately describe how personal information is collected and used
- Consent and choice mechanisms that allow individuals to manage their information
- Collection limitations that ensure personal data is gathered only for stated purposes
- Use and retention controls that prevent personal information from being repurposed beyond its original scope
- Access and correction processes that allow individuals to review and update their information
- Disposal controls that ensure personal data is securely destroyed when no longer needed
- Third-party disclosure controls that govern how personal information is shared with suppliers and partners
For Australian organisations already working to align with OAIC requirements, including Privacy in the SOC 2 scope creates an opportunity to demonstrate compliance with both sets of obligations through a single, evidence-based assessment. This reduces duplication and produces a more comprehensive assurance outcome for enterprise customers and regulators.
How Australian Organisations Select the Right SOC 2 Trust Services Criteria
Criteria selection is one of the first decisions in any SOC 2 engagement and one of the most consequential. The right selection reflects the nature of services provided, the commitments made to customers, and the risks most relevant to the organisation’s environment.
Security is included in every engagement without exception. Beyond that, the selection process should be driven by three questions: What have we committed to customers in contracts and privacy notices? What risks are most material to our service delivery? What are our customers and prospects actually asking to see assessed?
In practice, most Australian SaaS providers include Security and Availability as a minimum. Organisations handling sensitive client data frequently add Confidentiality. Those processing personal information at scale add Privacy. Processing Integrity is included selectively where output accuracy is a core service commitment.
Criteria selection also affects audit scope, cost, and timeline. Including additional criteria increases the number of controls assessed and the volume of evidence required. Consequently, organisations should balance comprehensive assurance with practical delivery capacity, particularly when preparing for a first SOC 2 engagement.
A readiness assessment conducted prior to finalising criteria selection provides a clearer picture of control gaps and evidence maturity across each criterion. This approach reduces the risk of scope surprises during the audit itself and allows organisations to address gaps before testing begins.
SOC 2 Trust Services Criteria vs Controls: Understanding the Difference
The SOC 2 trust services criteria define what must be achieved. Controls are the specific policies, processes, and technical safeguards an organisation implements to meet those objectives. This distinction matters practically because auditors assess controls against criteria, not the criteria themselves.
An organisation may select the Availability criterion and implement a range of controls designed to satisfy it, including monitoring, disaster recovery planning, and backup testing. Auditors then test whether those controls are appropriately designed and, in a Type 2 engagement, whether they operated effectively throughout the audit period.
Because the trust services criteria are principle-based, organisations have discretion in how they design controls. However, this also means that poorly designed controls can satisfy the letter of a criterion while failing to provide meaningful assurance. Auditors look for controls that are fit for purpose given the organisation’s risk environment, not just controls that technically exist.
Furthermore, the relationship between criteria and controls is not one-to-one. Many controls, particularly those in the Security criterion, address requirements across multiple trust services criteria simultaneously. Organisations that design controls with this overlap in mind reduce total implementation effort significantly.
Maintaining Trust Services Criteria Controls Throughout the Year
For SOC 2 Type 2 engagements, controls must operate consistently across the full audit period, typically six to twelve months. This means that selecting the right trust services criteria and designing appropriate controls is only the beginning. Sustaining those controls through disciplined day-to-day operations is where most organisations encounter difficulty.
Access reviews must occur at defined intervals, not just before an audit. Change management approvals must be documented for every change, not retrospectively reconstructed. Incident response procedures must be followed consistently, not invoked selectively. Evidence must be collected continuously so that auditors have complete samples to test.
Organisations that embed trust services criteria requirements into engineering workflows, operational runbooks, and governance calendars maintain audit readiness without significant additional effort at audit time. In contrast, organisations that treat SOC 2 as an annual project spend significant time and resource reconstructing evidence and addressing gaps under pressure.
Many Australian organisations address the operational burden of continuous trust services criteria compliance through Managed Compliance Services, which automate evidence collection, monitor control operation, and maintain audit readiness across the full year without disrupting internal teams.
SOC 2 Trust Services Criteria and Australian Framework Alignment
The SOC 2 trust services criteria align well with Australian regulatory and security frameworks when implemented thoughtfully. Organisations that map their criteria selection and control design against local obligations reduce duplication and strengthen the overall value of their assurance programme.
ASD Essential Eight: The Essential Eight addresses many of the technical controls required under the SOC 2 Security criterion. Patching, multi-factor authentication, application control, and backup and recovery are all directly relevant. Organisations working toward Essential Eight maturity levels therefore address a significant portion of SOC 2 security requirements as part of the same programme.
OAIC Australian Privacy Principles: Where the Privacy trust services criterion is in scope, the AICPA criteria align closely with Australian Privacy Principles obligations. Organisations can design privacy controls that simultaneously satisfy both frameworks, producing evidence that supports SOC 2 testing and demonstrates OAIC compliance.
APRA CPS 234: For APRA-regulated entities, CPS 234 requirements around information security capability, third-party risk, and incident notification overlap with Security and Availability trust services criteria requirements. Aligning both programmes reduces audit fatigue and creates a more coherent governance posture.
Organisations pursuing multiple frameworks benefit from cross-mapping criteria early in the programme design phase. CyberPulse’s compliance audit and advisory services include framework alignment analysis as part of the readiness process, ensuring control design serves multiple compliance objectives simultaneously.
Frequently Asked Questions: SOC 2 Trust Services Criteria
What are the SOC 2 trust services criteria?
The SOC 2 trust services criteria are the control objectives developed by the AICPA that define what auditors assess in a SOC 2 engagement. The five criteria are Security, Availability, Confidentiality, Processing Integrity, and Privacy. Security is mandatory for every SOC 2 audit. The remaining criteria are selected based on the nature of the services provided and the commitments made to customers.
How many SOC 2 trust services criteria must an organisation include?
Every SOC 2 engagement must include the Security criterion. Beyond that, there is no minimum requirement. Organisations select additional criteria based on their services, customer commitments, and risk profile. Including more criteria increases the scope and cost of the audit but produces more comprehensive assurance. Most Australian SaaS providers include Security and Availability as a baseline.
What is the difference between Confidentiality and Privacy in the SOC 2 trust services criteria?
Confidentiality covers information designated as sensitive for commercial or contractual reasons, such as trade secrets, business data, and proprietary client records. Privacy specifically addresses personal information collected from individuals, including how it is gathered, used, retained, and disclosed. Organisations handling large volumes of personal data typically include Privacy in scope. Those handling sensitive business information but limited personal data may include Confidentiality instead, or include both.
Do the SOC 2 trust services criteria change between Type 1 and Type 2 audits?
No. The same trust services criteria apply to both Type 1 and Type 2 engagements. The difference is in what auditors assess. A Type 1 audit evaluates whether controls are suitably designed to meet the criteria at a point in time. A Type 2 audit assesses whether those controls operated effectively over a defined period, typically six to twelve months. The criteria selection remains consistent across both report types.
How do the SOC 2 trust services criteria relate to Australian privacy law?
Where an organisation selects the Privacy trust services criterion, the AICPA framework aligns closely with the Australian Privacy Principles under the Privacy Act 1988. Both address how personal information is collected, used, retained, and disclosed. Organisations can design controls that satisfy both frameworks simultaneously, reducing duplication and creating a more defensible compliance posture. Regulatory obligations under the OAIC remain separate from the SOC 2 engagement but can be addressed through the same controls.
Which trust services criterion do most Australian organisations include?
Security is universal. Beyond that, Availability is the most commonly selected criterion among Australian SaaS providers and managed service organisations. Confidentiality is frequently added by professional services technology companies and legal sector providers. Privacy is included where customer personal data is a central part of the service. Processing Integrity is less common and applies specifically to organisations where output accuracy is a core service commitment.
Can the SOC 2 trust services criteria scope change after an audit begins?
Adding criteria after an audit has commenced is possible in principle but creates practical challenges, particularly for Type 2 engagements where the observation period needs to cover control operation across all selected criteria. Organisations should finalise their trust services criteria selection before the audit period begins. Changes to scope mid-engagement typically extend the timeline and may require restarting the observation period for newly added criteria.