Under active development — Content is continuously updated and improved

Home / Frameworks / SOC 2

SOC 2 v2017

Official AICPA Download

Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

The Trust Services Criteria and COSO Principles are proprietary to AICPA. This tool provides independently-written summaries for educational reference only and is not affiliated with or endorsed by AICPA. For official criteria text, audit guidance, and SOC 2 reports, visit the AICPA website. Do not rely on this tool for compliance decisions.

Official AICPA SOC 2 Download Official TSC

62 All

A1 — Additional Criteria for Availability (3 criteria)

A1.1Capacity Management

A1.2Recovery Infrastructure

A1.3Recovery Testing

C1 — Additional Criteria for Confidentiality (2 criteria)

C1.1Confidential Information Identification

C1.2Confidential Information Disposal

CC1 — Control Environment (5 criteria)

CC1.1Commitment to Integrity and Ethical Values

CC1.2Board of Directors Oversight

CC1.3Management Structure and Responsibilities

CC1.4Commitment to Competence

CC1.5Accountability for Internal Control

CC2 — Communication and Information (3 criteria)

CC2.1Quality Information for Internal Control

CC2.2Internal Communication

CC2.3External Communication

CC3 — Risk Assessment (4 criteria)

CC3.1Specification of Objectives

CC3.2Risk Identification and Analysis

CC3.3Fraud Risk Assessment

CC3.4Change Impact Assessment

CC4 — Monitoring Activities (2 criteria)

CC4.1Evaluation of Internal Controls

CC4.2Communication of Deficiencies

CC5 — Control Activities (3 criteria)

CC5.1Risk Mitigation Control Activities

CC5.2Technology General Controls

CC5.3Policies and Procedures

CC6 — Logical and Physical Access Controls (8 criteria)

CC6.1Logical Access Security

CC6.2User Registration and Authorization

CC6.3Access Authorization and Modification

CC6.4Physical Access Restrictions

CC6.5Asset Disposal

CC6.6External Threat Protection

CC6.7Information Transmission Protection

CC6.8Malware Protection

CC7 — System Operations (5 criteria)

CC7.1Vulnerability Detection and Monitoring

CC7.2Anomaly Monitoring

CC7.3Security Event Evaluation

CC7.4Incident Response

CC7.5Incident Recovery

CC8 — Change Management (1 criteria)

CC8.1Change Authorization and Implementation

CC9 — Risk Mitigation (2 criteria)

CC9.1Business Disruption Risk Mitigation

CC9.2Vendor Risk Management

P1 — Privacy - Notice and Communication (2 criteria)

P1.1Privacy Notice

P1.2Privacy Commitments Communication

P2 — Privacy - Choice and Consent (1 criteria)

P2.1Choice and Consent

P3 — Privacy - Collection (2 criteria)

P3.1Personal Information Collection

P3.2Explicit Consent for Collection

P4 — Privacy - Use, Retention, and Disposal (3 criteria)

P4.1Personal Information Use Limitation

P4.2Personal Information Retention

P4.3Personal Information Disposal

P5 — Privacy - Access (2 criteria)

P5.1Access to Personal Information

P5.2Correction of Personal Information

P6 — Privacy - Disclosure and Notification (7 criteria)

P6.1Third-Party Disclosure

P6.2Authorized Disclosure Records

P6.3Unauthorized Disclosure Records

P6.4Third-Party Privacy Commitments

P6.5Third-Party Breach Notification

P6.6Breach Notification

P6.7Personal Information Accounting

P7 — Privacy - Quality (1 criteria)

P7.1Personal Information Quality

P8 — Privacy - Monitoring and Enforcement (1 criteria)

P8.1Privacy Complaints and Compliance

PI1 — Additional Criteria for Processing Integrity (5 criteria)

PI1.1Processing Information Quality

PI1.2Input Controls

PI1.3Processing Controls

PI1.4Output Controls

PI1.5Storage Controls