SOC 2 Trust Service Criteria Explained: Security, Availability, and Beyond

The SOC 2 trust service criteria are the foundation of every SOC 2 audit and define what your organisation needs to demonstrate to customers, partners, and auditors. There are five criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is mandatory for every SOC 2 report, while the other four are optional and chosen based on what your business does and what promises you make to customers.

For Australian businesses pursuing SOC 2 compliance, understanding these criteria helps you scope your audit correctly, implement the right controls, and demonstrate to enterprise customers that you handle their data responsibly. This guide explains each criterion, what controls are required, and how to choose which criteria apply to your organisation.

What Are the SOC 2 Trust Service Criteria?

SOC 2 trust service criteria are organised into five categories that cover different aspects of information security and operational reliability. The Security category is made up of the Common Criteria (CC), control objectives that apply across all five categories; each of the other four categories adds supplemental criteria and points of focus that are unique to it.

The Common Criteria include control environment, communication and information, risk assessment, monitoring of controls, control activities, logical and physical access controls, system operations, change management, and risk mitigation. These form the backbone of your Information Security Management System and apply regardless of which optional criteria you choose.

You select the criteria that align with your service commitments and customer expectations. A SaaS platform might choose Security and Availability because uptime matters. A data processing service might add Processing Integrity to prove accuracy. A business handling personal information would include Privacy.

Security: The Mandatory Criterion

Security is required in every SOC 2 report and evaluates whether information and systems are protected against unauthorised access, unauthorised disclosure, and damage. This criterion demonstrates that you have implemented controls to prevent breaches, detect intrusions, and respond to incidents.

The Security criterion includes controls like multi-factor authentication, role-based access control, network segmentation, encryption at rest and in transit, vulnerability management, security monitoring and logging, incident response procedures, and penetration testing. You also need documented policies covering acceptable use, password requirements, change management, and vendor security.

Risk management is central to the Security criterion. You must maintain a formal risk register, conduct annual risk assessments, identify threats and vulnerabilities, and document risk treatment plans. Auditors expect evidence that you monitor controls continuously and perform internal audits to validate that security measures are operating effectively.

Availability: Ensuring Systems Are Accessible

Availability measures whether your systems are accessible and operational to meet customer commitments. This criterion is relevant if your business promises specific uptime levels, if downtime would impact customer operations, or if you operate platforms where reliability is part of your value proposition.

Availability controls include uptime monitoring and alerting, backup and recovery procedures, disaster recovery and business continuity plans, redundant infrastructure and failover mechanisms, capacity planning to handle demand spikes, and incident management processes. Auditors expect documented recovery time objectives (RTO) and recovery point objectives (RPO) that define how quickly systems must be restored after an outage.

You also need to demonstrate that backups are tested regularly, that disaster recovery plans are reviewed and exercised, and that you monitor system performance to detect issues before they cause downtime. For organisations running SaaS platforms or cloud services, Availability is almost always included because customers expect reliable access.

Processing Integrity: Accuracy and Completeness

Processing Integrity evaluates whether system processing is complete, valid, accurate, timely, and authorised. This criterion applies to organisations that process transactions, perform calculations, or transform data as part of their service.

If your service involves financial transactions, data transformation, automated workflows, or calculations that customers rely on for business decisions, Processing Integrity demonstrates that your systems produce correct results. Controls include input validation to prevent incorrect data entry, output reconciliation to verify accuracy, error detection and correction mechanisms, transaction logging and audit trails, and automated monitoring for processing anomalies.

You must also implement change management processes that ensure updates to systems or workflows do not introduce errors, and testing procedures that validate accuracy before changes go live. Processing Integrity is common in fintech, payment processors, payroll services, and any business where data accuracy directly affects customer outcomes.

Confidentiality: Protecting Sensitive Business Information

Confidentiality focuses on protecting sensitive information that is not publicly available. This criterion applies when you handle proprietary business data, trade secrets, intellectual property, or other confidential information that customers expect you to keep private.

Confidentiality differs from Privacy in that it covers business data rather than personal information. A manufacturing company might share proprietary product designs with a cloud service provider. A law firm might store confidential client documents on a platform. These scenarios require Confidentiality controls.

Controls include data classification schemes that identify confidential information, access restrictions that limit who can view or modify confidential data, encryption to protect data in transit and at rest, non-disclosure agreements with employees and contractors, and secure disposal procedures for confidential information. You also need monitoring and logging to detect unauthorised access attempts and audit trails that track who accessed what data and when.

If you are not sure which criteria your organisation needs or how to implement the required controls, Siege Cyber can help you scope your SOC 2 audit and build a control framework that aligns with your business. Visit siegecyber.com.au/services/soc2 to see how we support Australian businesses through SOC 2 readiness and audit preparation.

Privacy: Handling Personal Information

Privacy addresses how you collect, use, retain, disclose, and dispose of personal information. This criterion is relevant if your service processes personal data and you need to demonstrate compliance with privacy laws like Australia’s Privacy Act, GDPR, or other regulations.

Privacy controls include privacy policies that explain what data you collect and how you use it, consent mechanisms that allow individuals to control their data, data minimisation practices that limit collection to what is necessary, retention and disposal policies that define how long data is kept, and rights management processes that allow individuals to access, correct, or delete their data.

For Australian organisations, Privacy controls often align with the Australian Privacy Principles (APPs) under the Privacy Act 1988. If your customers are based in Europe, you may also need to demonstrate GDPR compliance, which has stricter requirements around consent, data subject rights, and breach notification.

Privacy is commonly chosen by businesses in healthcare, education, HR services, marketing platforms, and any service that collects customer or employee personal information. If your service processes sensitive personal data like health records or financial details, Privacy is almost always required.

SOC 2 Type 1 vs Type 2: Choosing the Right Report

Once you have selected your criteria, you need to decide between SOC 2 Type 1 and Type 2. The choice between Type 1 and Type 2 affects your timeline, cost, and the level of assurance your report provides.

SOC 2 Type 1 evaluates whether your controls are designed properly at a single point in time. The auditor reviews your policies, procedures, and technical safeguards to confirm they meet the Trust Service Criteria but does not test whether they operate effectively over time. Type 1 is faster, less expensive, and serves as a starting point for organisations new to SOC 2.

SOC 2 Type 2 evaluates both the design and the operating effectiveness of your controls over a period, typically six to twelve months. The auditor tests that controls are implemented as documented and that they function consistently throughout the observation period. Type 2 provides stronger assurance and is what most enterprise customers expect.

If you are pursuing SOC 2 for the first time, you can start with Type 1 to demonstrate initial readiness, then progress to Type 2 once your controls mature and you have evidence of their effectiveness. Most Australian organisations ultimately need Type 2 to satisfy customer due diligence requirements and win enterprise contracts.

How to Choose Which Criteria Apply to Your Organisation

Selecting the right criteria requires understanding your business model, customer commitments, and regulatory obligations. Start by reviewing your service level agreements (SLAs), customer contracts, and security questionnaires to identify what customers expect.

Consider what types of data you handle and what promises you make about that data. If you promise 99.9% uptime, you need Availability. If you process transactions and customers rely on accurate results, include Processing Integrity. If you handle confidential business information, add Confidentiality. If you collect personal data, include Privacy.

You should also conduct a risk assessment to identify vulnerabilities and threats specific to your systems and data. This helps determine which criteria address the highest risks to your business and customers. Engaging with legal and compliance experts can clarify regulatory obligations that might require specific criteria.

Finally, align your chosen criteria with your internal policies and ensure that your controls are designed and operating effectively. Do not choose criteria you cannot support with evidence, and do not exclude criteria that customers clearly expect based on your industry or service offering.

Building Controls That Meet the Criteria

Once you have chosen your criteria, you need to implement controls that satisfy each requirement. This involves documenting policies and procedures, deploying technical safeguards, training staff, and establishing processes for monitoring and continuous improvement.

Compliance automation platforms like Vanta and Drata help by continuously collecting evidence, monitoring control performance, and tracking your progress toward audit readiness. Siege Cyber is an official partner of both platforms, which means we can help you use these tools effectively while providing the expert guidance that automation cannot replace. We bridge the gap between what the platform automates and what still requires human expertise, like risk assessments, policy development, and audit preparation.

Whether you are starting from scratch or refining an existing control framework, the key is to treat SOC 2 as an ongoing compliance effort rather than a one-time audit. Controls must operate consistently, evidence must be collected continuously, and your team must understand their responsibilities for maintaining compliance.

Getting Started with SOC 2 in Australia

If you are considering SOC 2 for your Australian business, start by defining your scope and selecting the criteria that align with your service commitments and customer expectations. Conduct a readiness assessment to identify gaps, implement the necessary controls, and begin collecting evidence.

Siege Cyber specialises in SOC 2 readiness and audit preparation for Australian businesses. We help you scope your audit, implement controls, develop policies and procedures, and prepare for both Type 1 and Type 2 examinations. Our fixed-price SOC 2 packages include everything you need to pass your audit with no hourly billing or surprises. Visit siegecyber.com.au/#compliance-pricing to see detailed pricing and what is included.

Siege Cyber has been helping businesses across Australia with penetration testing, compliance, and cyber risk for over 20 years. If you’d like to discuss what type of testing makes sense for your organisation, or if you’re preparing for an ISO 27001 or SOC 2 audit and need testing as part of that process, get in touch.

You can reach us at siegecyber.com.au or email [email protected] directly. We’re based in Brisbane but work with clients across the country.