When the AICPA released the Trust Service Criteria in 2017, it replaced the older Trust Service Principles framework with a structure aligned to COSO Internal Control. The change was more than nomenclature. The new framework introduced “points of focus” providing specific implementation guidance for each criterion. Organizations that had built programs on the old principles discovered their controls needed remapping, not because the controls changed, but because the evidence expectations shifted.
The same pattern repeats in 2026 with the five Trust Service Categories. GRC consultants recommend selecting all five for “comprehensive coverage.” The engagement letter expands to include Security, Availability, Confidentiality, Processing Integrity, and Privacy. The audit fee increases by 40%. Evidence requirements double. Engineering spends an additional 80 hours documenting controls for categories no customer contract requested [AICPA TSC 2017].
Only Security (Common Criteria) is mandatory. Each additional category adds $3,000 to $15,000 in audit fees, 20 to 40 hours of engineering labor, and 5 to 25 new controls with corresponding evidence requirements. The decision to add categories should follow customer contracts, not consultant recommendations.
SOC 2 defines five Trust Service Categories: Security (mandatory), Availability, Confidentiality, Processing Integrity, and Privacy (all optional) [AICPA TSC 2017]. Only Security is required for a SOC 2 report. Each additional category increases audit fees by $3,000-$15,000 and adds 20-40 hours of evidence collection. Select categories based on customer contract requirements, not compliance ambition. 80% of B2B SaaS companies pass their first audit with Security only.
How Does Trust Service Category Scope Creep Increase Audit Costs?
Selecting all five categories increases total audit cost by 40-60% over Security-only scope [AICPA TSC 2017], and every Trust Service Category added to the engagement letter creates a compounding cost. The audit fee increases because the auditor tests additional criteria. Evidence requirements expand because each category has distinct control objectives. Exception risk increases because more controls create more opportunities for failure. The cost breakdown by category reveals how each addition compounds the audit burden.
| Category | Added Cost | Added Controls |
|---|---|---|
| Security (CC) | Included in base fee | 33 criteria (CC1-CC9), 35-50 controls typical |
| Availability (A) | $3,000-$8,000 in fees + 20-30 hours | 3 criteria: uptime monitoring, DR testing, capacity planning |
| Confidentiality (C) | $3,000-$7,000 in fees + 20-25 hours | 2 criteria: data classification, encryption, disposal |
| Processing Integrity (PI) | $5,000-$12,000 in fees + 30-40 hours | 5 criteria: input validation, processing accuracy, output verification |
| Privacy (P) | $8,000-$15,000 in fees + 40+ hours | 8 criteria (GAPP): notice, choice and consent, collection limitation, use and retention, access, disclosure, quality, monitoring |
The cumulative effect: selecting all five categories for a first-time audit increases total cost by 40-60% over Security-only scope. The additional categories also increase qualified opinion risk because each new control is another potential exception point.
1. Before signing the engagement letter, ask your top five enterprise customers: “Which Trust Service Categories do you require in our SOC 2 report?” Document their responses. Most will say “Security” or “Security and Availability.”
2. Review your customer contracts for specific TSC requirements. If no contract explicitly requires Availability, Confidentiality, Processing Integrity, or Privacy, start with Security only.
3. Add categories in Year 2 if customers request them. The observation period for added categories begins when you implement those controls, not retroactively.
The Five Trust Service Categories: What the Auditor Tests
The Security category alone contains 33 criteria with 150+ points of focus across nine Common Criteria domains [AICPA TSC 2017]. Understanding each category from the auditor’s testing perspective prevents scope mismatches. The definitions below describe what the auditor verifies during fieldwork, not the marketing descriptions used by GRC platforms.
Security (Common Criteria): Mandatory
Security covers the nine Common Criteria categories (CC1-CC9): control environment, communication, risk assessment, monitoring, control activities, logical and physical access, system operations, change management, and risk mitigation. This is the baseline for every SOC 2 report. The auditor tests whether your system is protected against unauthorized access, unauthorized changes, and unauthorized destruction [AICPA TSC CC1.1-CC9.1].
Security alone satisfies the requirements of most enterprise security questionnaires. It covers access controls, change management, incident response, vulnerability management, and vendor oversight. Adding optional categories is unnecessary unless customer contracts explicitly require them.
Availability: Optional
Availability is not “uptime monitoring.” The auditor tests whether the system meets its documented performance commitments: disaster recovery testing with verified RTOs and RPOs, offsite backup validation with restoration testing, capacity planning with documented thresholds and scaling procedures, and incident communication to affected customers [AICPA TSC A1.1-A1.3].
Select Availability when: your platform provides mission-critical infrastructure (cloud hosting, payment processing, core business applications), your customer contracts include SLA commitments with financial penalties for downtime (99.9%+ uptime), or your customers explicitly require Availability in their vendor security questionnaire.
Confidentiality: Optional
Confidentiality protects business data shared under contractual obligations: trade secrets, intellectual property, M&A data, customer lists, and proprietary algorithms. The auditor tests data classification schemes, encryption of confidential data at rest and in transit, access restrictions based on classification, and data disposal procedures when the contract ends [AICPA TSC C1.1, C1.2].
Select Confidentiality when: you hold data covered by NDAs or confidentiality agreements, your customers share proprietary business data (not consumer PII), or your contracts include data handling obligations for classified information. Do not confuse Confidentiality with Privacy.
Processing Integrity: Optional
Processing Integrity applies to systems where the accuracy of the output is the primary product. The auditor tests input validation controls, processing accuracy verification, output reconciliation, and error handling procedures [AICPA TSC PI1.1-PI1.5].
Select Processing Integrity when: your platform performs financial calculations (payroll, billing, tax), processes transactions that affect customer financial statements, or generates output used as the basis for business decisions where errors cause financial loss. A project management tool, CRM, or document storage platform does not need Processing Integrity. Processing data is not the same as processing it with accuracy as the primary deliverable.
Privacy: Optional
Privacy applies to Personally Identifiable Information (PII) collected directly from consumers. The auditor tests against the AICPA’s Generally Accepted Privacy Principles (GAPP): notice, choice and consent, collection limitation, use and retention, access, disclosure, quality, and monitoring. This category requires consent management workflows, opt-out mechanisms, data subject access request procedures, and privacy impact assessments [AICPA Privacy Criteria P1.1-P8.1].
Select Privacy when: your platform collects PII directly from consumers (B2C), you handle health data (PHI), or your customers explicitly require GAPP compliance. Healthcare SaaS companies frequently add Privacy prematurely when Confidentiality covers their actual data flows. B2B SaaS companies that process business data rarely need Privacy. If you hold client business data under NDAs, you need Confidentiality, not Privacy.
1. Map each Trust Service Category to your business model using the selection matrix below. If your model does not appear, default to Security only.
2. If a customer requests a category you have not included, evaluate the cost (additional fee, engineering hours, exception risk) before adding it to the engagement letter.
3. Confirm your category selection with your auditor during the planning phase. Category changes after the engagement letter is signed trigger re-scoping fees and may require a new observation period.
Which Trust Service Categories Does Your Business Model Require?
80% of B2B SaaS companies pass their first audit with Security only [AICPA TSC 2017]. Match your business model to the recommended Trust Service Category scope. This matrix reflects the minimum scope that satisfies customer requirements without creating unnecessary audit burden.
| Business Model | Recommended Scope | Rationale |
|---|---|---|
| General B2B SaaS | Security only | Covers access controls, change management, and incident response. Sufficient for most enterprise questionnaires. |
| Cloud Hosting / Infrastructure | Security + Availability | Customers depend on your uptime. SLA commitments require documented DR and capacity planning. |
| Enterprise Data Storage | Security + Confidentiality | You hold IP, trade secrets, or M&A data under NDA. Data classification and disposal controls required. |
| FinTech / Payroll / Billing | Security + Processing Integrity | Calculation accuracy is the primary product. Input validation and output reconciliation controls required. |
| B2C / Consumer Health App | Security + Privacy | You collect consumer PII/PHI directly. GAPP compliance with consent and access request controls required. |
1. Identify which row in the selection matrix matches your business model. If multiple rows apply, combine the recommended scopes.
2. If your business model is “General B2B SaaS” and no customer contract requires additional categories, start with Security only. You save $6,000-$30,000 and 40-80 hours in first-year costs.
3. Plan to add categories incrementally. Year 1: Security only. Year 2: add Availability or Confidentiality if customers request them. This staged approach reduces first-year cost and exception risk.
The Privacy vs. Confidentiality Trap
B2B SaaS companies confuse Privacy and Confidentiality in 30% of first-time audit engagements. This confusion costs thousands in unnecessary scope because Privacy triggers GAPP compliance requirements (consent management, data subject access requests, privacy impact assessments) that B2B platforms rarely need.
The distinction is straightforward:
- Confidentiality protects business data (B2B): client customer lists, financial records, source code, trade secrets, and proprietary data shared under NDA.
- Privacy protects consumer data (B2C): Social Security numbers, home addresses, health records, and other PII collected directly from individuals.
If you are a B2B SaaS platform storing business data under NDAs, you need Confidentiality, not Privacy. Selecting Privacy by mistake forces implementation of consumer consent workflows, opt-out mechanisms, and data subject access request procedures that have no relevance to B2B data processing.
The Pushback Script
When an enterprise prospect’s security questionnaire asks for Privacy but your platform is B2B, respond with this language: “Our SOC 2 scope covers Security and Confidentiality. As a B2B data processor, we protect your data under Confidentiality controls including data classification, encryption, access restrictions, and disposal procedures. We do not act as a data controller for consumer PII, so the Privacy criteria (GAPP) are not applicable to our service model.”
1. Review your current engagement letter. If Privacy is selected but you are a B2B platform, discuss de-scoping with your auditor before the next audit period.
2. Prepare the pushback script for your sales team. When prospects request Privacy in questionnaires, the sales team should redirect to Confidentiality with the explanation above.
3. If you process both B2B business data and B2C consumer data, you need both Confidentiality and Privacy. Segment the system description to clarify which data flows fall under each category.
Start with Security only. 80% of B2B SaaS companies pass their first audit with Security alone. It is faster, cheaper, and produces a cleaner report. Add Availability or Confidentiality in Year 2 if customer contracts require them. Do not volunteer for Privacy unless you collect consumer PII directly. Scope discipline is the single most impactful cost control in SOC 2 compliance.
Frequently Asked Questions
Is Availability mandatory for SOC 2?
Availability is an optional Trust Service Category that adds 3 criteria, 5-10 controls, and $3,000-$8,000 in audit fees [AICPA TSC A1.1-A1.3]. Include it only if you have contractual SLA commitments with financial penalties for downtime, provide mission-critical infrastructure, or your customers explicitly require it.
How much does adding a Trust Service Category cost?
Each additional category adds $3,000 to $15,000 in audit fees and 20 to 40 hours of internal engineering labor for evidence collection. Privacy is the most expensive addition ($8,000-$15,000) because it requires GAPP compliance with 8 distinct criteria. The cumulative cost of selecting all five categories is 40-60% above Security-only scope.
What is the difference between Confidentiality and Privacy?
Confidentiality protects business data shared under contractual obligations (trade secrets, IP, customer lists under NDA). Privacy protects consumer PII collected directly from individuals (SSNs, health records, home addresses). B2B SaaS companies that hold business data need Confidentiality. B2C companies that collect consumer data need Privacy. Selecting the wrong category creates unnecessary scope and costs.
Do I need Processing Integrity?
Only if your platform’s primary function is performing calculations or transactions where accuracy is the deliverable. Payroll processors, billing engines, tax calculators, and automated trading systems need Processing Integrity. Project management tools, CRMs, and document storage platforms do not. “Processing data” is not the same as “processing with accuracy as the product” [AICPA TSC PI1.1].
Can I add Trust Service Categories after the audit starts?
Adding Trust Service Categories during an active audit period is operationally difficult because, for Type 2 audits, controls must operate throughout the entire observation period to produce valid evidence. If you add a category mid-period, you lack historical evidence for the portion of the period before the addition. Plan category additions for the next audit cycle and begin the observation period at least 3 months before the new audit start date.
Which Trust Service Categories do enterprise customers require?
Most enterprise procurement teams require Security at minimum. Approximately 30% also request Availability (for infrastructure and platform services) or Confidentiality (for data storage and analytics platforms), depending on the platform’s function. Fewer than 10% request Processing Integrity or Privacy unless the platform handles financial calculations or consumer PII directly. Ask before assuming.
Should I select all five categories to be safe?
Selecting all five Trust Service Categories increases audit cost by 40-60%, doubles evidence requirements, and raises exception risk. It does not improve report quality or enterprise buyer perception. A clean report with Security-only scope is more valuable than a report with five categories and multiple exceptions. Start lean and add categories when customers contractually require them.
How do Trust Service Categories relate to SOC 2 controls?
The Security category (Common Criteria CC1-CC9) forms the baseline of 33 criteria and 35-50 controls. Each additional category adds its own criteria and corresponding controls. The categories do not overlap: Availability controls (A1.1-A1.3) are distinct from Confidentiality controls (C1.1-C1.2). See the full SOC 2 security controls guide for the Common Criteria breakdown.