When the American Institute of Certified Public Accountants (AICPA) released the SOC 2 Trust Services Criteria in 2017, it replaced the older Trust Services Principles framework with a structure aligned to COSO Internal Control. The change was more than nomenclature. The new framework introduced “points of focus” providing specific implementation guidance for each criterion. Organizations that had built programs on the old principles discovered their controls needed remapping, not because the controls changed, but because the evidence expectations shifted.
The same pattern repeats in 2026 with the five Trust Services Categories. GRC consultants recommend selecting all five for “full coverage.” The engagement letter expands to include Security, Availability, Confidentiality, Processing Integrity, and Privacy. In practitioner experience, the audit fee then increases by roughly 40 percent over Security-only scope, evidence requirements expand in proportion, and engineering spends an additional 60 to 100 hours documenting controls for categories no customer contract requested.
Only Security (Common Criteria) is mandatory. Each additional category typically adds $3,000 to $15,000 in audit fees, 20 to 40 hours of engineering labor, and 5 to 25 new controls with corresponding evidence requirements. The decision to add categories should follow customer contracts, not consultant recommendations.
SOC 2 defines five Trust Services Categories: Security (mandatory), Availability, Confidentiality, Processing Integrity, and Privacy (all optional) (AICPA TSC 2017). Only Security is required for a SOC 2 report. Each additional category typically adds $3,000 to $15,000 in audit fees and 20 to 40 hours of evidence collection. Select categories based on customer contract requirements, not compliance ambition. Most B2B SaaS companies pass their first audit with Security-only scope.
How Does Trust Services Category Scope Creep Increase Audit Costs?
Every Trust Services Category added to the engagement letter creates a compounding cost. The audit fee increases because the auditor tests additional criteria. Evidence requirements expand because each category has distinct control objectives. Exception risk increases because more controls create more opportunities for failure. The structure of the framework (AICPA TSC 2017) is fixed; the fee impact is a function of scope, hours, and your auditor’s rate card, not a published AICPA figure.
| Category | Added Cost (practitioner range) | Criteria and typical controls |
|---|---|---|
| Security (CC) | Included in base fee | 33 criteria (CC1.1 through CC9.2), 35 to 50 controls typical |
| Availability (A) | $3,000 to $8,000 in fees, plus 20 to 30 hours | 3 criteria (A1.1 through A1.3): uptime monitoring, disaster recovery testing, capacity planning |
| Confidentiality (C) | $3,000 to $7,000 in fees, plus 20 to 25 hours | 2 criteria (C1.1 and C1.2): data classification, encryption, and disposal |
| Processing Integrity (PI) | $5,000 to $12,000 in fees, plus 30 to 40 hours | 5 criteria (PI1.1 through PI1.5): input validation, processing accuracy, output verification |
| Privacy (P) | $8,000 to $15,000 in fees, plus 40 or more hours | 18 criteria (P1.0 through P8.1) across 8 GAPP themes: Notice and Communication, Choice and Consent, Collection, Use/Retention/Disposal, Access, Disclosure to Third Parties, Quality, and Monitoring and Enforcement |
The cumulative effect: in practitioner experience, selecting all five categories for a first-time audit typically increases total cost by 40 to 60 percent over Security-only scope. The additional categories also raise qualified-opinion risk because each new control is another potential exception point.
The audit fix.
1. Before signing the engagement letter, ask your top five enterprise customers: “Which Trust Services Categories do you require in our SOC 2 report?” Document their responses. Most will say “Security” or “Security and Availability.”
2. Review your customer contracts for specific TSC requirements. If no contract explicitly requires Availability, Confidentiality, Processing Integrity, or Privacy, start with Security only.
3. Add categories in Year 2 if customers request them. The observation period for added categories begins when you implement those controls, not retroactively.
The Five Trust Services Categories: What the Auditor Tests
The Security category alone contains 33 criteria with 150+ points of focus across nine Common Criteria domains (AICPA TSC 2017). Understanding each category from the auditor’s testing perspective prevents scope mismatches. Each category definition describes what the auditor verifies during fieldwork, not the marketing descriptions used by GRC platforms.
Security (Common Criteria): Mandatory
Security covers the nine Common Criteria domains (CC1 through CC9): control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access controls, system operations, change management, and risk mitigation. This is the baseline for every SOC 2 report. The auditor tests whether your system is protected against unauthorized access, unauthorized changes, and unauthorized destruction (AICPA TSC CC1.1 through CC9.2). CC9.2 specifically covers vendor and business-partner risk management; an article that stops the range at CC9.1 is under-counting the Security baseline.
Security alone satisfies the requirements of most enterprise security questionnaires. It covers access controls, change management, incident response, vulnerability management, and vendor oversight. Adding optional categories is unnecessary unless customer contracts explicitly require them.
Availability: Optional
Availability is not “uptime monitoring.” The auditor tests whether the system meets its documented performance commitments: disaster recovery testing with verified Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), offsite backup validation with restoration testing, capacity planning with documented thresholds and scaling procedures, and incident communication to affected customers (AICPA TSC A1.1 through A1.3).
Select Availability when: your platform provides mission-critical infrastructure (cloud hosting, payment processing, core business applications), your customer contracts include Service Level Agreement (SLA) commitments with financial penalties for downtime (99.9 percent or higher uptime), or your customers explicitly require Availability in their vendor security questionnaire.
Confidentiality: Optional
Confidentiality protects business data shared under contractual obligations: trade secrets, intellectual property, M&A data, customer lists, and proprietary algorithms. The auditor tests data classification schemes, encryption of confidential data at rest and in transit, access restrictions based on classification, and data disposal procedures when the contract ends (AICPA TSC C1.1, C1.2).
Select Confidentiality when: you hold data covered by Non-Disclosure Agreements (NDAs) or confidentiality agreements, your customers share proprietary business data (not consumer Personally Identifiable Information), or your contracts include data handling obligations for classified information. Do not confuse Confidentiality with Privacy.
Processing Integrity: Optional
Processing Integrity applies to systems where the accuracy of the output is the primary product. The auditor tests input validation controls, processing accuracy verification, output reconciliation, and error handling procedures (AICPA TSC PI1.1 through PI1.5).
Select Processing Integrity when: your platform performs financial calculations (payroll, billing, tax), processes transactions that affect customer financial statements, or generates output used as the basis for business decisions where errors cause financial loss. A project management tool, CRM, or document storage platform does not need Processing Integrity. Processing data is not the same as processing it with accuracy as the primary deliverable.
Privacy: Optional
Privacy applies to Personally Identifiable Information (PII) collected directly from consumers. The auditor tests against the AICPA’s Generally Accepted Privacy Principles (GAPP), which the TSC 2017 framework organizes into 18 criteria (P1.0 through P8.1) across 8 themes: Notice and Communication, Choice and Consent, Collection, Use/Retention/Disposal, Access, Disclosure to Third Parties, Quality, and Monitoring and Enforcement. P1.0 is the privacy commitment criterion that frames the rest of the category. This category requires consent management workflows, opt-out mechanisms, data subject access request procedures, and privacy impact assessments (AICPA TSC P1.0 through P8.1).
Select Privacy when: your platform collects PII directly from consumers (B2C), you handle Protected Health Information (PHI), or your customers explicitly require GAPP compliance. Healthcare SaaS companies frequently add Privacy prematurely when Confidentiality covers their actual data flows. B2B SaaS companies that process business data rarely need Privacy. If you hold client business data under NDAs, you need Confidentiality, not Privacy.
The audit fix.
1. Map each Trust Services Category to your business model using the selection matrix. If your model does not appear, default to Security only.
2. If a customer requests a category you have not included, evaluate the cost (additional fee, engineering hours, exception risk) before adding it to the engagement letter.
3. Confirm your category selection with your auditor during the planning phase. Category changes after the engagement letter is signed trigger re-scoping fees and may require a new observation period.
Which Trust Services Categories Does Your Business Model Require?
Most B2B SaaS companies pass their first audit with Security-only scope. The selection matrix below reflects the minimum scope that satisfies customer requirements without creating unnecessary audit burden, matched to common business models.
| Business Model | Recommended Scope | Rationale |
|---|---|---|
| General B2B SaaS | Security only | Covers access controls, change management, and incident response. Sufficient for most enterprise questionnaires. |
| Cloud Hosting / Infrastructure | Security + Availability | Customers depend on your uptime. SLA commitments require documented DR and capacity planning. |
| Enterprise Data Storage | Security + Confidentiality | You hold IP, trade secrets, or M&A data under NDA. Data classification and disposal controls required. |
| FinTech / Payroll / Billing | Security + Processing Integrity | Calculation accuracy is the primary product. Input validation and output reconciliation controls required. |
| B2C / Consumer Health App | Security + Privacy | You collect consumer PII or PHI directly. GAPP compliance with consent and access request controls required. |
The audit fix.
1. Identify which row in the selection matrix matches your business model. If multiple rows apply, combine the recommended scopes.
2. If your business model is General B2B SaaS and no customer contract requires additional categories, start with Security only. You save $6,000 to $30,000 and 40 to 80 hours in first-year costs.
3. Plan to add categories incrementally. Year 1: Security only. Year 2: add Availability or Confidentiality if customers request them. This staged approach reduces first-year cost and exception risk.
The Privacy vs. Confidentiality Trap
Confusion between Privacy and Confidentiality is among the most common scoping errors in first-time B2B SaaS examinations. The confusion costs thousands in unnecessary scope because Privacy triggers GAPP compliance requirements (consent management, data subject access requests, privacy impact assessments) that B2B platforms rarely need.
The distinction is straightforward:
- Confidentiality protects business data (B2B): client customer lists, financial records, source code, trade secrets, and proprietary data shared under NDA.
- Privacy protects consumer data (B2C): Social Security numbers, home addresses, health records, and other PII collected directly from individuals.
If you are a B2B SaaS platform storing business data under NDAs, you need Confidentiality, not Privacy. Selecting Privacy by mistake forces implementation of consumer consent workflows, opt-out mechanisms, and data subject access request procedures that have no relevance to B2B data processing.
The Pushback Script
When an enterprise prospect’s security questionnaire asks for Privacy, but your platform is B2B, respond with this language: “Our SOC 2 scope covers Security and Confidentiality. As a B2B data processor, we protect your data under Confidentiality controls including data classification, encryption, access restrictions, and disposal procedures. We do not act as a data controller for consumer PII, so the Privacy criteria (GAPP) are not applicable to our service model.”
The audit fix.
1. Review your current engagement letter. If Privacy is selected but you are a B2B platform, discuss de-scoping with your auditor before the next audit period.
2. Prepare the pushback script for your sales team. When prospects request Privacy in questionnaires, the sales team should redirect to Confidentiality with the explanation above.
3. If you process both B2B business data and B2C consumer data, you need both Confidentiality and Privacy. Segment the system description to clarify which data flows fall under each category.
Start with Security only. Most B2B SaaS companies pass their first audit with Security-only scope. It is faster, cheaper, and produces a cleaner report. Add Availability or Confidentiality in Year 2 if customer contracts require them. Do not volunteer for Privacy unless you collect consumer PII directly. Scope discipline is the single most impactful cost control in SOC 2 compliance.
Frequently Asked Questions
Is Availability mandatory for SOC 2?
No. Availability is an optional Trust Services Category covering 3 criteria (AICPA TSC A1.1 through A1.3) that typically adds 5 to 10 controls. In practitioner experience the cost addition is roughly $3,000 to $8,000. Include it only if you have contractual SLA commitments with financial penalties for downtime, provide mission-critical infrastructure, or your customers explicitly require it in their vendor questionnaire.
How much does adding a Trust Services Category cost?
In practitioner experience, each additional category adds roughly $3,000 to $15,000 in audit fees and 20 to 40 hours of internal engineering labor for evidence collection. Privacy is the most expensive addition ($8,000 to $15,000) because it requires GAPP compliance with 18 criteria across 8 themes. The cumulative cost of selecting all five categories typically runs 40 to 60 percent above Security-only scope. The AICPA publishes the framework, not the fees; the dollar ranges here are field observations, not framework citations.
What is the difference between Confidentiality and Privacy?
Confidentiality protects business data shared under contractual obligations (trade secrets, IP, customer lists under NDA). Privacy protects consumer PII collected directly from individuals (Social Security numbers, health records, home addresses). B2B SaaS companies that hold business data need Confidentiality. B2C companies that collect consumer data need Privacy. Selecting the wrong category creates unnecessary scope and costs.
Do I need Processing Integrity?
Only if your platform’s primary function is performing calculations or transactions where accuracy is the deliverable. Payroll processors, billing engines, tax calculators, and automated trading systems need Processing Integrity. Project management tools, CRMs, and document storage platforms do not. Processing data is not the same as processing it with accuracy as the primary deliverable (AICPA TSC PI1.1 through PI1.5).
Can I add Trust Services Categories after the audit starts?
Adding categories during an active audit period is operationally difficult. For Type 2 audits, controls must operate throughout the entire observation period to produce valid evidence. If you add a category mid-period, you lack historical evidence for the portion before the addition. Plan category additions for the next audit cycle and begin the observation period at least three months before the new audit start date.
Which Trust Services Categories do enterprise customers require?
Most enterprise procurement teams require Security at minimum. A meaningful minority also request Availability (for infrastructure and platform services) or Confidentiality (for data storage and analytics platforms). Far fewer request Processing Integrity or Privacy unless the platform handles financial calculations or consumer PII directly. Ask before assuming.
Should I select all five categories to be safe?
No. Selecting all five Trust Services Categories doubles evidence requirements and raises exception risk without improving report quality or enterprise buyer perception. A clean report with Security-only scope is more valuable than a report with five categories and multiple exceptions. Start lean and add categories when customers contractually require them.
How do Trust Services Categories relate to SOC 2 controls?
The Security category (Common Criteria CC1.1 through CC9.2) forms the baseline of 33 criteria and 35 to 50 controls. Each additional category adds its own criteria and corresponding controls. The categories do not overlap: Availability controls (A1.1 through A1.3) are distinct from Confidentiality controls (C1.1 and C1.2), which are distinct from Privacy controls (P1.0 through P8.1). See the full SOC 2 security controls guide for the Common Criteria breakdown.
Subscribe to The Authority Brief for next week’s analysis.