SOC 2 Trust Services Criteria: All 5 Explained with Cost Impact

Security is the only mandatory criterion. Each additional criterion adds $5,000 to $20,000 to your audit cost and 2-6 months of preparation. Here is how to decide which ones you actually need.

| Criteria combination                          | Added audit cost | Added prep time | Common for                              |
|-----------------------------------------------|------------------|-----------------|-----------------------------------------|
| Security only                                 | Base cost        | Base timeline   | Most B2B SaaS startups                  |
| Security + Availability                       | +$5K-$12K        | +2-3 months     | SaaS with uptime SLAs                   |
| Security + Confidentiality                    | +$5K-$15K        | +2-4 months     | Data platforms, fintech                 |
| Security + Privacy                            | +$8K-$20K        | +3-6 months     | Consumer data, healthcare-adjacent      |
| Security + Availability + Confidentiality     | +$10K-$25K       | +4-6 months     | Mid-market SaaS, enterprise infra       |
| All five criteria                             | +$20K-$50K       | +6-12 months    | Financial services, healthcare platforms |

Security (Common Criteria)

Required. Base cost (included). ~60-80 controls.

Protection of information and systems against unauthorised access, both physical and logical. This is the foundation of every SOC 2 audit and the only mandatory criterion.

Who Needs This

Every company pursuing SOC 2. There is no SOC 2 without Security.

Key Control Areas

  - Access controls and identity management
  - Network security and firewalls
  - Change management processes
  - Risk assessment and management
  - Incident response procedures
  - Vendor and third-party management
  - Logical and physical access controls

Evidence Examples

Access reviews, firewall configs, change management tickets, risk assessments, incident response plans, security awareness training records

Availability

+$5K-$12K to audit. ~10-15 additional controls.

Systems are available for operation and use as committed or agreed. Focuses on uptime, disaster recovery, and business continuity.

Who Needs This

SaaS companies with uptime SLAs. Infrastructure providers. Any company whose customers depend on system availability for their own operations.

Key Control Areas

  - Uptime monitoring and alerting
  - Disaster recovery and failover
  - Business continuity planning
  - Capacity planning
  - Backup and restore procedures

Evidence Examples

Uptime reports, DR test results, BCP documentation, capacity plans, backup logs, SLA definitions

Confidentiality

+$5K-$15K to audit. ~10-15 additional controls.

Information designated as confidential is protected as committed or agreed. Covers data classification, encryption, and access restrictions for sensitive data.

Who Needs This

Companies handling trade secrets, financial data, or intellectual property. B2B companies whose customers share confidential business data through the platform.

Key Control Areas

  - Data classification policies
  - Encryption at rest and in transit
  - Data retention and disposal
  - Confidentiality agreements (NDAs)
  - Access restrictions for confidential data

Evidence Examples

Data classification schemas, encryption configs, retention schedules, NDA templates, access control matrices for sensitive data

Processing Integrity

+$5K-$12K to audit. ~8-12 additional controls.

System processing is complete, valid, accurate, timely, and authorised. Focuses on data accuracy and processing correctness.

Who Needs This

Financial services, payment processors, data analytics platforms. Any company where incorrect processing would cause direct financial harm to customers.

Key Control Areas

  - Input validation and error handling
  - Processing monitoring and reconciliation
  - Output completeness checks
  - Quality assurance procedures
  - Transaction authorisation

Evidence Examples

Reconciliation reports, QA test results, processing logs, error rate monitoring, validation rule documentation

Privacy

+$8K-$20K to audit. ~15-25 additional controls.

Personal information is collected, used, retained, disclosed, and disposed of in conformity with the entity's privacy notice and criteria set forth in the AICPA Privacy Management Framework.

Who Needs This

Companies processing personal data under GDPR, CCPA, or similar regulations. Healthcare-adjacent companies. Consumer-facing platforms collecting personal information.

Key Control Areas

  - Privacy notice and consent management
  - Data subject rights (access, deletion, portability)
  - Data minimisation practices
  - Cross-border data transfers
  - Privacy impact assessments
  - Third-party data sharing controls

Evidence Examples

Privacy policies, consent records, DSAR response procedures, data inventory, privacy impact assessments, data processing agreements

Updated 2026-05-11