SOC2 - Trust Services Criteria

AICPA Trust Services Standard for Safeguarding Customer Information

Meet the requirements of the SOC2 – Trust Services Criteria while managing compliance with ALL your IT Security requirements . . . regardless of source. Experience true Cybersecurity Risk Management based on the guidelines set forth by the Trust Services Criteria.


What is the AICPA Trust Services Criteria?

System and Organization Controls (SOC) as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called the Trust Service Criteria. These control criteria are to be used by the practitioner/examiner (Certified Public Accountant, CPA) in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service.

But if you don’t want to get into the weeds of a ton of regulatory lingo, we’ll summarize what you need to know, and how our software can help you navigate the waters of the regulation, and comply with all its requirements, without having to be a regulatory expert.

The Trust Services Criteria Standard for Safeguarding Customer Information.

The Trust Services Criteria, authored by the AICPA, outlines industry standards for managing customer data based on five principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Achieving SOC2 compliance signals to your clients and partners that your organization is committed to maintaining high levels of data security and integrity.

Pick Your Trust Services Criteria

Compliance Manager GRC gives you the option of preparing for all five SOC 2 Trust Service Criteria at once, or using the built-in variants to work on just the selected criteria you need.  Here’s the summary of the five different Trust Services Criteria that make up the SOC 2 standard, and what’s covered by Compliance Manager GRC:

Security Criteria Standard Variant –  information and systems are protected against unauthorized access and disclosure, and damage to the system that could compromise the availability, confidentiality, integrity and privacy of the system.

  • Firewalls
  • Intrusion detection
  • Multi-factor authentication

This variant comprises 265 controls, specifically designed for the “Security” category of SOC 2. It addresses the crucial need for robust protection against unauthorized access, data breaches, and system threats. The technical depth of this variant lies in its comprehensive coverage of security measures, from firewall management to intrusion detection, ensuring a fortified defense against cyber threats. The benefit of this focused variant is the streamlined assurance of stringent security protocols, vital for safeguarding sensitive information.

Availability Criteria Standard Variantinformation and systems are available for operational use.

  • Performance monitoring
  • Disaster recovery
  • Incident handling

With 19 controls, this variant focuses on the importance of system reliability and uptime, a critical factor for operational continuity. This variant incorporates technical aspects such as performance monitoring and disaster recovery planning, emphasizing the resilience of systems and services. The key benefit here is the reinforced assurance of operational availability, crucial for maintaining service dependability and business continuity.

Confidentiality Criteria Standard Variant information is protected and available on a legitimate need to know basis. Applies to various types of sensitive information.

  • Encryption
  • Access controls
  • Firewalls

This variant, with 7 controls, focuses on the protection of sensitive information, accessible only on a legitimate need-to-know basis. Technical measures such as advanced encryption and access controls form the core of this variant, safeguarding confidential data against unauthorized disclosure. The benefit here is the enhanced protection of sensitive information, crucial for maintaining trust and complying with data privacy regulations.

Processing Integrity Criteria Standard Variant – system processing is complete, valid, accurate, timely and authorized.

  • Quality assurance
  • Process monitoring
  • Adherence to principle

Encompassing 28 controls, this variant ensures that system processing is accurate, timely, and valid, an essential aspect of data integrity. The technical exposition includes quality assurance measures and process monitoring controls, providing a framework for maintaining the accuracy and reliability of system processing. The advantage of this variant is in ensuring that all processing activities are performed correctly and efficiently, reducing the risk of errors and data mismanagement.

Privacy Criteria Standard Variant – personal information is collected, used, retained, disclosed and disposed according to policy. Privacy applies only to personal information.

  • Access control
  • Multi-factor authentication
  • Encryption

Featuring 84 controls, this variant addresses the management of personal information. It includes technical controls for the collection, use, retention, disclosure, and disposal of personal data in compliance with privacy policies. This variant’s benefit is in its comprehensive approach to privacy management, ensuring that personal data is handled responsibly and in accordance with legal and ethical standards.

Jurisdiction and Penalties

SOC 2 Audits can be conducted only by either a Certified Public Accountant (CPA) or a certified technical expert belonging to an audit firm licensed by the AICPA.

The SOC 2 Audit provides the organization’s detailed internal controls reports made in Compliance Manager GRC with the 5 trust service criteria. It shows how well the organization safeguards customer data and assures them that the organization provides services in a secure and reliable way. SOC 2 reports are therefore intended to be made available for the customers and other stakeholders only.

Navigate the AICPA SOC 2 Standard with Compliance Manager GRC, your trusted partner in managing IT compliance.

Featured Product Highlights for This Standard

You can use your existing IT security and privacy tools to implement the required safeguards specified by the Rule, but Compliance Manager GRC includes some additional specialized functionality you will need to fully comply.

Here are a few of the value-added features included with Compliance Manager GRC the apply to this standard:

  • Rapid Baseline Assessments – Quickly identify gaps according to the Trust Services Criteria.
  • Technical Risk Assessments – Full risk assessment (based on five principles—Security, Availability, Processing Integrity, Confidentiality, and Privacy).
  • Policies & Procedures Manual – Required documentation.
  • Employee Awareness Training Portal – Tracking and reporting.
  • Customizable standards and controls – Modify your procedures to match your specific way of complying.
  • Role-based access — Helps involve others in complying with AICPA SOC 2.
  • Automated Documentation & Reporting – Provides documentation for AICPA SOC 2 audits.
  • Vendor Management Portal —  Perform vendor assessments against the AICPA SOC 2 standard.
  • Auditor’s Checklist – Essential in the event of an audit or breach.


Best of all, you can use this same platform to manage compliance with all your other IT requirements — including compliance other government and industry rules and regs, with the security terms of your cyber insurance policy, and even compliance with your own internal IT policies.


Whether complying with the SOC2 – Trust Services Criteria, tracking terms of your cyber risk insurance policy, or making sure your own IT policies and procedures are being followed, Compliance Manager GRC helps you Get IT All Done at the same time, and in the same place. No other Compliance Management software gives you this kind of flexibility.


Assuring compliance with the SOC2 – Trust Services Criteria – and all your other IT requirements – is easy with Compliance Manager GRC. You can get more work done with less labor, thanks to automated data collection, automated management plans, and automated document generation.


Compliance Manager GRC is priced to be affordable for the smallest organizations, yet boasts the power and functionality most often found in expensive, enterprise-class governance, risk and compliance platforms. Whether you are managing compliance for your own organization or are an MSP delivering compliance-as-a-service, there’s a sensible subscription for you.

Request a Demo today and discover the advantages of Compliance Manager GRC — the purpose-built compliance process management platform for multifunctional IT professionals.

Overcome the Biggest IT Challenges and Responsibilities

  • Reduce Risk
  • Reduce Complexity
  • Save Money
Get a Demo