SOC 2 has no fixed control count. The AICPA defines 61 Trust Services Criteria — 33 mandatory Common Criteria across CC1-CC9, plus 28 in the four optional categories: Availability (3), Confidentiality (2), Processing Integrity (5), and Privacy (~18 across P1-P8). Each organization designs its own controls — commonly 60 to 100+ — to satisfy the criteria in its chosen scope. The AICPA publishes criteria, not a control list.
Key takeaways
- There is no official AICPA control checklist. The 2017 Trust Services Criteria (TSP section 100) define 61 criteria supported by roughly 300 points of focus; you design controls to meet them.
- Security is the only mandatory category. Its nine Common Criteria series (CC1-CC9) appear in every SOC 2 report; Availability, Confidentiality, Processing Integrity, and Privacy are optional add-ons.
- CC1-CC5 map directly to the COSO 2013 framework (5 components, 17 principles); CC6-CC9 are supplemental criteria unique to the Trust Services framework.
- The 2022 revision changed only the points of focus, not the criteria. The 61 criteria are unchanged from 2017, so a well-built control set stays current in 2026.
Criteria vs. controls vs. points of focus — what the AICPA actually publishes
The single most common misconception about SOC 2 is that the AICPA hands out a master control list you tick off. It does not. The AICPA publishes the 2017 Trust Services Criteria (With Revised Points of Focus — 2022) in TSP section 100 — a set of objectives your system must meet. You then design controls that satisfy those objectives, and a licensed CPA firm tests whether your controls meet the criteria. Two companies with identical scope can pass with completely different control sets.
This distinction matters because your control count is a design decision, not a fixed number. It also explains why a "SOC 2 controls list PDF" downloaded from a vendor is really a starter template mapped to the criteria — useful, but not authoritative. Four terms are worth keeping straight before you read the tables below.
| Concept | Who defines it | Example | How the auditor uses it |
|---|---|---|---|
| Criterion | AICPA (2017 TSC) | CC6.1 — logical access security over protected information assets | The objective tested; the report opinion is expressed against the criteria |
| Point of focus | AICPA (revised 2022) | "Manages credentials for infrastructure and software" | Illustrative guidance; helps assess whether a criterion is met, but is not itself required |
| Control | Your organization | "MFA is enforced on all administrator accounts; access is provisioned via ticketed approval" | The safeguard the auditor inspects and tests |
| Evidence | Your organization | IdP configuration export, access-request tickets, a quarterly access review | Proof the control was designed (Type I) and operated over the period (Type II) |
One more clarification a CPA firm makes that generic guides skip: the Trust Services Criteria are a separate document from the AICPA's 2018 Description Criteria (also revised in 2022, published in the DC section). The Description Criteria govern how you write the system description and management assertion — the narrative sections of the report — while the Trust Services Criteria govern the controls the auditor opines on. This page is about the Trust Services Criteria.
The 5 SOC 2 Trust Services Criteria categories at a glance
SOC 2 organizes its criteria into five Trust Services Categories. Security — the Common Criteria — is the baseline present in every report; the other four are elective and chosen to match the commitments you make to customers. This examination is performed by a CPA firm under the AICPA's SOC 2 audit attestation standards; whether it tests design only or design plus operating effectiveness is the Type I vs Type II distinction.
| Category | TSC code range | # of criteria | Mandatory? | Who typically selects it |
|---|---|---|---|---|
| Security (Common Criteria) | CC1.1-CC9.2 | 33 | Yes — always | Every organization |
| Availability | A1.1-A1.3 | 3 | Optional | SaaS with uptime/SLA commitments |
| Confidentiality | C1.1-C1.2 | 2 | Optional | Vendors handling sensitive data or IP |
| Processing Integrity | PI1.1-PI1.5 | 5 | Optional | Fintech, payments, data-processing platforms |
| Privacy | P1-P8 series | ~18 | Optional | Companies handling personal data (GDPR/CCPA) |
| Total (all categories) | — | 61 | — | Supported by ~300 points of focus |
A quick word on currency: the "2022" in the document title refers only to revised points of focus. The AICPA did not change any criterion in 2022 — the 61 criteria are identical to the 2017 set. So if a checklist says "2017 TSC," it is not out of date; the criteria simply have not changed.
The Common Criteria (CC1-CC9): the full index
The Common Criteria are the security backbone of every SOC 2 report. They comprise 33 individual criteria organized into nine series. Critically, CC1 through CC5 map one-to-one to the five components and 17 principles of the COSO 2013 Internal Control — Integrated Framework, while CC6 through CC9 are supplemental criteria the AICPA added for the Trust Services framework specifically. The centerpiece index below is the map most teams work from.
| Series | Name | # criteria | COSO mapping | Example controls | Typical evidence |
|---|---|---|---|---|---|
| CC1 | Control Environment | 5 | Principles 1-5 | Code of conduct, org chart, board oversight, background checks | Signed policies, board minutes, HR records |
| CC2 | Communication & Information | 3 | Principles 13-15 | Security policy distribution, internal & external comms channels | Policy acknowledgments, status pages, training logs |
| CC3 | Risk Assessment | 4 | Principles 6-9 | Annual risk assessment, fraud consideration, change-risk analysis | Risk register, risk-assessment report |
| CC4 | Monitoring Activities | 2 | Principles 16-17 | Ongoing evaluations, internal audit, deficiency remediation | Monitoring reports, remediation tracker |
| CC5 | Control Activities | 3 | Principles 10-12 | Control selection, technology controls, policy deployment | Control matrix, procedure documents |
| CC6 | Logical & Physical Access | 8 | Supplemental | Provisioning/deprovisioning, MFA, encryption, boundary protection | Access reviews, IdP config, encryption settings |
| CC7 | System Operations | 5 | Supplemental | Vulnerability scanning, monitoring, incident response | Scan reports, alerts, incident tickets, IR tests |
| CC8 | Change Management | 1 | Supplemental | Change authorization, testing, approval, rollback | Change tickets, PR approvals, CI/CD logs |
| CC9 | Risk Mitigation | 2 | Supplemental | Risk-mitigation activities, vendor/subservice risk management | Vendor reviews, insurance, subservice SOC reports |
The three sections that trip teams up most are CC6, CC7, and CC9. CC1-CC5 are largely governance and documentation; CC6-CC9 are where operational engineering evidence lives, and where auditors spend the most time. The two deep-dive tables below expand CC6 and CC7 to the individual-criterion level.
CC1 — Control Environment
CC1 (five criteria, CC1.1-CC1.5) establishes the tone at the top: commitment to integrity and ethics, board independence and oversight, management's organizational structure and authority, commitment to competence, and accountability. It is the foundation the technical criteria rest on, and maps to COSO principles 1-5.
CC2 — Communication and Information
CC2 (three criteria) requires that relevant, quality information supports internal control, that it is communicated internally, and that it is communicated externally to parties such as customers. Example controls include distributing security policies and maintaining a public status page or trust portal.
CC3 — Risk Assessment
CC3 (four criteria) requires specifying objectives clearly enough to identify and assess risk, identifying and analyzing risk, assessing fraud risk, and evaluating how changes could affect the control system. The core artifact is a documented, periodically refreshed risk register.
CC4 — Monitoring Activities
CC4 (two criteria) requires ongoing and separate evaluations to confirm controls are present and functioning, and communication of deficiencies for timely correction. This is where internal audit, control self-assessments, and — for technical controls — penetration testing and continuous monitoring provide evidence.
CC5 — Control Activities
CC5 (three criteria) requires selecting and developing control activities that mitigate risk, selecting technology-based control activities, and deploying controls through policies and procedures. It is the bridge from risk assessment to the specific technical and operational controls in CC6-CC9.
CC8 — Change Management
CC8 contains a single criterion, CC8.1, but it carries heavy weight: the entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures. In practice this is your change-management and SDLC control — evidenced by change tickets, pull-request approvals, and CI/CD pipeline records.
CC9 — Risk Mitigation
CC9 has two criteria. CC9.1 covers identifying and developing risk-mitigation activities for business disruptions (including consideration of insurance). CC9.2 covers vendor and business-partner risk management — how you assess and monitor subservice organizations such as AWS, GCP, or Azure. This is the criterion that connects directly to the CUECs and subservice controls discussed below.
CC6 deep-dive: Logical & Physical Access Controls (CC6.1-CC6.8)
CC6 is the largest common-criteria series (eight criteria) and the most heavily tested area of any SOC 2 examination. The 2022 revision expanded its points of focus notably — for example, clarifying that logical access should be managed across employees, contractors, vendors, and business partners, and adding guidance on recovering devices such as laptops and phones. Below is each criterion with example control language and the artifact an auditor typically requests.
| Criterion | Focus | Example control language | Example evidence artifact |
|---|---|---|---|
| CC6.1 | Logical access security & provisioning | Access to systems is provisioned via approved request; least privilege enforced; MFA required | Access-request tickets, IdP/RBAC config, MFA policy export |
| CC6.2 | Registration & authorization of new users | New user access is authorized before granting; credentials issued to identified users only | Onboarding approvals, joiner tickets |
| CC6.3 | Modification & removal of access | Access is modified on role change and revoked on termination within SLA | Deprovisioning tickets, quarterly access review |
| CC6.4 | Physical access | Physical access to facilities/data centers is restricted and logged | Badge logs, data-center provider SOC report |
| CC6.5 | Disposal of physical assets | Data is securely wiped before hardware is repurposed or destroyed | Certificates of destruction, wipe logs |
| CC6.6 | Boundary protection | Perimeter is protected against threats from outside the system boundary (firewalls, WAF) | Firewall rules, security-group config, WAF logs |
| CC6.7 | Data transmission & movement | Data is encrypted in transit; movement to/from the system is controlled | TLS config, encryption settings, DLP policy |
| CC6.8 | Malicious software prevention | Unauthorized or malicious software is prevented and detected on endpoints/servers | EDR/anti-malware config, endpoint compliance report |
A fully worked example: CC6.1
To show what a real report row looks like, here is CC6.1 traced end to end. Criterion: the entity implements logical access security software, infrastructure, and architectures over protected information assets. Control: "MFA is enforced for all administrative access, and privileged access is provisioned only through a ticketed, manager-approved request." Test of control (Type II): the auditor selects a sample of accounts granted during the period and inspects the approval and MFA enrollment. Evidence: IdP configuration export plus the sampled access-request tickets. Result: "No exceptions noted" — or, if an approval is missing, an exception that may lead to a qualified opinion.
CC7 deep-dive: System Operations (CC7.1-CC7.5)
CC7 is the operational-security series: how you detect, respond to, and recover from vulnerabilities and incidents. It sits just behind CC6 in audit attention, and the 2022 points of focus strengthened its guidance around handling confidential information during operations. Two criteria draw the most scrutiny — CC7.2 (security monitoring) and CC7.4 (incident response).
| Criterion | Focus | Example control language | Example evidence artifact |
|---|---|---|---|
| CC7.1 | Vulnerability detection & configuration | Configurations are monitored against a baseline; vulnerabilities are scanned for regularly | Vulnerability-scan reports, config-baseline evidence |
| CC7.2 | Security monitoring | Anomalies and security events are monitored, logged, and analyzed | SIEM/alert config, sample alerts, log-retention settings |
| CC7.3 | Evaluation of security events | Detected events are evaluated to determine whether they are incidents | Triage records, severity-classification procedure |
| CC7.4 | Incident response | A defined incident-response plan governs containment, remediation, and communication | IR plan, incident tickets, post-incident review |
| CC7.5 | Recovery from incidents | The entity identifies, develops, and implements activities to recover from incidents | Recovery runbooks, incident-closure records |
A frequent design gap here mirrors the one in Availability: a written incident-response plan exists (CC7.4) but there is no evidence it has ever been exercised. Auditors increasingly expect a tabletop or live test, not just a document.
The four additional categories and their criteria
Beyond Security, you add categories that reflect the promises you make to customers. Each brings its own criteria, controls, and evidence. Note the recurring nuance in Availability's A1.3: the recovery plan must be tested, not merely documented — a written DR/BCP with no test evidence is one of the most common exceptions in the whole framework.
| Category | Criteria IDs | What it evaluates | Example control | Example evidence |
|---|---|---|---|---|
| Availability | A1.1-A1.3 | Capacity, environmental protection, backup & recovery testing | Backups run daily; DR plan tested annually (A1.3) | Backup logs, DR test report, capacity monitoring |
| Confidentiality | C1.1-C1.2 | Identifying, retaining, and disposing of confidential information | Confidential data is classified and disposed of per policy | Data-classification policy, disposal records |
| Processing Integrity | PI1.1-PI1.5 | Complete, valid, accurate, timely, authorized processing | Input validation and reconciliation over processed transactions | Validation rules, reconciliation reports, error logs |
| Privacy | P1-P8 series (~18) | Lifecycle of personal information: notice, consent, collection, use/retention, access, disclosure, quality, monitoring | Privacy notice published; consent captured; DSAR process | Privacy policy, consent records, DSAR log |
Availability (A1.1-A1.3)
Availability has three criteria: A1.1 (capacity management), A1.2 (environmental protections, backup, and recovery infrastructure), and A1.3 (testing recovery-plan procedures). Most SaaS companies that publish uptime SLAs add Availability. The A1.3 testing requirement is the one to watch.
Confidentiality (C1.1-C1.2)
Confidentiality has two criteria: C1.1 (identifying and maintaining confidential information) and C1.2 (disposing of it). It applies when you commit to protecting non-personal sensitive data — customer datasets, source code, or IP. It crosswalks naturally to HIPAA safeguards when the confidential data is health information.
Processing Integrity (PI1.1-PI1.5)
Processing Integrity has five criteria covering whether processing is complete, valid, accurate, timely, and authorized. It is most relevant to fintech, payments, and analytics platforms where customers rely on the correctness of outputs, not just their confidentiality.
Privacy (P1-P8 series)
Privacy is the largest optional category — roughly 18 criteria organized into eight series covering the full personal-information lifecycle: P1 notice, P2 choice and consent, P3 collection, P4 use/retention/disposal, P5 access, P6 disclosure to third parties, P7 quality, and P8 monitoring and enforcement. It is the natural on-ramp for organizations already subject to GDPR or CCPA, and its access and disclosure criteria map closely to GDPR data-subject rights.
How to choose which categories to include
Selecting categories is a scoping decision, not a compliance formality — every category you add multiplies controls and evidence. The rule of thumb: include a category only if you make a commitment to customers that it covers. When you are ready to formalize this, our guide to scoping your SOC 2 systems walks through the mechanics.
| Your business type | Recommended categories beyond Security | Rationale | Common customer trigger |
|---|---|---|---|
| General B2B SaaS | Availability | You publish uptime commitments and SLAs | "What's your SLA / status page?" |
| Fintech / payments | Availability, Processing Integrity, Confidentiality | Customers rely on accurate, complete transaction processing | Procurement + financial-controls review |
| Healthtech | Availability, Confidentiality (+ Privacy) | PHI demands confidentiality; often paired with HIPAA | BAA and security questionnaire |
| Privacy-regulated / consumer data | Privacy, Confidentiality | You process personal data under GDPR/CCPA | DPA and privacy due-diligence review |
| Infrastructure / data platform | Availability, Confidentiality, Processing Integrity | You are a subservice provider others depend on | Downstream customers' own SOC 2 scope |
Once categories are set, the practical next step is turning criteria into an operating plan — our SOC 2 readiness checklist maps each criterion to owners and evidence, and the SOC 2 audit timeline shows how it sequences.
SOC 2 to ISO 27001 & NIST CSF crosswalk
If you already run — or plan to run — ISO 27001 or NIST, the good news is significant overlap. Roughly 70% of SOC 2 controls satisfy ISO 27001 Annex A requirements, so a single control library can serve both with modest additions. The mapping below is directional (it links CC series to their closest counterparts) and is a common reason teams pursue the two frameworks together.
| SOC 2 series | ISO 27001:2022 Annex A (closest) | NIST CSF 2.0 function |
|---|---|---|
| CC1 Control Environment | A.5 Organizational controls; leadership (Cl. 5) | Govern (GV) |
| CC2 Communication | A.5 policies; A.6 people controls | Govern / Identify |
| CC3 Risk Assessment | Clause 6.1 risk assessment | Identify (ID) |
| CC4 Monitoring | Clause 9 performance evaluation | Identify / Detect |
| CC5 Control Activities | A.5 / A.8 technological controls | Protect (PR) |
| CC6 Access Controls | A.5.15-A.5.18, A.8.2-A.8.5 (access, crypto) | Protect (PR.AA, PR.DS) |
| CC7 System Operations | A.8.15-A.8.16 logging/monitoring; A.5.24-A.5.28 incidents | Detect (DE) / Respond (RS) |
| CC8 Change Management | A.8.32 change management | Protect (PR) |
| CC9 Risk Mitigation | A.5.19-A.5.23 supplier relationships | Govern / Recover (RC) |
Treat this as a starting point, not a substitute for a formal mapping exercise. The exact Annex A control depends on how you have written each SOC 2 control, but the CC6 → access/cryptography and CC9 → supplier-relationship links are stable across frameworks.
CUECs and subservice controls — the controls that aren't yours
A complete controls list includes controls you don't operate but depend on. SOC 2 reports formalize two such categories, both tied to CC9.2's vendor-risk criterion.
Complementary User Entity Controls (CUECs) are controls the report assumes your customers operate for the overall control objectives to be met — for example, "user entities are responsible for provisioning and deprovisioning their own end-user accounts in the application." If your customers don't perform them, the assurance is incomplete on their side.
Complementary Subservice Organization Controls (CSOCs) are controls the report assumes your subservice providers operate — most commonly your cloud platform (AWS, GCP, Azure). When you use the "carve-out" method, you exclude the subservice provider's controls from your description but list the CSOCs you rely on and monitor them (typically by reviewing the provider's own SOC 2 report). This is exactly the vendor-monitoring evidence CC9.2 expects.
Common exceptions by criterion — and how to fix them
Certain criteria generate the same findings audit after audit. Knowing them in advance is the cheapest insurance; for the full playbook see our guide to common SOC 2 findings.
| Criterion | Common exception | Root cause | Fix |
|---|---|---|---|
| CC6.1 / CC6.2 | Access granted without documented approval | Ad-hoc provisioning outside the ticketing flow | Enforce access requests through an approval workflow; sample-test monthly |
| CC6.3 | Terminated user retained access | Deprovisioning not tied to HR offboarding | Automate revocation on termination; run quarterly access reviews |
| CC7.4 | IR plan exists but was never tested | Plan treated as a document, not a drill | Run an annual tabletop; retain the after-action record |
| CC8.1 | Emergency changes lack approval trail | Hotfixes bypass change control | Define an emergency-change path that still captures approval |
| A1.3 | Backups exist but recovery was never tested | DR plan documented but not exercised | Perform and document an annual restore/DR test |
| CC9.2 | Critical vendors not reviewed | No cadence for reviewing subservice SOC reports | Maintain a vendor register; review key providers' SOC 2s annually |
A note on tooling: platforms such as Vanta, Drata, and Secureframe ship prebuilt control libraries mapped to these criteria and automate evidence collection. They accelerate the work, but they collect evidence — they don't create your controls or replace the auditor's independent testing. The control design and its operation are still yours to own, tested under our audit methodology.
Frequently asked questions
How many SOC 2 controls are there?
SOC 2 has no fixed control count. The AICPA defines 61 Trust Services Criteria — 33 mandatory Common Criteria across CC1-CC9, plus 28 in the optional Availability, Confidentiality, Processing Integrity, and Privacy categories. Each organization designs its own controls, typically 60 to 100 or more, to satisfy the criteria in its chosen scope.
What are the SOC 2 Common Criteria (CC1-CC9)?
The nine Common Criteria series are CC1 Control Environment, CC2 Communication and Information, CC3 Risk Assessment, CC4 Monitoring Activities, CC5 Control Activities, CC6 Logical and Physical Access Controls, CC7 System Operations, CC8 Change Management, and CC9 Risk Mitigation. All apply to the mandatory Security category, and CC1-CC5 map to the COSO 2013 framework.
What are the five SOC 2 Trust Services Criteria categories?
The five categories are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the Common Criteria) is mandatory in every SOC 2 report; the other four are optional and selected based on the service commitments a company makes to customers and what enterprise buyers require.
Is there an official SOC 2 controls checklist from the AICPA?
No. The AICPA publishes the 2017 Trust Services Criteria (with 2022 revised points of focus), not a control checklist. Criteria are the objectives an auditor tests; controls are the specific safeguards each organization designs to meet them, so the exact control list is unique to every company's scope.
What is the difference between a SOC 2 criterion and a control?
A criterion (for example CC6.1) is an AICPA-defined objective a system must meet. A control is the specific safeguard your organization implements to satisfy that criterion, such as enforcing MFA on all administrator accounts. Points of focus are AICPA examples that clarify a criterion, and evidence proves the control operated.
Which SOC 2 Trust Services Criteria should my company include?
Every SOC 2 report includes Security. Add Availability if you make uptime commitments (most SaaS), Confidentiality for sensitive customer data or IP, Processing Integrity for fintech and data-processing platforms, and Privacy when you handle personal information under laws such as GDPR or CCPA.
Did the 2022 update change the SOC 2 Trust Services Criteria?
No. The 2022 revision updated only the points of focus — the illustrative guidance beneath each criterion — not the criteria themselves. The 61 criteria are unchanged from the 2017 Trust Services Criteria, so a control set built to the 2017 criteria remains current in 2026.
Sources & further reading
- AICPA & CIMA — 2017 Trust Services Criteria (With Revised Points of Focus — 2022), TSP section 100.
- AICPA & CIMA — SOC 2® — SOC for Service Organizations: Trust Services Criteria.
- COSO — Internal Control — Integrated Framework (2013).
- AICPA — Statement on Standards for Attestation Engagements No. 18 (SSAE 18); SOC 2 examinations are performed under AT-C section 205 (SOC 1 under AT-C section 320). Note SSAE 21 has since been issued, but AT-C 205 remains the operative citation for SOC 2 examinations in 2026.
Map your controls to the criteria — with a CPA firm
Auditsuisse is a US & Swiss licensed CPA firm. We'll help you select the right categories, design controls that satisfy each criterion, and test them under our SOC 2 audit services — with a fixed fee quoted after a short scoping call.
Request Consultation