SOC 2 Trust Services Criteria

AICPA SOC 2 Trust Services Criteria (TSP Section 100, 2017 criteria with Revised Points of Focus 2022) covering Security (Common Criteria CC1-CC9), Availability (A1), Confidentiality (C1), Processing Integrity (PI1), and Privacy (P1-P8). Standard for US-facing SaaS and service organisations; increasingly required by Indian fintech, AI/ML SaaS, and healthcare vendors selling into US enterprise procurement.

Composition

65 controls currently indexed; participates in 32 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Anti-malware protection with EDR and email/web safeguards
• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
• Business continuity and ICT recovery readiness
• Cloud shared responsibility — CSC/CSP RACI
• Continuous monitoring of networks, systems, applications, and outsourced development
• Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum
• Cyber security roles, responsibilities, and authority — Board through operational team
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Data subject / Data Principal rights — operational rights mechanism
• Incident response execution — detection through eradication, recovery, and lessons learned
• Incident response plan preparation, independent review, and risk-response planning
• Logical and physical access restriction — least privilege baseline
• Multi-factor authentication — universal MFA across access types
• Network protection — segmentation, monitoring, perimeter, and data leak prevention
• PCI DSS PAN protection — storage minimisation, masking, encryption
• PCI DSS Targeted Risk Analysis (TRA) — flexibility and customised approach
• PCI DSS e-skimming protection — payment page script integrity
• PCI DSS v4.0.1 customised approach with targeted risk analysis
• PCI DSS v4.0.1 universal MFA expansion to all CDE access
• Personal data erasure — trigger-driven with propagation
• Physical access controls — secure areas, entry monitoring, asset protection
• Privacy governance — legal, regulatory, contractual, and algorithmic obligations
• Privileged access management and access rights lifecycle
• Processing integrity — change management, redundancy, clock synchronisation, storage integrity
• Ransomware-resilient backup architecture
• Secure SDLC — threat modelling, secure coding, SAST/DAST, dependency scanning, DevSecOps
• Secure configuration baselines and hardening discipline
• Secure disposal of equipment, media, and personal information
• Security reporting governance — CISO, DPO, incident reporting, compliance reporting
• Vulnerability management programme — discovery, prioritisation, remediation
• Workforce security awareness, role-based training, and human-factor controls