Which SOC 2 Categories Should You Include? A Comprehensive Guide

As organizations prioritize data security and privacy and regulatory requirements become more prevalent, companies need measures to report upon and provide assurance to stakeholders over their data security posture. SOC 2 is a widely recognized standard to provide that security assurance. However, scoping a SOC 2 can be intimidating without a baseline understanding of how to approach it.

An organization can include five categories within the Trust Service Criteria in a SOC 2 report: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

During the planning phase of a SOC 2 examination, it is critical to scope in the appropriate category or categories within your SOC 2 report to maximize its value. To scope the appropriate categories in your examination, you should focus on the commitments made to the broad base of your customers (known as the Principal Service Commitments) and the type of service(s) your organization provides to your customers.

Let’s review the 5 Trust Service Criteria categories and how they may apply to your organization while planning a SOC 2 examination:



The Security category, also known as the Common Criteria, is the foundational category of SOC 2. Regardless of whether your organization provides services or hosts an application in the cloud, generally, every issued SOC 2 report includes the Security category.

In this category, the auditor will test controls related to the governance of your security program, your risk assessment and mitigation process, your monitoring activities, logical and physical access controls over pertinent systems and data, vulnerability identification and management, event and incident management processes, change management, and vendor management.



The Availability category focuses on performance and capacity management, monitoring your systems or platform, business continuity, disaster recovery plans and infrastructure, and testing your resiliency and recovery protocols.

Typically, the Availability Category is scoped into the SOC 2 report if you are making commitments to your users regarding system or platform uptime, meeting service level agreements (SLAs), etc.

If your users are worried about service availability, we recommend that the Availability category be in-scope for your SOC 2 report.


Processing Integrity

The Processing Integrity category will include controls that help ensure your customers’ data or transactions are processed in a complete, accurate, and timely manner, in accordance with any such commitments you have made.

Processing Integrity evaluates the inputs, processing activities, and outputs to achieve your processing requirements. Payroll companies, transaction processors, claims processors, etc., are examples of companies that may include the Processing Integrity category.



The Confidentiality category requires your organization to demonstrate how it identifies, handles, and classifies confidential information throughout its lifecycle. This includes the collection, storage, and disposal of confidential information.

The Confidentiality category should be in-scope in your SOC 2 report if you are making commitments around handling confidential data, such as the disposal or deletion of customer data within a given timeframe after the customer leaves the service, upon contract termination, or predefined retention policies.



The Privacy category includes controls around how your organization collects, handles, updates, communicates, and provides rights to data subjects over personally identifiable information (PII). If your organization has commitments around collecting or processing PII, then the Privacy category may be a consideration.

The Privacy category contains a set of generally accepted privacy principles that your organization should consider and implement controls around. If your organization is a personal data processor but does not deal directly with data subjects, then aspects of the Privacy criteria may not be applicable. However, adding the Category to convey details about your privacy program to your users can still be beneficial.

Choosing the SOC 2 categories that best fit your organization’s products, services, and customer commitments is crucial. It helps organizations mature their processes while assuring customers that their trust is well-placed. Each category defines the scope of the SOC 2 examination and should include the relevant controls the company has put into operation.

Organizations should work with their SOC 2 auditor to define the appropriate categories and ensure a comprehensive examination to maximize the effectiveness of their SOC 2 program.

Contact us today to get started.

Written By:

Ryan Whitehead

Ryan Whitehead is a Manager with AssurancePoint based out of San Diego, California. He is responsible for managing SOC examination engagements and is AssurancePoint’s healthcare practice lead. Ryan is focused on building exceptional client relationships and maximizing the value of his clients’ compliance initiatives. Prior to AssurancePoint Ryan’s experience includes security auditing across various industries and firms including the Big 4. Ryan earned a Bachelor of Information Science and Technology from the University of Wisconsin, Milwaukee and a Master’s in Information Systems from Auburn University. Ryan has also achieved the Certified Information System Audit (CISA), Certified in Cloud Knowledge (CCSK), and the Advanced SOC certifications.
What Are SOC Reports – The Basics 2

SOC 1 vs SOC 2: Choosing the Right Examination

System and Organization Controls 1 and 2 (SOC 1 and SOC 2) reports are both related tointernal controls within organizations, but they serve different purposes and audiences. Whichone is right for your organization? It will depend on the use case of the report and...

Security Events vs. Security Incidents

Security Events vs. Security Incidents

In the world of cybersecurity, a common misunderstanding often exists within organizations - the distinction between security events and security incidents. We audit a lot of organizations’ incident management protocols, and the lack of a distinction between event...

How to Evaluate Auditors 2

How to Evaluate Auditors

Selecting an audit firm can, and probably should, feel daunting. After all, you hopefully will work with this firm for many years to come, so it shouldn’t be a rushed decision. Many organizations make the mistake of letting cost be the primary driver of choosing an...

Factors That Create a Positive Compliance Experience

Factors That Create a Positive Compliance Experience

There is no doubt in my mind that I have seen vastly more audit horror stories and unsatisfied auditees on public forums and social media than I have seen people raving about a positive audit experience. Auditing is an extremely tough profession, and we auditors...

How to Prepare for a SOC 2 Security Assessment 2

How to Prepare for a SOC 2 Security Assessment

Security assessments, such as SOC 2 reports, are increasingly becoming a requirement in modern business. Organizations often approach us needing a SOC 2 but need help knowing where to start. So, let's break down the significant steps in preparing for a SOC 2....

What Are SOC Reports – The Basics 2

What Are SOC Reports – The Basics

Introduction System and Organization Controls (SOC) reports have become one of the most common methods for organizations to demonstrate their services and provide stakeholders assurance over their internal control environments. SOC reports can seem like a very...

What Is A SOC 1 And Do You Need One

What Is a SOC 1 and Do You Need One?

So, you have a customer telling you they need your SOC 1 report, but you do not currently have one and you need guidance on how to obtain one. This is a common problem we see in clients and is generally a positive sign that your firm is growing and obtaining larger...