SOC 2: Trust Services Criteria and Secure IT in 2022


With COVID-19, always-online eCommerce and the migration to remote, distributed workforces, IT security is more important now than ever. In some industries, regulations can dictate the privacy and security requirements that every organization must meet. In others, those regulations may be less rigorous or even non-existent. That’s why many organizations turn to additional frameworks to shore up their approach to security. That’s where SOC 2 comes in. 

System and Organization Controls (SOC), originally named Service Organization Control, is a reporting framework maintained by the American Institute of Certified Public Accountants (AICPA) to help service organizations demonstrate how they protect client and customer data. Because the framework is robust and focused, many organizations, not only financial institutions, pursue a SOC 2 attestation report as part of a larger security and customer relationship strategy. Strictly speaking, SOC 2 is an attestation issued by an independent CPA firm rather than a certification, although the word “certification” is widely used in practice. 

In 2022, after such dynamic shifts in our lives (particularly those tied to digital information), SOC 2 is more important than ever. Specifically, the five Trust Services Criteria can serve as the backbone of modern privacy and compliance strategies. 

 

What Is the CIA Triad in SOC 2?

Before digging into the criteria that make up SOC 2, it’s essential to understand the operational priorities that inform them. Fortunately, SOC 2 draws from a relatively well-known grouping of approaches that can serve as the foundation of most security strategies. 

These priorities are:

  • Confidentiality: Information must remain secure and private. This can mean protecting customer information from outside, unauthorized access, or partitioning data access internally so that employees who are not authorized to see confidential information cannot expose it to the outside world. Confidentiality is the cornerstone of any security compliance framework, including SOC 2 Security. 
  • Integrity: Data moves through IT systems in complex and often unintended ways. Because of this, information can become corrupted, or be unintentionally (or even maliciously) modified. SOC 2’s focus on data integrity is meant to ensure that, no matter the system, information remains intact, auditable and traceable. 
  • Availability: Information should be secure, of course. But data isn’t of use to anyone, customer or organization, if it can’t be reached when it is needed. This priority emphasizes the capacity of an organization to provide secure, reliable access to data so that it can be processed by that organization or managed by the customer. 

These three aspects aren’t isolated, hence their arrangement into a triad. A robust and secure system must be able to manage privacy and security controls across the entirety of its IT infrastructure and associated practices, many of which will touch on two or all three of these priorities. 

 

What Are the Five Trust Services Criteria?


Now, with the CIA priorities in place, SOC 2 defines different areas of focus for compliance with the framework. These areas, called the Trust Services Criteria (TSC), address specific aspects of SOC 2 attestation that organizations must meet for the criteria they choose to report on. Each criterion addresses a group of controls and practices the organization must implement and be able to evidence to the auditor.

The Five Trust Services Criteria are:

Security

These controls govern how your organization protects system data and resources from unauthorized access. Specifically, security measures under this criterion should prevent unauthorized access, disclosure or damage that could affect confidentiality, integrity or availability. 

Measures in this criterion can include vulnerability scanning, endpoint security, penetration testing, multi-factor authentication (MFA), anti-malware and firewalls. 

 

Availability

As in the CIA triad, availability here emphasizes the ability of authorized business users and customers to access relevant data and systems when they need them. Practices and measures in this criterion can include system backups and disaster recovery, uptime commitments, redundancy technologies and performance monitoring. 

 

Processing Integrity

This criterion refers to the ability of your IT system and associated practices to ensure that information is complete, valid, accurate and authorized as it travels through different technologies. Supporting controls include input validation and error-checking, reconciliation of inputs against outputs, content and data audits, and controlled data storage. 

Ensuring processing integrity also includes programs like data Quality Assurance/Quality Control (QA/QC) and process monitoring. 
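The four words in the criterion (complete, valid, accurate, authorized) each map to a concrete check. The following Python script is an added example written for this page, not code from the original post or from Lazarus Alliance. It assumes a hypothetical batch format in which a producer sends records, a trailer with control totals, and an HMAC tag computed with a shared key; the key, field names and sample records are constructed for illustration only.

```python
"""Illustrative processing-integrity checks over a constructed batch.

Added example, not from the original page or Lazarus Alliance. The batch
format, the control-totals trailer and the shared HMAC key are assumptions
for illustration only.
"""
import hashlib
import hmac
import json

# Assumed shared key between producer and consumer (illustration only).
SHARED_KEY = b"example-shared-key-not-for-production"


def sign_batch(records, key=SHARED_KEY):
    """Return the HMAC-SHA256 tag over the canonical JSON of the records."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_batch(records, key=SHARED_KEY):
    """Build a batch: records, a trailer with control totals, and a tag."""
    return {
        "records": records,
        "trailer": {
            "count": len(records),
            "total_cents": sum(r["amount_cents"] for r in records),
        },
        "tag": sign_batch(records, key),
    }


def check_batch(batch, key=SHARED_KEY):
    """Return a list of findings; an empty list means the batch passed.

    Each check maps to one of the four processing-integrity properties.
    """
    findings = []
    records = batch.get("records", [])
    trailer = batch.get("trailer", {})

    # Authorized: the tag must verify under the producer's key before the
    # content is trusted. compare_digest avoids a timing side channel.
    expected = sign_batch(records, key)
    if not hmac.compare_digest(expected, batch.get("tag", "")):
        findings.append("authorized: HMAC tag does not verify")

    # Valid: every record has the required fields with the right types.
    for i, r in enumerate(records):
        if not isinstance(r.get("id"), int) or not isinstance(r.get("amount_cents"), int):
            findings.append(f"valid: record {i} has missing or mistyped fields")
        elif r["amount_cents"] <= 0:
            findings.append(f"valid: record {i} has non-positive amount")

    # Complete: contiguous sequence numbers and a count matching the trailer.
    ids = [r.get("id") for r in records if isinstance(r.get("id"), int)]
    if ids and sorted(ids) != list(range(min(ids), min(ids) + len(ids))):
        findings.append("complete: sequence has gaps or duplicates")
    if len(records) != trailer.get("count"):
        findings.append("complete: record count differs from trailer")

    # Accurate: the control total must match the sum of the records.
    actual_total = sum(
        r["amount_cents"] for r in records if isinstance(r.get("amount_cents"), int)
    )
    if actual_total != trailer.get("total_cents"):
        findings.append("accurate: control total differs from trailer")

    return findings


# Constructed sample batches.
GOOD = make_batch([
    {"id": 101, "amount_cents": 1250},
    {"id": 102, "amount_cents": 999},
    {"id": 103, "amount_cents": 4000},
])

# Tampered in transit: an amount is changed after the producer signed it.
TAMPERED = json.loads(json.dumps(GOOD))
TAMPERED["records"][1]["amount_cents"] = 99999

# Dropped in transit: the middle record is lost, trailer left unchanged.
DROPPED = json.loads(json.dumps(GOOD))
del DROPPED["records"][1]

if __name__ == "__main__":
    for name, batch in [("good", GOOD), ("tampered", TAMPERED), ("dropped", DROPPED)]:
        print(name, check_batch(batch) or "ok")
```

Running the script shows the good batch passing, the tampered batch failing the authorization and accuracy checks, and the dropped-record batch failing authorization, both completeness checks and accuracy. The point for an audit is that each finding is traceable to a named control, which is the kind of evidence a SOC 2 examiner asks for under Processing Integrity.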

 

Confidentiality

Unlike security, which focuses on keeping unauthorized users out of a system, confidentiality protects certain kinds of data from unauthorized viewing or disclosure, typically data the organization has committed to protect under contract or agreement. These forms of data vary between organizations and can include business plans, transactional information, technical schematics or intellectual property. 

Confidentiality is ensured through data encryption, Identity and Access Management (IAM), MFA and other security measures. 

 

Privacy

Privacy, like confidentiality, is about limiting who can see data, but it applies specifically to personal information about individuals, including Personally Identifiable Information (PII) such as names, addresses and ID numbers, Protected Health Information (PHI) and similar records. Where confidentiality asks whether data is protected, privacy also asks how personal information is collected, used, retained, disclosed and disposed of, measured against the organization’s own privacy notice. 

In practice, that means appropriate data encryption or obfuscation, the usual security measures, IAM controls and MFA, plus documented handling rules for personal information across its lifecycle. 

The critical thing to understand about SOC 2 attestation is that while these criteria are fixed in the language of the framework, how an organization meets them depends on its operations and lines of business. A SOC 2 report describes how that organization’s specific infrastructure and practices meet the requirements. While some controls (encryption, MFA and the like) look much the same across organizations, others (processing integrity in particular) vary with what the system actually does. 

When an organization undergoes an audit, it may choose to be assessed against one or more of these criteria. However, every organization seeking SOC 2 attestation must, at minimum, meet the requirements of the Security TSC, which is why the Security-only SOC 2 report is the most common.

 

Are SOC 2 and the TSC Similar to Other Regulations?

Adhering to the Trust Services Criteria in SOC 2 serves several positive purposes:

  1. Meeting SOC 2 requirements aligns business practices and IT infrastructure with best practices for protecting confidentiality, integrity and availability. 
  2. Partners and customers wanting assurance that a business associate takes the security of their information seriously will often appreciate, if not require, that businesses they work with meet SOC 2 standards. 
  3. SOC 2 requirements can align with other challenging regulations, particularly if your organization meets all five. For example, meeting SOC 2 TSC requirements can readily position an organization to adapt to regulations and frameworks like HIPAA security, PCI DSS, NIST 800-53 security and privacy controls and ISO 27000 series security standards (specifically ISO 27001 and ISO 27002). 

 

Prepare For and Meet SOC 2 Attestation Requirements

SOC 2 attestation calls for a good understanding of the requirements, of your internal IT configurations, and of how to align the latter with the former. Lazarus Alliance has decades of experience and a proven track record of helping our clients meet their SOC 2 attestation and continuing audit demands. 

 

Ready to Start Your SOC 2 Audits?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

