SOC 2 (AICPA TSP-100)

International

5 domains

51 controls

AICPA Trust Services Criteria 2017 with 2022 Points of Focus. Used in SOC 2 Type 1 and Type 2 examinations.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (5)

Availability

3 controls

Controls in the Availability domain of SOC 2 (AICPA TSP-100) — 3 controls
Code	Title	Description
A1.1	Capacity Management	Entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity de...
A1.2	Environmental Protections, Backups, Recovery Infrastructure	Entity authorizes, designs, develops, implements, operates, approves, maintains, and monitors environmental protections,...
A1.3	Recovery Plan Testing	Entity tests recovery plan procedures supporting system recovery to meet its objectives.

Common Criteria

33 controls

Controls in the Common Criteria domain of SOC 2 (AICPA TSP-100) — 33 controls
Code	Title	Description
CC1.1	Commitment to Integrity and Ethical Values	Entity demonstrates a commitment to integrity and ethical values through tone at the top, codes of conduct, and processe...
CC1.2	Board Independence and Oversight	Board of directors demonstrates independence from management and exercises oversight of the development and performance...
CC1.3	Management Structures, Reporting Lines, Authorities	Management establishes structures, reporting lines, authorities, and responsibilities in pursuit of objectives with appr...
CC1.4	Commitment to Competence	Entity demonstrates commitment to attract, develop, and retain competent individuals in alignment with objectives.
CC1.5	Accountability for Internal Control	Entity holds individuals accountable for their internal control responsibilities in pursuit of objectives.
CC2.1	Information Quality	Entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
CC2.2	Internal Communication	Entity internally communicates information, including objectives and responsibilities for internal control, to support f...
CC2.3	External Communication	Entity communicates with external parties regarding matters affecting the functioning of internal control.
CC3.1	Objective Clarity	Entity specifies objectives with sufficient clarity to enable identification and assessment of risks relating to objecti...
CC3.2	Risk Identification and Analysis	Entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determi...
CC3.3	Fraud Risk Assessment	Entity considers the potential for fraud in assessing risks to the achievement of objectives.
CC3.4	Change Assessment	Entity identifies and assesses changes that could significantly impact the system of internal control.
CC4.1	Ongoing and Separate Evaluations	Entity selects, develops, and performs ongoing and separate evaluations to ascertain whether components of internal cont...
CC4.2	Deficiency Communication	Entity evaluates and communicates internal control deficiencies in a timely manner to parties responsible for taking cor...
CC5.1	Control Selection and Development	Entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectiv...
CC5.2	Technology General Controls	Entity selects and develops general control activities over technology to support the achievement of objectives.
CC5.3	Policy Deployment	Entity deploys control activities through policies that establish what is expected and procedures that put policies into...
CC6.1	Logical Access Security Software and Infrastructure	Entity implements logical access security software, infrastructure, and architectures over protected information assets.
CC6.2	User Registration and Authorization	Prior to issuing system credentials, entity registers and authorizes new internal and external users whose access is adm...
CC6.3	Role-Based Access and Least Privilege	Entity authorizes, modifies, or removes access to data, software, functions, and other resources based on roles, respons...
CC6.4	Physical Access Restrictions	Entity restricts physical access to facilities and protected information assets to authorized personnel.
CC6.5	Asset Disposal and Data Destruction	Entity discontinues logical and physical protections over physical assets only after the ability to read or recover data...
CC6.6	Boundary Protection	Entity implements logical access security measures to protect against threats from sources outside its system boundaries...
CC6.7	Data Transmission and Movement Controls	Entity restricts the transmission, movement, and removal of information to authorized internal and external users and pr...
CC6.8	Unauthorized or Malicious Software Prevention	Entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to m...
CC7.1	Vulnerability and Configuration Management	To meet objectives, entity uses detection and monitoring procedures to identify changes to configurations that result in...
CC7.2	Security Event Monitoring	Entity monitors system components and the operation of those components for anomalies that are indicative of malicious a...
CC7.3	Security Event Evaluation	Entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its...
CC7.4	Incident Response	Entity responds to identified security incidents by executing a defined incident-response program to understand, contain...
CC7.5	Incident Recovery	Entity identifies, develops, and implements activities to recover from identified security incidents.
CC8.1	Change Management	Entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infr...
CC9.1	Business Disruption Risk Mitigation	Entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruption...
CC9.2	Vendor and Business Partner Risk Management	Entity assesses and manages risks associated with vendors and business partners.

Confidentiality

2 controls

Controls in the Confidentiality domain of SOC 2 (AICPA TSP-100) — 2 controls
Code	Title	Description
C1.1	Identification and Maintenance of Confidential Information	Entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality.
C1.2	Disposal of Confidential Information	Entity disposes of confidential information to meet the entity's objectives related to confidentiality.

Privacy

8 controls

Controls in the Privacy domain of SOC 2 (AICPA TSP-100) — 8 controls
Code	Title	Description
P1.1	Notice to Data Subjects	Entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy.
P2.1	Choice and Consent	Entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal inf...
P3.1	Collection Limitation	Personal information is collected consistent with the entity's objectives related to privacy and limited to that which i...
P4.1	Use, Retention, and Disposal of Personal Information	Entity limits the use, retention, and disposal of personal information to the purposes identified in its objectives rela...
P5.1	Access by Data Subjects	Entity provides data subjects with access to their personal information for review and updates, and responds to requests...
P6.1	Disclosure and Notification	Entity discloses personal information with the consent of data subjects or as required, and notifies affected parties an...
P7.1	Quality of Personal Information	Entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's obj...
P8.1	Monitoring and Enforcement of Privacy	Entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquir...

Processing Integrity

5 controls

Controls in the Processing Integrity domain of SOC 2 (AICPA TSP-100) — 5 controls
Code	Title	Description
PI1.1	Quality Information for Processing	Entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to pr...
PI1.2	Input Completeness and Accuracy	Entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to resu...
PI1.3	Processing Completeness, Accuracy, Timeliness, Authorization	Entity implements policies and procedures over system processing to result in products, services, and reporting to meet...
PI1.4	Output Completeness, Accuracy, Distribution	Entity implements policies and procedures to make available or deliver output completely, accurately, and timely in acco...
PI1.5	Storage Integrity of Records and Outputs	Entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and...

Frequently Asked Questions

What is SOC 2 (AICPA TSP-100)?

SOC 2 (AICPA TSP-100) is a compliance framework from International with 5 domains and 51 controls. AICPA Trust Services Criteria 2017 with 2022 Points of Focus. Used in SOC 2 Type 1 and Type 2 examinations. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does SOC 2 (AICPA TSP-100) have?

SOC 2 (AICPA TSP-100) has 51 controls organised across 5 domains. The largest domains are Common Criteria (33 controls), Privacy (8 controls), Processing Integrity (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does SOC 2 (AICPA TSP-100) map to?

SOC 2 (AICPA TSP-100) does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with SOC 2 (AICPA TSP-100) compliance?

Start your SOC 2 (AICPA TSP-100) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about SOC 2 (AICPA TSP-100) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 51 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required