Picking the right Trust Services Criteria — beyond Security.
When to add Availability, Confidentiality, Processing Integrity or Privacy without bloating the audit.

Use this checklist as a working artefact. Every item is something MAST Consulting Group has watched pass or fail under audit on a SOC 2 programme — not theoretical good practice. The order matters: the early items are gating, the later items are refinements that only pay off once the basics are in place.
Definition
The AICPA Trust Services Criteria (TSC) define five categories for SOC 2: Security (CC series, mandatory), Availability (A1), Processing Integrity (PI1), Confidentiality (C1) and Privacy (P series). Organisations select applicable categories based on system commitments and user entity expectations; each additional category adds 8–20 criteria and increases audit scope, cost and evidence burden.
Why it matters
The pressure on SOC 2 programmes is shifting in specific, observable ways:
- Availability (A1) criteria are required by BFSI customers with contractual SLA obligations (e.g. 99.9% uptime) — without A1, the SOC 2 report does not cover the dimension most important to infrastructure-dependent buyers.
- Processing Integrity (PI1) is mandated by payment processors and fintech customers using the service for transaction handling — SAMA-regulated payment service providers require PI1 coverage in vendor SOC 2 reports.
- Privacy (P series, aligned to AICPA Privacy Management Framework) overlaps significantly with DIFC PDPL Article 10–14 obligations — including Privacy in the SOC 2 scope provides dual-use evidence for UAE regulator inquiries.
- Each additional TSC category adds AED 25K–60K in CPA audit fees and 40–80 hours of internal evidence preparation — selecting categories without clear buyer demand wastes capital at early-stage companies.
Evidence sources to capture
What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:
- Customer commitment matrix — spreadsheet listing each enterprise customer's contractual SLAs (uptime, processing accuracy, confidentiality clauses) mapped to the TSC category that covers them
- System description (SOC 2 Section 3) — narrative description of the system boundaries, principal service commitments and the TSC categories selected, reviewed and approved by management
- SLA monitoring dashboard exports — availability metrics (uptime %, MTTR, MTBF) from tools like Datadog, New Relic or PagerDuty covering the observation period (A1 evidence)
- Data classification policy and data flow diagram — identifying confidential data flows that trigger C1 criteria applicability; reviewed by CPA during fieldwork
- Privacy notice and consent management records — OneTrust or Cookiebot exports showing consent capture timestamps, data subject request log with response times (P series evidence)
Recommended next actions
A 90-day plan, sequenced so each step produces evidence the next step depends on:
- Day 0–30: Compliance Manager reviews top-10 enterprise customer MSAs and RFP security questionnaires to identify which TSC categories are explicitly required; conducts a 2-hour workshop with Sales and Legal to confirm selection.
- Day 31–60: For each selected TSC category beyond Security, map existing controls to the criteria using the AICPA mapping guide; identify gaps (e.g. no formal availability testing procedure for A1.2) and assign remediation owners.
- Day 61–90: Implement gap controls for selected categories: configure Datadog SLA dashboard for A1, implement data handling procedures for C1, conduct DPIA for P series; collect initial evidence samples.
- Day 90+: Confirm TSC selection with CPA firm before observation window begins; document the rationale for excluded categories in writing (e.g. 'PI1 excluded — no transaction processing in scope') for management sign-off.
- Ongoing: Annually review TSC selection against evolving customer base and product scope; add categories proactively if ≥3 enterprise customers request them in the next contract cycle.
Example metrics
Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:
- TSC selection accuracy: 0 customer escalations citing a missing TSC category in the SOC 2 report within 12 months of issuance
- Availability uptime coverage: system uptime ≥99.9% documented over the observation period for A1 inclusion
- Additional audit cost per TSC category: AED 25K–60K — tracked against incremental revenue from customers requiring that category
- Gap closure before observation window: 100% of identified TSC-specific control gaps remediated before observation period start date
- Privacy request response time: ≤30 days for data subject requests — 100% compliance rate for P series applicability
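The A1 and P-series figures above (uptime %, MTTR, MTBF, data subject request response time) are only defensible evidence if the auditor can reproduce them from the raw incident and request records. The following is an added example written for this checklist, not MAST Consulting Group tooling or any monitoring vendor's export format; the observation window, outage records and request records are constructed. It clips outages to the window, merges an incident that two monitors logged separately so it is not double counted, tests the result against the 99.9% commitment, and computes the 30-day DSR compliance rate while distinguishing open requests that have already breached the SLA from those still inside it.

```python
# Added example: reproducing the A1 and P-series metrics above from raw
# records. Illustrative code written for this checklist, not MAST Consulting
# Group tooling; the incident and request records below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


def availability_metrics(window_start: datetime, window_end: datetime,
                         outages: list) -> dict:
    """Uptime %, MTTR and MTBF (hours) over the observation window.

    Outage time outside the window is clipped, and overlapping outages are
    merged so an incident logged twice (e.g. by two monitors) is not double
    counted. MTBF is None when there are fewer than two incidents.
    """
    if window_end <= window_start:
        raise ValueError("observation window must have positive length")
    clipped = []
    for o in outages:
        s, e = max(o.start, window_start), min(o.end, window_end)
        if e > s:                       # drop incidents wholly outside the window
            clipped.append((s, e))
    merged = []
    for s, e in sorted(clipped):
        if merged and s <= merged[-1][1]:   # overlaps or touches the previous one
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    total = window_end - window_start
    downtime = sum((e - s for s, e in merged), timedelta())
    n = len(merged)
    mttr = downtime.total_seconds() / 3600 / n if n else 0.0
    mtbf = None
    if n >= 2:
        gaps = [merged[i + 1][0] - merged[i][1] for i in range(n - 1)]
        mtbf = sum(gaps, timedelta()).total_seconds() / 3600 / len(gaps)
    return {
        "uptime_pct": round(100.0 * (total - downtime) / total, 4),
        "mttr_hours": round(mttr, 2),
        "mtbf_hours": None if mtbf is None else round(mtbf, 2),
        "incidents": n,
    }


def meets_commitment(uptime_pct: float, commitment_pct: float = 99.9) -> bool:
    """A1 check against the contractual uptime figure (99.9% in the text)."""
    return uptime_pct >= commitment_pct


def dsr_compliance(requests: list, as_of: datetime, sla_days: int = 30) -> dict:
    """Share of data subject requests answered within sla_days.

    requests: (received, closed) pairs, closed=None for still-open requests.
    An open request past the SLA counts as a breach; an open request still
    inside the SLA is 'pending' and excluded from the rate.
    """
    limit = timedelta(days=sla_days)
    within = breached = pending = 0
    for received, closed in requests:
        if closed is None:
            if as_of - received > limit:
                breached += 1
            else:
                pending += 1
        elif closed - received <= limit:
            within += 1
        else:
            breached += 1
    decided = within + breached
    return {"within_sla": within, "breached": breached, "pending": pending,
            "rate": round(within / decided, 4) if decided else 1.0}


# Constructed sample data: a Q1 2024 observation window (91 days) with five
# logged outages, one before the window and one logged twice.
WINDOW = (datetime(2024, 1, 1), datetime(2024, 4, 1))
SAMPLE_OUTAGES = [
    Outage(datetime(2023, 12, 20, 8), datetime(2023, 12, 20, 9)),         # before window
    Outage(datetime(2024, 1, 15, 2), datetime(2024, 1, 15, 3)),           # 60 min
    Outage(datetime(2024, 2, 10, 10, 0), datetime(2024, 2, 10, 10, 20)),  # same incident,
    Outage(datetime(2024, 2, 10, 10, 10), datetime(2024, 2, 10, 10, 40)), # two monitors
    Outage(datetime(2024, 3, 31, 23, 40), datetime(2024, 4, 1, 1)),       # clipped to 20 min
]
SAMPLE_REQUESTS = [
    (datetime(2024, 1, 5), datetime(2024, 1, 20)),   # 15 days: within SLA
    (datetime(2024, 2, 1), datetime(2024, 3, 10)),   # 38 days: breach
    (datetime(2024, 3, 1), None),                    # open 31 days: breach
    (datetime(2024, 3, 20), None),                   # open 12 days: pending
]


def sample_availability() -> dict:
    return availability_metrics(*WINDOW, SAMPLE_OUTAGES)


def sample_dsr() -> dict:
    return dsr_compliance(SAMPLE_REQUESTS, as_of=datetime(2024, 4, 1))


if __name__ == "__main__":
    a = sample_availability()
    print(a, "meets 99.9%:", meets_commitment(a["uptime_pct"]))
    print(sample_dsr())
```

With the constructed data the window has 2 hours of merged downtime across 3 incidents, which is 99.9084% uptime and just clears the commitment; the same records with the duplicate incident counted twice, or with the out-of-window outage included, would not be a figure the reviewer accepts, which is why the merge and clip steps belong in the evidence script rather than in a spreadsheet afterwards.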
The working checklist
Use this list during your next SOC 2 review cycle. The phrasing is intentionally observable — every item is something a reviewer can sample for, not an aspiration.
- Verify: the controls library mapped to TSC.
- Verify: evidence samples per control.
- Verify: exception log.
- Verify: the Type II report (Sections I–V).
- Verify: controls that are designed but operated inconsistently across the window.
- Verify: user access reviews completed late or without an independent reviewer.
Pitfalls we keep seeing
Across MAST Consulting Group's SOC 2 portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.
- Pattern: sub-service organisations not disclosed in Section III.
- Pattern: incident response runbooks that don't reference the in-scope environment.
- Pattern: controls that are designed but operated inconsistently across the window.
- Pattern: user access reviews completed late or without an independent reviewer.
What good looks like, in every case: the same control evidenced inside the workflow it governs, not separately for the audit.
Tooling we actually reach for
MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on SOC 2 engagements because the integrations are cheap and the evidence is defensible:
- Drata / Vanta / Secureframe for evidence collection
- GitHub / GitLab for change evidence
- Okta / Entra for access reviews
Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
How MAST Consulting Group can help
MAST Consulting Group runs SOC 2 programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.
If anything in this checklist is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for SOC 2 programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
Get SOC 2 Type II without slowing engineering.
An opinionated control library, evidence cadence and audit-firm coordination tuned for SaaS teams selling into US and Gulf enterprises.
- Trust Services Criteria selection workshop
- Pre-mapped control library and evidence templates
- Auditor-of-record introductions
Prefer email? info@mastcgroup.com. A senior consultant replies within one business day.