The five AICPA criteria categories underpinning SOC 2: Security, Availability, Confidentiality, Processing Integrity, Privacy.
The Trust Services Criteria (2017, revised 2022) are the AICPA's control criteria used to evaluate the suitability of design and the operating effectiveness of controls in SOC 2 engagements. The Security category (Common Criteria, CC1–CC9) is mandatory; the other four (A, C, PI, P) are optional and are chosen based on customer commitments.