Independent reference. Not affiliated with the AICPA or any audit firm. See methodology.

SOC 2 Trust Services Criteria: how each one changes your audit cost.

Security is mandatory. The other four (Availability, Confidentiality, Processing Integrity, Privacy) are scope choices. Each adds roughly 18 percent to audit fees and proportionate readiness time. This page sets out the per-criterion cost lever.
Section 01

Per-criterion cost section

Security (mandatory). The baseline. Common Criteria controls cover access management, change management, risk assessment, system operations, and communication. Every SOC 2 report includes Security. There is no SOC 2 without it.

Confidentiality. Adds controls around classification of confidential information, retention and disposal, and protection during transmission. Audit fee impact: roughly 18 percent. Readiness time impact: 10 to 12 percent. Customer-driven where contractual confidentiality clauses are common.

Availability. Adds controls around system monitoring, capacity planning, incident response for availability events, backup and restoration. Audit fee impact: roughly 18 percent. Readiness time impact: 10 to 12 percent. Customer-driven where uptime SLAs are part of the contract.

Processing Integrity. Adds controls around data input completeness and accuracy, processing accuracy, and quality assurance procedures. Audit fee impact: roughly 18 percent. Readiness time impact: 10 percent. Mostly relevant for transaction-processing platforms (payments, billing, data pipelines).

Privacy. Adds controls around notice, choice and consent, collection, retention, disclosure, access, quality, and monitoring of personal information. Audit fee impact: roughly 18 percent. Readiness time impact: 15 to 20 percent (heavier than the other three). Adding the Privacy criterion to a SOC 2 scope formalises controls that are already required for any processor under GDPR. For teams that are also building a privacy budget independently, the GDPR-specific cost drivers are detailed at gdprcompliancecost.com.

Section 02

Minimum-viable scope

For a first-time SOC 2 with no specific customer driver, Security only is sufficient. It produces a complete SOC 2 attestation, costs the least, and leaves room to add criteria in year 2 if customers ask. For B2B SaaS where customer contracts already include confidentiality language, add Confidentiality from the start to avoid a year-2 scope expansion. For platforms with uptime SLAs, add Availability.

Resist the temptation to add criteria you do not yet need. Each one adds cost, readiness time, and ongoing maintenance. Scope can always grow at renewal; it cannot easily shrink once customers expect it.

Section 03

Cost-modelled scope examples

Scope-driven audit fee, mid-tier CPA, 25 to 50 employee SaaS, Type 2

Scope                                        Audit fee            Year-1 all-in
Security only                                £22,000 – £32,000    £32,000 – £58,000
Security + Confidentiality                   £26,000 – £38,000    £37,000 – £67,000
Security + Confidentiality + Availability    £30,000 – £43,000    £42,000 – £75,000
Security + Confidentiality + Privacy         £33,000 – £47,000    £48,000 – £85,000
All five criteria                            £37,000 – £52,000    £55,000 – £100,000
Section 04

Try the scope toggle

Tick Security plus any subset of the optional four to see the audit-fee delta update live. The numbers shown are the audit-fee component only; readiness and tooling lines move at similar but smaller rates per added criterion.

Scope toggle: TSC cost impact (audit fee delta only). Security is the mandatory baseline and is always in scope; the other four criteria are optional and customer-driven. Baseline audit fee for a 25 to 50 employee SaaS, mid-tier CPA, Type 2, Security only: £22,000 – £32,000.
Note

Each additional TSC adds roughly 18 percent to the audit-fee line. Readiness time is also affected, by 8 to 12 percent per criterion. Numbers above show the audit fee delta only.

Cross-reference

For the readiness component that scales with each criterion, see the readiness cost page. For the audit-fee tier that scales with the criteria total, see the audit firm fees page. For the scale-up bracket where adding criteria becomes a budget conversation in itself, see the scale-up cost page.

Section 05

FAQ

How many Trust Services Criteria do most companies pick?
Two or three. Security is mandatory. Confidentiality is added in roughly 70 percent of B2B SaaS reports because customer data carries contractual confidentiality. Availability is added in roughly 30 to 40 percent where uptime SLAs are part of the contract. Processing Integrity and Privacy are less common, each appearing in 10 to 20 percent of reports.
Can we add Trust Services Criteria mid-engagement?
Technically yes, but it adds 10 to 25 percent to the audit fee for that year. The scope expansion has to be reflected in the engagement letter, the readiness work has to extend, and the observation window has to be re-validated against the new criteria. It is consistently cheaper to scope correctly at the start.
Does the Privacy criterion replace GDPR compliance?
No. The Privacy TSC and GDPR overlap materially but are separate frameworks. The Privacy criterion attests that controls are in place to meet AICPA Privacy criteria; GDPR compliance is a UK or EU regulatory obligation. The two complement each other and share evidence, but neither replaces the other.
Which TSC adds the most cost?
Privacy typically adds the most readiness work because of the documentation depth required (data inventories, processor relationships, DSAR handling). Audit-fee impact is broadly comparable across the four optional criteria, around 18 percent each, but readiness time is materially heavier on Privacy.