
Overview

The Trust Services Criteria (TSC) are a set of control criteria issued by the American Institute of Certified Public Accountants (AICPA) for evaluating and reporting on controls at service organizations. The TSC form the basis for SOC 2 (System and Organization Controls 2) audits, which assess the design and operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality, and privacy. Wazuh helps organizations monitor the technical controls that support TSC compliance; organizational controls (policies, risk assessment, vendor management) still need evidence from outside the platform.

TSC Requirements Coverage

Wazuh maps security events to Trust Services Criteria through the rule.tsc field of each alert: a rule tagged with one or more criteria produces alerts carrying those criterion IDs, and the dashboard aggregates on that field. The criterion descriptions shown in the dashboard are defined in plugins/main/common/compliance-requirements/tsc-requirements.ts

Trust Services Categories

Availability (A)

A1.1
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
Control Objectives:
  • Monitor system resource utilization
  • Track capacity trends
  • Identify capacity constraints
  • Plan for capacity expansion
  • Maintain performance levels
Monitored by:
  • System resource alerts (CPU, memory, disk)
  • Performance degradation detection
  • Capacity threshold violations
  • Service availability monitoring
Wazuh Detection: Resource exhaustion alerts, performance warnings, capacity threshold breaches, system overload indicators
A1.2
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
Control Objectives:
  • Implement environmental protections
  • Deploy backup systems
  • Maintain recovery infrastructure
  • Monitor protection effectiveness
  • Test backup and recovery procedures
Monitored by:
  • Backup success/failure events
  • Environmental system failures
  • Recovery system status
  • Protection mechanism alerts
Wazuh Detection: Backup failures, environmental monitoring system alerts, infrastructure availability issues

Common Criteria (CC)

CC5: Control Activities

CC5.1
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Control Objectives:
  • Design effective controls
  • Implement risk mitigation measures
  • Select appropriate control activities
  • Deploy controls consistently
  • Monitor control effectiveness
Monitored by:
  • Control failure events
  • Risk mitigation effectiveness
  • Control bypass attempts
  • Security control violations
Wazuh Detection: Control failures, security violations, risk event detection, mitigation effectiveness metrics
CC5.2
The entity also selects and develops general control activities over technology to support the achievement of objectives.
Control Objectives:
  • Implement technology controls
  • Maintain security infrastructure
  • Deploy protective technologies
  • Monitor technology controls
Monitored by:
  • Technology control failures
  • Security technology status
  • Control effectiveness metrics
  • Technology configuration changes
Wazuh Detection: Security technology failures, configuration violations, control effectiveness indicators

CC6: Logical and Physical Access Controls

CC6.1
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
Control Objectives:
  • Deploy access control systems
  • Implement authentication mechanisms
  • Maintain authorization infrastructure
  • Protect information assets
  • Monitor access attempts
Monitored by:
  • Unauthorized access attempts
  • Authentication failures
  • Access control violations
  • Authorization bypasses
  • Privilege escalation
Wazuh Detection: Failed logins, unauthorized access, access control failures, authentication errors, privilege abuse
CC6.2
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
Control Objectives:
  • Register users properly
  • Authorize access appropriately
  • Issue credentials securely
  • Remove access when no longer needed
  • Maintain user lifecycle
Monitored by:
  • User registration events
  • Credential issuance
  • Account creation/deletion
  • Orphaned account detection
  • Unauthorized credential usage
Wazuh Detection: Account lifecycle events, unauthorized account creation, orphaned accounts, credential misuse
CC6.3
The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
Control Objectives:
  • Implement role-based access
  • Apply least privilege principle
  • Enforce segregation of duties
  • Manage access changes
  • Review access appropriateness
Monitored by:
  • Permission changes
  • Role assignments
  • Privilege escalation
  • Access level modifications
  • Segregation of duties violations
Wazuh Detection: Permission changes, inappropriate privilege usage, role violations, segregation of duties breaches
CC6.4
The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
Control Objectives:
  • Restrict physical access
  • Control facility entry
  • Monitor physical access
  • Protect sensitive areas
  • Track access to facilities
Monitored by:
  • Physical access events
  • Badge reader logs
  • Unauthorized entry attempts
  • Facility access violations
Wazuh Detection: Physical access control system integration, unauthorized access alerts, facility security events
CC6.6
The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
Control Objectives:
  • Deploy perimeter security
  • Implement firewalls and IDS/IPS
  • Monitor external threats
  • Block malicious traffic
  • Protect against attacks
Monitored by:
  • External attack attempts
  • Firewall blocks
  • Intrusion detection alerts
  • Malicious traffic detection
  • Threat intelligence matches
Wazuh Detection: Attack attempts, intrusion alerts, firewall events, external threat indicators, malicious activity
CC6.7
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
Control Objectives:
  • Encrypt data in transit
  • Control data movement
  • Monitor data transmission
  • Prevent unauthorized transfers
  • Protect data during movement
Monitored by:
  • Unencrypted transmissions
  • Unauthorized data transfers
  • Data exfiltration attempts
  • Insecure protocol usage
  • Data movement violations
Wazuh Detection: Unencrypted connections, data exfiltration, unauthorized transfers, insecure protocols
CC6.8
The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
Control Objectives:
  • Deploy anti-malware solutions
  • Update malware signatures
  • Scan for malicious software
  • Block malware execution
  • Remediate infections
Monitored by:
  • Malware detection events
  • Anti-virus alerts
  • Suspicious file execution
  • Malicious code indicators
  • Ransomware activity
Wazuh Detection: Malware alerts, virus detection, ransomware indicators, suspicious process execution

CC7: System Operations

CC7.1
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
Control Objectives:
  • Monitor configuration changes
  • Detect new vulnerabilities
  • Track configuration drift
  • Identify security weaknesses
  • Assess vulnerability exposure
Monitored by:
  • Configuration changes
  • Vulnerability scan results
  • Security weakness detection
  • Configuration baseline deviations
  • Patch status monitoring
Wazuh Detection: Configuration changes via FIM, vulnerability detection integration, baseline deviations, missing patches
CC7.2
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
Control Objectives:
  • Monitor system operations
  • Detect anomalies
  • Analyze security events
  • Identify malicious activity
  • Distinguish events from incidents
Monitored by:
  • All system security events
  • Anomalous behavior patterns
  • Malicious activity indicators
  • System operational anomalies
Wazuh Detection: Wazuh provides comprehensive security monitoring and anomaly detection through real-time event analysis
This criterion describes Wazuh’s core functionality - continuous security monitoring and event analysis.
CC7.3
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
Control Objectives:
  • Evaluate security events
  • Identify security incidents
  • Determine impact
  • Escalate appropriately
  • Prevent further damage
Monitored by:
  • Security event severity
  • Event correlation patterns
  • Impact indicators
  • Incident classification criteria
Wazuh Detection: Event correlation, alert severity levels, incident pattern recognition, impact assessment
CC7.4
The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.
Control Objectives:
  • Execute incident response
  • Contain security incidents
  • Remediate vulnerabilities
  • Communicate incidents
  • Document response actions
Monitored by:
  • Incident response activities
  • Containment actions
  • Remediation tracking
  • Response timeline
Wazuh Detection: Incident detection and alerting, providing data for incident response activities

CC8: Change Management

CC8.1
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
Control Objectives:
  • Authorize changes formally
  • Test changes before deployment
  • Document change procedures
  • Implement changes safely
  • Monitor change impacts
Monitored by:
  • Unauthorized changes
  • System modifications
  • Configuration changes
  • Software deployments
  • Infrastructure alterations
Wazuh Detection: File integrity monitoring for change detection, unauthorized modifications, system changes

Processing Integrity (PI)

PI1.4
The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.
Control Objectives:
  • Ensure output completeness
  • Verify output accuracy
  • Deliver outputs timely
  • Meet specification requirements
  • Monitor processing integrity
Monitored by:
  • Processing errors
  • Output validation failures
  • Delivery failures
  • Data integrity violations
Wazuh Detection: Application errors, processing failures, data integrity issues
PI1.5
The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.
Control Objectives:
  • Store data completely
  • Maintain data accuracy
  • Ensure timely storage
  • Meet storage specifications
  • Protect data integrity
Monitored by:
  • Storage errors
  • Data corruption
  • Integrity violations
  • Storage system failures
Wazuh Detection: File integrity monitoring, data corruption alerts, storage system errors

Using the TSC Dashboard

Accessing TSC Compliance View

1. Open TSC Module
   Navigate to the TSC section in the Wazuh Dashboard overview.
2. Review Trust Services Categories
   The dashboard displays criteria organized by category (A, CC, PI).
3. Filter by Criterion
   Click on criterion categories (A1, CC5, CC6, CC7, CC8, PI1) to view specific controls.
4. Analyze Control Effectiveness
   Review security events indicating control failures or operational issues.

Dashboard Components

The TSC dashboard includes:
  • Top criteria by alert count - Identifies areas needing attention
  • Category distribution - Shows coverage across trust services
  • Control effectiveness metrics - Tracks control implementation
  • Incident detection rates - Monitors security event trends
Source: plugins/main/public/components/overview/tsc/dashboards/dashboard-panels.ts

Data Source Implementation

The TSC data source filters events by the rule.tsc field:
const KEY_EXIST = 'rule.tsc';
Reference: plugins/main/public/components/common/data-source/pattern/events/tsc/tsc-data-souce.ts:5

Event Columns

TSC events table displays:
  • Timestamp
  • Rule description
  • TSC criterion (rule.tsc field)
  • Alert level
  • Trust services category
  • Agent information
Source: plugins/main/public/components/overview/tsc/events/tsc-columns.tsx:8

SOC 2 Audit Support

SOC 2 Type I vs. Type II

Type I
Assesses: Control design at a specific point in time
Wazuh Usage:
  • Document implemented security controls
  • Demonstrate control configuration
  • Show monitoring capabilities
  • Provide control descriptions
Evidence: Wazuh configuration, rule sets, monitoring scope

Type II
Assesses: Operating effectiveness of those controls over the whole audit period (commonly 6 or 12 months), so the evidence must show the controls running continuously, not just configured at one point in time
Evidence: Alert history covering the full period, retained logs, and the per-criterion reports described under Generating SOC 2 Evidence

Generating SOC 2 Evidence

1. Define Audit Period
   Select the SOC 2 audit period (e.g., 6 months or 12 months).
2. Export Control Evidence
   Generate reports for each applicable TSC criterion showing:
     • Control implementation
     • Control effectiveness
     • Exception handling
     • Incident response
3. Document Continuous Monitoring
   Demonstrate ongoing monitoring through:
     • Uptime reports
     • Alert statistics
     • Response times
     • Coverage metrics
4. Provide Exception Reports
   Export security events showing:
     • Control failures
     • Remediation actions
     • Resolution timeframes
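The data source described earlier keeps only alerts that carry the rule.tsc field, and the evidence procedure above asks for per-criterion reports restricted to the audit period. The following Python script is an added example (not Wazuh project code) that does both offline against alerts in the alerts.json line format: it applies the rule.tsc existence filter, drops alerts outside the audit window, counts alerts per criterion and per category (A, CC, PI), and collects alerts at or above a chosen level as candidate exceptions for step 4. The sample alert lines, agent names, period dates and the exception threshold (level 10) are constructed for this example; the tsc_from_groups helper reflects the Wazuh ruleset convention of tagging rules with tsc_<criterion> group names, which the manager emits as the rule.tsc array.

```python
"""SOC 2 evidence aggregation from Wazuh alerts, keyed on rule.tsc.

Added example, not Wazuh project code. Mirrors the TSC dashboard's
data source: keep alerts that carry rule.tsc, restrict them to the
audit period, count per criterion and per category, and collect
high-severity alerts per criterion as candidate exceptions.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample alerts in alerts.json line format (not real data).
# Rule ids and levels follow the stock ruleset; the fourth line has no
# rule.tsc and the fifth falls before the audit period.
SAMPLE_ALERTS = """
{"timestamp":"2024-01-15T08:00:00.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"srv-web-01"}}
{"timestamp":"2024-02-20T12:30:45.210+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed.","tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"srv-db-01"}}
{"timestamp":"2024-03-01T23:59:59.999+0000","rule":{"id":"5712","level":10,"description":"sshd: brute force trying to get access to the system.","tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"srv-web-01"}}
{"timestamp":"2024-03-02T00:10:00.000+0000","rule":{"id":"1002","level":2,"description":"Unknown problem somewhere in the system.","groups":["syslog","errors"]},"agent":{"id":"002","name":"srv-db-01"}}
{"timestamp":"2023-12-31T23:00:00.000+0000","rule":{"id":"5716","level":5,"description":"sshd: authentication failed.","tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"srv-web-01"}}
"""

# Assumed 6-month audit period for the example; end is exclusive.
PERIOD_START = datetime(2024, 1, 1, tzinfo=timezone.utc)
PERIOD_END = datetime(2024, 7, 1, tzinfo=timezone.utc)


def tsc_category(criterion):
    """'CC6.1' -> 'CC', 'A1.2' -> 'A', 'PI1.5' -> 'PI'."""
    return criterion.split(".", 1)[0].rstrip("0123456789")


def tsc_from_groups(groups):
    """Criteria a rule maps to, read from its tsc_<criterion> group tags."""
    return sorted(g[len("tsc_"):] for g in groups if g.startswith("tsc_"))


def parse_ts(ts):
    """Wazuh alert timestamps look like 2024-03-05T10:15:30.123+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def aggregate(alert_lines, period_start, period_end, exception_level=10):
    """Per-criterion / per-category counts and exception candidates."""
    by_criterion = Counter()
    by_category = Counter()
    exceptions = defaultdict(list)
    read = in_scope = 0
    for line in alert_lines:
        line = line.strip()
        if not line:
            continue
        read += 1
        alert = json.loads(line)
        rule = alert.get("rule", {})
        criteria = rule.get("tsc")
        if not criteria:                      # same filter as KEY_EXIST = 'rule.tsc'
            continue
        ts = parse_ts(alert["timestamp"])
        if not (period_start <= ts < period_end):
            continue                          # outside the audit period
        in_scope += 1
        for crit in criteria:
            by_criterion[crit] += 1
            by_category[tsc_category(crit)] += 1
            if rule["level"] >= exception_level:
                exceptions[crit].append({
                    "timestamp": alert["timestamp"],
                    "rule_id": rule["id"],
                    "level": rule["level"],
                    "description": rule["description"],
                    "agent": alert.get("agent", {}).get("name"),
                })
    return {
        "alerts_read": read,
        "alerts_in_scope": in_scope,
        "by_criterion": by_criterion,
        "by_category": dict(by_category),
        "exceptions": dict(exceptions),
    }


def render_report(result):
    """Plain-text per-criterion summary for an evidence package."""
    lines = [f"Alerts read: {result['alerts_read']}, in scope: {result['alerts_in_scope']}"]
    for crit, n in result["by_criterion"].most_common():
        exc = len(result["exceptions"].get(crit, []))
        lines.append(f"{crit:<6} {tsc_category(crit):<3} alerts={n:<4} exceptions={exc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(aggregate(SAMPLE_ALERTS.splitlines(), PERIOD_START, PERIOD_END)))
```

To run it against real data, pass an open file handle for /var/ossec/logs/alerts/alerts.json on the manager to aggregate instead of the sample lines. For a full Type II period that file is usually rotated, so the authoritative source is the wazuh-alerts-* indices in the indexer; the same filter and grouping can be expressed as a query there, and the counts should match what the dashboard's "top criteria by alert count" panel shows for the same time range.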

Trust Services Category Mapping

Security (All Organizations)

Criteria: CC6.1, CC6.2, CC6.3, CC6.6, CC6.7, CC6.8, CC7.1, CC7.2, CC7.3, CC7.4 (the mapped CC5.1, CC5.2, CC6.4 and CC8.1 criteria also belong to the Security category)
Wazuh Coverage: The technical security criteria (logical access, malware, threat detection, vulnerability management, incident handling) are monitored. The Security category formally spans every common criterion (CC1 to CC9); CC1 to CC4 and CC9 are governance and risk-management controls that are evidenced by policy and process documentation rather than by alerts.

Availability (When Applicable)

Criteria: A1.1, A1.2
Wazuh Coverage: System availability and capacity monitoring

Processing Integrity (When Applicable)

Criteria: PI1.4, PI1.5
Wazuh Coverage: Data integrity monitoring via FIM

Confidentiality (When Applicable)

Wazuh Coverage: Encryption monitoring, access control, data protection. No C-series criteria appear in the rule.tsc mapping, so confidentiality evidence from Wazuh is indirect, drawn from the CC6.1, CC6.3 and CC6.7 access and transmission controls.

Privacy (When Applicable)

Wazuh Coverage: Access logging and data access monitoring. No P-series criteria appear in the rule.tsc mapping, so privacy evidence from Wazuh is limited to the CC6 access events and CC7 monitoring that show who touched personal data; consent, notice and retention obligations must be evidenced elsewhere.

TSC to Other Framework Mapping

TSC criteria align with other compliance frameworks:
TSC Criterion   NIST 800-53   PCI DSS      HIPAA
CC6.1           AC.6          8.x          164.312.a.1
CC6.8           SI.3          5.1, 5.2     -
CC7.1           SI.2          6.2, 11.2    -
CC7.2           AU.6          10.6         164.312.b
CC8.1           CM.3          -            -
PI1.5           SI.7          11.5         164.312.c.2

Requirement Data Structure

The complete TSC requirements mapping:
export const tscRequirementsFile = {
  'A1.1': 'The entity maintains, monitors, and evaluates current processing capacity...',
  'A1.2': 'The entity authorizes, designs, develops or acquires...',
  'CC5.1': 'The entity selects and develops control activities...',
  'CC5.2': 'The entity also selects and develops general control activities...',
  'CC6.1': 'The entity implements logical access security software...',
  'CC6.2': 'Prior to issuing system credentials...',
  'CC6.3': 'The entity authorizes, modifies, or removes access...',
  'CC6.4': 'The entity restricts physical access to facilities...',
  'CC6.6': 'The entity implements logical access security measures...',
  'CC6.7': 'The entity restricts the transmission, movement...',
  'CC6.8': 'The entity implements controls to prevent or detect...',
  'CC7.1': 'The entity uses detection and monitoring procedures...',
  'CC7.2': 'The entity monitors system components...',
  'CC7.3': 'The entity evaluates security events...',
  'CC7.4': 'The entity responds to identified security incidents...',
  'CC8.1': 'The entity authorizes, designs, develops or acquires...',
  'PI1.4': 'The entity implements policies and procedures to make available...',
  'PI1.5': 'The entity implements policies and procedures to store inputs...',
};
Full definition: plugins/main/common/compliance-requirements/tsc-requirements.ts:12

Best Practices for SOC 2

Continuous Monitoring

Maintain Wazuh monitoring throughout the entire audit period for Type II reports.

Log Retention

Retain Wazuh alerts (and archives, if enabled) for the full audit period plus the time the auditor needs for fieldwork; check that index lifecycle or rotation policies on the indexer and manager do not delete data inside that window.

Document Exceptions

Treat alerts that indicate a control deviation (for example a failed backup, an unauthorized change, or a successful brute-force login) as potential exceptions, and document the remediation and closure of each one; routine low-level alerts are evidence that monitoring operates, not exceptions in themselves.

Control Testing

Use Wazuh data to demonstrate control testing and effectiveness.

Incident Response

Maintain evidence of incident detection and response using Wazuh alerts.

Change Management

Use FIM data to support change management procedures (CC8.1).

Common Criteria (CC) Focus

The Common Criteria (CC) apply to all SOC 2 reports. (These are the SOC 2 "common criteria", unrelated to the ISO/IEC 15408 Common Criteria used for product security evaluation.) The series Wazuh maps rules to are:
  • CC5 - Control Activities (foundational)
  • CC6 - Logical and Physical Access (security)
  • CC7 - System Operations (monitoring and incident response)
  • CC8 - Change Management (integrity)
Wazuh provides technical monitoring evidence for these four series. The remaining common criteria (CC1 Control Environment, CC2 Communication and Information, CC3 Risk Assessment, CC4 Monitoring Activities, CC9 Risk Mitigation) are evidenced by governance documentation rather than by alerts.

Related pages:
  • Compliance Overview
  • File Integrity Monitoring (/modules/file-integrity-monitoring) - Supports CC7.1, CC8.1, PI1.5
  • Log Analysis (/modules/threat-hunting) - Supports CC7.2
  • Incident Response (/guides/threat-analysis) - Supports CC7.3, CC7.4
  • Vulnerability Detection (/modules/vulnerability-detection) - Supports CC7.1