TSC Crosswalk Guide

Cross-reference Trust Services Criteria to your policies and control activities.

SOC 2 TSC crosswalk template preview (SOC-023)
.xlsx SOC-023

TSC Crosswalk

Cross-reference Trust Services Criteria to your policies and control activities.

Get SOC 2 Phase 3 Audit & Evidence Bundle
How to Fill Out This TSC Crosswalk

SOC 2 TSC crosswalk template — Maps each TSC point to internal documents — foundation for SOC-024 ownership.

Recommended Owner: Compliance Lead

What this file is for

Document purpose

Crosswalk Trust Services Criteria to policies and typical evidence.

In your program: In Scope? column drives SOC-024 and SOC-022 — only Yes rows need full mapping.

Before you start

Getting Started

  • Enable Editing; read the Instructions sheet first for tab order and version metadata.
  • Use dropdowns in validated columns; delete gray sample rows before auditor samples.
  • Check Dashboard after updates — formulas flag gaps and acceptance rates.

Document tour

Fill out the file section by section

Work through the sections below in order. Each block matches a heading or tab in the downloaded SOC-023 file.

Instructions
  • Import in-scope criteria from SOC-003A; do not delete seed CC rows without Legal review.
  • After editing Instructions, search for `[` placeholders and gray sample names — auditors flag incomplete templates.
TSC Crosswalk
  • Requirement Summary can be abbreviated but Criteria ID must stay exact (CC6.1, etc.).
  • Typical Evidence Examples = what you will actually provide (export names, report titles).
  • In Scope? dropdown Yes/No — No rows excluded from SOC-022 unless auditor agrees.

TSC Criteria

  • Fill TSC Criteria for every in-scope row on TSC Crosswalk — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Requirement Summary

  • Fill Requirement Summary for every in-scope row on TSC Crosswalk — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Policy / Procedure Ref

  • Fill Policy / Procedure Ref for every in-scope row on TSC Crosswalk — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Typical Evidence Examples

  • Fill Typical Evidence Examples with a URL, ticket, or export path auditors can open — not a local-only path.
  • Re-verify links before fieldwork; broken evidence links are a common audit finding.

In Scope?

  • Fill In Scope? for every in-scope row on TSC Crosswalk — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Notes

  • Fill Notes for every in-scope row on TSC Crosswalk — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Quality check

Before You Finalize

  • Every Yes row has Policy/Procedure Ref and Typical Evidence filled.
  • Out-of-scope criteria documented with Notes (carve-out rationale).

Evidence

Where to Store It

  • Store the completed file in your compliance evidence folder (signed PDF for policies).
  • Register the document in COR-013 with version, owner, and next review date.
  • Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.

Next Steps

After customizing TSC Crosswalk:

  1. 1Complete the file: Finish every section or tab in SOC-023.
  2. 2Register: Add version and owner to COR-013.
  3. 3Operationalize: Train owners listed in the document.
  4. 4Evidence: Keep exports auditors can sample during fieldwork.
Get SOC 2 Phase 3 Audit & Evidence Bundle See what’s included