Everything you need to know
Security and customers first

Request a demo

Find out today the difference that Hicomply’s unique solution can make to your business.


Thank you for your request


In the meantime, connect with Hicomply for insights on authentication and fraud prevention


ROI Calculator

See how much you could save with Hicomply

Hicomply feature Yearly saving
Automated scoping Easily scope your ISMS with the Hicomply platform
Asset register autogeneration A shorter learning curve for organisations and a simplified process
Risk assessment Autogenerate your risk register and risk treatment plan
Extended policy templates 90% of the essential are already written out of the box
Controls framework All controls are pre-loaded and already linked to the risks they mitigate
Task management Automate all actions, administration and setup time of your ISMS
Real time monitoring Understand status and progress across your ISMS with the Hicomply dashboard
Compliance & Training Your whole team, on the same page
Audit readiness Hicomply makes sure you have everything in place for your audit
Auditor access Give auditors a dedicated login to access and audit your ISM
Back to Resource Hub

SOC 2 Controls: CC5 Control Activities


SOC 2 CC5.1 requires that your organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

CC5.1 highlights the following points of focus:

Integrates With Risk Assessment

Your organisation’s control activities should help ensure that risk responses that both address and alleviate risks are undertaken.

Considers Organisation-Specific Factors

The management team should consider how the environment, complexity, nature, and scope of its operations, as well as the specific attributes of the organisation, impact the selection and progression of control activities.

Determines Appropriate Business Processes

Your management team should determine which relevant business procedures require control activities.

Considers a Mix of Control Activity Types

Your organisation’s control activities should include a range and variety of controls, and may include a balance of approaches to mitigate risks. This may include considering both manual and automated controls as well as preventive and detective controls.

Considers at What Level Activities Are Applied

The management team should consider control activities at multiple levels in the organisation.

Addresses Segregation of Duties

Your management team should separate incompatible duties and, where such separation is not practical, management should select and develop alternate control activities.


SOC 2 CC5.2 requires that your organisation selects and develops general control activities over technology to support the achievement of objectives.

CC5.2 highlights the following points of focus:

Determines Reliance Between the Use of Technology in Business Processes and Technology General Controls

The management team should understand and establish the dependency and connection between business processes, automated control activities, and technology general controls.

Determines Relevant Technology Infrastructure Control Activities

Management should select and develop control activities over the technology infrastructure. These control activities should be designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.

Establishes Appropriate Security Management Process Controls Activities

The management team should select and develop control activities that are designed and implemented to restrict technology access rights to authorised users in line with with their job responsibilities and to protect your organisation’s assets from external threats.

Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

Management should select and develop control activities pertaining to the acquisition, development, and maintenance of technology and its infrastructure to achieve the management team’s objectives.


SOC 2 CC5.2 requires that your organisation deploys control activities through policies that establish what is expected and in procedures that put policies into action.

CC5.3 highlights the following points of focus:

Creates Policies and Procedures to Support Implementation of Management’s Directives

Management should establish control activities that are built into business procedures as well as employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.

Establishes Responsibility and Accountability for Executing Policies and Procedures

The management team should establish responsibility and accountability for control activities with management (or other appointed employees) of the business unit or function in which the related risks reside.

Performs in a Timely Manner

Responsible personnel should undertake control activities in a timely manner, as defined by the organisation’s policies and procedures.

Takes Remedial Action

Responsible personnel should investigate and act on matters identified as a result of undertaking control activities.

Performs Using Skilled Personnel

Competent personnel with sufficient authority should perform control activities conscientiously and with ongoing focus.

Reexamines Policies and Procedures

The management team should regularly review control activities to determine their continued relevance and refresh them when needed.

SOC 2 Hub

More Resource Hub

NIST Controls For Supply Chain Risk Management
ISO 9001 Hub
NIST 800-53 Hub