August 30, 2023

SOC 2 Controls CC5: Control Activities

The fifth SOC 2 requirement in the Common Criteria (CC) series is Control Activities. It covers how your organisation selects, develops and deploys the controls that reduce the risks identified in its risk assessment to an acceptable level.


CC5.1

SOC 2 CC5.1 requires that your organisation selects and develops control activities that contribute to mitigating risks to achieving objectives to acceptable levels.

CC5.1 highlights the following points of focus:

Integrates With Risk Assessment

Your organisation’s control activities should help ensure that the risk responses chosen to address and mitigate identified risks are actually carried out.

Considers Organisation-Specific Factors

The management team should consider how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of the organisation, affect the selection and development of control activities.

Determines Appropriate Business Processes

Your management team should determine which relevant business procedures require control activities.

Considers a Mix of Control Activity Types

Your organisation’s control activities should include a range of controls and a balance of approaches to mitigate risks. This may include considering both manual and automated controls and preventive and detective controls.

Considers at What Level Activities Are Applied

The management team should consider control activities at multiple levels in the organisation.

Addresses Segregation of Duties

Your management team should separate incompatible duties, and where such separation is not practical, management should select and develop alternate control activities.

CC5.2

SOC 2 CC5.2 requires that your organisation selects and develops general control activities over technology to support achieving objectives.

CC5.2 highlights the following points of focus:

Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls

The management team should understand and establish the dependency and connection between business processes, automated control activities, and general technology controls.

Determines Relevant Technology Infrastructure Control Activities

Management should select and develop control activities over the technology infrastructure. These control activities should be designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.

Establishes Appropriate Security Management Process Control Activities

The management team should select and develop control activities that are designed and implemented to restrict technology access rights to authorised users in line with their job responsibilities and to protect your organisation’s assets from external threats.

Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

Management should select and develop control activities pertaining to the acquisition, development, and maintenance of technology and its infrastructure to achieve the management team’s objectives.

CC5.3

SOC 2 CC5.3 requires that your organisation deploys control activities through policies that establish what is expected and through procedures that put those policies into action.

CC5.3 highlights the following points of focus:

Creates Policies and Procedures to Support Implementation of Management’s Directives

Management should establish control activities that are built into business procedures as well as employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.

Establishes Responsibility and Accountability for Executing Policies and Procedures

The management team should establish responsibility and accountability for control activities with management (or other appointed employees) of the business unit or function in which the related risks reside.

Performs in a Timely Manner

Responsible personnel should undertake control activities in a timely manner, as defined by the organisation’s policies and procedures.

Takes Remedial Action

Responsible personnel should investigate and act on matters identified as a result of performing control activities.

Performs Using Skilled Personnel

Competent personnel with sufficient authority should perform control activities conscientiously and with ongoing focus.

Reexamines Policies and Procedures

The management team should regularly review control activities to determine their continued relevance and refresh them when needed.
