All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base
Company Security and customers first
About News Partners Careers Contact
Hicomply I
Hicomply app
Solutions Get a demo

CC1.1

SOC 2 CC1.1 requires that the organisation demonstrates a commitment to integrity and ethical values.

CC1.1 highlights the following points of focus:

Sets the Tone at the Top

Your board of directors and management should demonstrate the importance of integrity and ethical values to support the functioning of the system of internal control, whether this be through their directives, actions or conduct.

Establishes Standards of Conduct

Your organisation’s standards of conduct convey and define the expectations of the board of directors and senior management when it comes to integrity and ethical values. This should be understood throughout the organisation, as well as by service providers and business partners.

Assesses Adherence to Standards of Conduct

Processes must be in place to evaluate the performance of people and teams against the organisation’s standards of conduct.

Addresses Deviations in a Timely Manner

Any deviations from the entity’s expected standards of conduct should be identified and resolved quickly and consistently.

An additional point of focus specifically related to all engagements using the trust services criteria:

Considers Contractors and Vendor Employees in Demonstrating Its Commitment

When establishing standards of conduct, your management team and the board of directors should consider the use of contractors and vendor employees in the organisation’s processes. They should also evaluate adherence to those standards and address deviations quickly and consistently.

CC1.2

Your board of directors should demonstrate independence from management and exercise oversight of the development and operation of internal control.

CC1.2 highlights the following points of focus:

Determines Oversight Responsibilities

Your board of directors should recognise and accept its oversight responsibilities in line with your established requirements and expectations.

Applies Relevant Expertise

Your board of directors should define, maintain, and regularly evaluate the skills and expertise needed among its members to enable them to ask probing questions of senior management and take appropriate action.

Operates Independently

To ensure objective evaluations and decision-making, your board of directors should have sufficient members who are independent from management.

Additional point of focus specifically related to all engagements using the trust services criteria:

Supplements Board Expertise

As needed, your board of directors should supplement its expertise relevant to security, availability, processing integrity, confidentiality, and privacy. This may be through the use of a subcommittee or consultants.

CC1.3

With board oversight, your management team should establish structures, reporting lines, and appropriate authorities and responsibilities.

CC1.3 highlights the following points of focus:

Takes Into Account All Structures of the Business

Management and the board of directors should consider the organisation’s multiple structures to support the achievement of objectives. This includes:

  • Operating units
  • Legal entities
  • Geographic distribution
  • Outsourced service providers

Generates Reporting Lines

Your management team should design and assess lines of reporting for each organisational structure to enable execution of authorities and responsibilities and flow of information.

Outlines, Assigns, and Controls Authorities and Responsibilities

Management and the board of directors should delegate authority, outline responsibilities, and use appropriate processes and technology to allocate responsibility and separate out duties at the various levels of the organisation.

Additional points of focus specifically related to all engagements using the trust services criteria:

Addresses Specific Requirements When Defining Authorities and Responsibilities

Your board of directors and management team should consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when identifying authorities and responsibilities.

Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities

Management and the board of directors should consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities and responsibilities.

CC1.4

Your organisation should demonstrate a commitment to attract, develop, and retain competent individuals in alignment with your objectives.

CC1.4 highlights the following points of focus:

Establishes Policies and Practices

Policies and practices reflect expectations of competence necessary to support the achievement of objectives.

Evaluates Competence and Addresses Shortcomings

The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.

Attracts, Develops, and Retains Individuals

To achieve its objectives, your organisation should offer the mentoring and training needed to attract, develop, and retain capable personnel and outsourced service providers.

Plans and Prepares for Succession

Your senior management team and the board of directors should develop contingency plans for assignments of responsibility important for internal control.

Additional points of focus:

Considers the Background of Individuals

The organisation should consider the background of prospective and current employees, contractors, and vendors when determining whether to employ and retain them.

Considers the Technical Competency of Individuals

Your organisation should consider the technical competency of prospective and current employees, contractors, and vendors when determining whether to employ and retain them.

Provides Training to Maintain Technical Competencies

The business should provide training programmes to ensure skill sets and technical competency of current employees, contractors, and vendors are established and maintained.

CC1.5

Your organisation should hold individual employees accountable for their internal control responsibilities, in line with your objectives.

CC1.5 highlights the following points of focus:

Ensures Culpability Through Structures, Authorities, and Responsibilities

Your organisation’s board of directors and management team should establish the processes to convey and hold people responsible for performance of internal control responsibilities. They should also undertake remedial action if needed.

Creates Performance Measures and Incentives

The management team and board of directors should establish methods of measuring performance as well as incentives and rewards appropriate for responsibilities at all levels. This should reflect appropriate dimensions of performance and expected standards of conduct, and consider the success of short-term and long-term goals.

Evaluates Performance Measures and Incentives for Continuing Relevance

Your organisation’s management team and board of directors should align incentives and any rewards with the fulfillment of internal control obligations.

Considers Excessive Demands

The senior team should evaluate and adjust pressures associated with the achievement of objectives as they allocate responsibilities, develop performance measures, and assess performance.

Assesses Implementation and Rewards or Disciplines Individuals

Your board of directors and management team should assess performance of internal control duties, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as needed.