
SOC-2 CC1: Control Environment

The first SOC-2 requirement in the CC-Series is Control Environment.

CC1.1

SOC 2 CC1.1 requires that the organisation demonstrates a commitment to integrity and ethical values.

CC1.1 highlights the following points of focus:

Sets the Tone at the Top

Your board of directors and management should demonstrate the importance of integrity and ethical values in supporting the functioning of the system of internal control through their directives, actions, or conduct.

Establishes Standards of Conduct

Your organisation’s standards of conduct convey and define the expectations of the board of directors and senior management regarding integrity and ethical values. This should be understood throughout the organisation, as well as by service providers and business partners.

Assesses Adherence to Standards of Conduct

Processes must be in place to evaluate the performance of people and teams against the organisation’s standards of conduct.

Addresses Deviations in a Timely Manner

Any deviations from the entity’s expected standards of conduct should be identified and resolved quickly and consistently.

An additional point of focus specifically related to all engagements using the trust services criteria:

Considers Contractors and Vendor Employees in Demonstrating its Commitment

When establishing standards of conduct, your management team and the board of directors should consider the use of contractors and vendor employees in the organisation’s processes. They should also evaluate adherence to those standards and address deviations quickly and consistently.

CC1.2

Your board of directors should demonstrate independence from management and exercise oversight of the development and operation of internal control.

CC1.2 highlights the following points of focus:

Determines Oversight Responsibilities

Your board of directors should recognise and accept its oversight responsibilities in line with your established requirements and expectations.

Applies Relevant Expertise

Your board of directors should define, maintain, and regularly evaluate the skills and expertise needed among its members to enable them to ask probing questions of senior management and take appropriate action.

Operates Independently

To ensure objective evaluations and decision-making, your board of directors should have sufficient members independent from management.

An additional point of focus specifically related to all engagements using the trust services criteria:

Supplements Board Expertise

Your board of directors should supplement its expertise relevant to security, availability, processing integrity, confidentiality, and privacy as needed. This may be done through a subcommittee or consultants.

CC1.3

With board oversight, your management team should establish structures, reporting lines, and appropriate authorities and responsibilities.

CC1.3 highlights the following points of focus:

Takes into Account All Structures of the Business

Management and the board of directors should consider the organisation’s multiple structures to support achieving objectives. This includes:

  • Operating units
  • Legal entities
  • Geographic distribution
  • Outsourced service providers

Generates Reporting Lines

Your management team should design and assess reporting lines for each organisational structure to enable the execution of authorities and responsibilities and the flow of information.

Outlines, Assigns, and Controls Authorities and Responsibilities

Management and the board of directors should delegate authority, outline responsibilities, and use appropriate processes and technology to allocate responsibility and separate duties at the various levels of the organisation.

Additional points of focus specifically related to all engagements using the trust services criteria:

Addresses Specific Requirements When Defining Authorities and Responsibilities

When identifying authorities and responsibilities, your board of directors and management team should consider security, availability, processing integrity, confidentiality, and privacy requirements.

Considers Interactions with External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities

Management and the board of directors should consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities and responsibilities.

CC1.4

Your organisation should demonstrate a commitment to attract, develop, and retain competent individuals in alignment with your objectives.

CC1.4 highlights the following points of focus:

Establishes Policies and Practices

Policies and practices reflect expectations of competence necessary to achieve objectives.

Evaluates Competence and Addresses Shortcomings

The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.

Attracts, Develops, and Retains Individuals

To achieve its objectives, your organisation should offer the mentoring and training needed to attract, develop, and retain capable personnel and outsourced service providers.

Plans and Prepares for Succession

Your senior management team and the board of directors should develop contingency plans for important responsibility assignments that affect internal control.

Additional points of focus:

Considers the Background of Individuals

The organisation should consider the background of prospective and current employees, contractors, and vendors when determining whether to employ and retain them.

Considers the Technical Competency of Individuals

Your organisation should consider the technical competency of prospective and current employees, contractors, and vendors when determining whether to employ or retain them.

Provides Training to Maintain Technical Competencies

The business should provide training programmes to ensure that the skillsets and technical competency of current employees, contractors, and vendors are established and maintained.

CC1.5

Your organisation should hold individual employees accountable for their internal control responsibilities, per your objectives.

CC1.5 highlights the following points of focus:

Ensures Culpability Through Structures, Authorities, and Responsibilities

Your organisation’s board of directors and management team should establish the processes to convey and hold people responsible for performing internal control responsibilities. They should also undertake remedial action if needed.

Creates Performance Measures and Incentives

The management team and board of directors should establish methods of measuring performance, incentives, and rewards appropriate for responsibilities at all levels. This should reflect appropriate dimensions of performance and expected standards of conduct and consider the success of short-term and long-term goals.

Evaluates Performance Measures and Incentives for Continuing Relevance

Your organisation’s management team and board of directors should align incentives and rewards with fulfilling internal control obligations.

Considers Excessive Demands

The senior team should evaluate and adjust pressures associated with achieving objectives as they allocate responsibilities, develop performance measures, and assess performance.

Assesses Implementation and Rewards or Disciplines Individuals

Your board of directors and management team should assess the performance of internal control duties, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as needed.