The AICPA's SOC-2 framework, which organisations follow to achieve SOC-2 compliance, outlines five Trust Services Principles and Criteria. The criteria are made up of 64 SOC-2 controls:
- Security Controls
- Privacy Controls
- Confidentiality Controls
- Processing Integrity Controls
- Availability Controls
Security controls, known as the common criteria, are required in every audit. Privacy, confidentiality, processing integrity and availability controls, known as the additional criteria, may also need to be implemented depending on your audit. You don't need to implement all the SOC-2 controls for your audit: the controls you need to implement depend on the Trust Services Criteria you focus on and include in the scope of your audit.
SOC-2 Controls: Common Criteria
Of the 64 SOC-2 controls, there are nine Common Criteria. Also known as the CC-Series, these SOC-2 controls are outlined below:
CC1 – Control Environment
The control environment criteria require that the organisation demonstrates a commitment to integrity and ethical values. The board of directors should show independence from management and supervise the development and performance of internal control.
Management should establish structures, reporting lines, appropriate authorities, and responsibilities with board oversight. The organisation should also be committed to attracting, developing, and retaining capable employees in alignment with its objectives.
Accountability is also key for these criteria – the organisation should be able to demonstrate how individuals are accountable for their control responsibilities.
CC2 – Communication and Information
Communication and information criteria require that your organisation or entity obtain (or generate) and use appropriate, quality information to support internal control. Internal communications should include the internal control objectives and responsibilities necessary to support the functioning of internal control.
The organisation should also communicate with external parties regarding any matters impacting the functioning of internal control.
CC3 – Risk Assessment
Your organisation should specify its objectives clearly enough to enable the identification and assessment of risks to those objectives. This includes identifying risks to achieving the objectives across the whole organisation and analysing those risks to determine how they should be managed.
You should also be able to demonstrate that your organisation considers the potential for fraud when assessing risks to achieving your objectives and identify and assess changes that could significantly impact the internal control system.
CC4 – Monitoring Activities
Your organisation should choose, develop and execute ongoing and/or separate assessments to determine whether the elements of internal control are present and operational.
The business should also evaluate and communicate any identified internal control deficiencies quickly and effectively to whomever in your organisation is responsible for taking corrective action, including senior management and the board of directors.
CC5 – Control Activities
The organisation should select and develop control activities that reduce the risks to achieving its objectives to acceptable levels. It should also select and develop general control activities over technology to support the achievement of its objectives.
Your organisation should deploy control activities through policies that outline what is expected and in procedures that put policies into action.
CC6 – Logical and Physical Access Controls
Your business or organisation must implement logical access security software, infrastructure and architectures over protected information assets, so that those assets are protected from security events and your organisation can meet its objectives.
You should register and authorise any new internal and external users whose access is administered by your organisation. This should be done prior to issuing system credentials or granting access to the system to these users. User system credentials should be removed when that user’s access is no longer authorised.
In line with this, your organisation must authorise, modify or remove access to data, software, functions and other protected information assets based on user roles and responsibilities, or on the system design and changes. In doing so, your organisation should consider the concepts of least privilege and segregation of duties in order to meet objectives.
To meet its objectives, the organisation should restrict physical access to facilities and protected information assets, e.g., data centre facilities, backup media storage, and other sensitive locations, to only authorised personnel.
Your organisation should also discontinue logical and physical protections over physical assets only after the ability to read or recover information from those assets has been diminished and is no longer required to meet objectives.
Your business should implement logical access security measures to protect against threats from sources outside your organisation’s system boundaries. It should also restrict the transmission, movement, and removal of information to authorised internal and external users and processes and protect it during those processes.
In addition, you should execute controls to prevent or detect and act upon the introduction of unauthorised or malicious software to meet your objectives.
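The CC6 requirements above (credentials removed once access is no longer authorised, access granted according to role, least privilege and segregation of duties) are what a periodic access review checks for. The script below is an added illustration, not code from the original page or from Hicomply; the role model, the authorised-user list, the accounts and the segregation-of-duties rule are all constructed for the example.

```python
"""Access-review check for CC6-style logical access controls (constructed example).

For every active account on a system it flags:
  - a credential with no matching authorisation record (should be removed),
  - permissions beyond what the user's approved role allows (least privilege),
  - a pair of permissions that one person should never hold together
    (segregation of duties).
All data below is made up for illustration.
"""

from dataclasses import dataclass, field

# Hypothetical role model: the maximum set of permissions each role may hold.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
    "finance": {"invoices:read", "invoices:write", "invoices:approve"},
}

# Hypothetical segregation-of-duties rule: no single account may hold both.
SOD_CONFLICTS = [("invoices:write", "invoices:approve")]

# Users with an approval record, as kept by the access-authorisation process (constructed).
AUTHORISED = {"alice": "developer", "bob": "support", "erin": "finance"}


@dataclass
class Account:
    username: str
    active: bool
    permissions: set = field(default_factory=set)


# Accounts as they actually exist on the system (constructed).
SYSTEM_ACCOUNTS = [
    Account("alice", True, {"repo:read", "repo:write", "ci:run"}),            # compliant
    Account("bob", True, {"tickets:read", "tickets:write", "invoices:write"}),  # excess permission
    Account("carol", True, {"repo:read"}),                                    # no approval record
    Account("dave", False, {"repo:read"}),                                    # disabled: no access
    Account("erin", True, {"invoices:read", "invoices:write", "invoices:approve"}),  # SoD conflict
]


def review_access(accounts, authorised, role_permissions, sod_conflicts):
    """Return {username: [issue, ...]} for every active account with a finding."""
    findings = {}
    for acct in accounts:
        if not acct.active:
            continue  # a disabled credential grants no access, so nothing to flag
        issues = []
        role = authorised.get(acct.username)
        if role is None:
            issues.append("unauthorised: no approval record, remove credential")
        else:
            excess = sorted(acct.permissions - role_permissions[role])
            if excess:
                issues.append("excess permissions for role %s: %s" % (role, ", ".join(excess)))
        for a, b in sod_conflicts:
            if a in acct.permissions and b in acct.permissions:
                issues.append("segregation of duties conflict: %s with %s" % (a, b))
        if issues:
            findings[acct.username] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_access(SYSTEM_ACCOUNTS, AUTHORISED, ROLE_PERMISSIONS, SOD_CONFLICTS).items():
        for issue in issues:
            print("%s: %s" % (user, issue))
```

The output of such a review, kept with the date it was run and the corrective tickets raised, is the kind of record an auditor asks for as evidence that the control operates, not just that it is written down.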
CC7 – System Operations
Your organisation should use detection and monitoring procedures to identify:
- Changes to configurations that result in the introduction of new vulnerabilities
- Susceptibilities to newly discovered vulnerabilities.
It’s also important that your organisation monitors system components and the operation of those components for anomalies that are indicative of:
- Malicious acts
- Natural disasters
- Errors affecting your organisation’s ability to meet objectives.
You should analyse anomalies to determine whether they correspond to security events.
The organisation should evaluate security events to determine whether they could result, or have resulted, in a failure to meet security objectives; if so, your organisation should take action to prevent or address those failures.
If your organisation identifies a security incident, it should respond by executing a defined incident response programme to understand, contain, remediate, and communicate the incident as appropriate. It should also identify, develop, and implement activities to recover from identified security incidents.
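The two detection needs listed under CC7 above, configuration changes that introduce new vulnerabilities and susceptibility to newly discovered vulnerabilities, can both be checked against approved reference data. The script below is an added example and not code from the original page or from Hicomply: the baseline, the current snapshot, the hardening rules, the component names and the advisory versions are all constructed for illustration.

```python
"""Configuration-drift and vulnerable-version checks for CC7-style monitoring (constructed example).

detect_drift() compares a host's current settings against the approved baseline,
reports every difference and marks those that break a hardening rule as 'weakened'.
susceptible_components() compares installed versions against a constructed
advisory list to find components below the fixed version. All data is made up.
"""

# Approved baseline as recorded after the last approved change (constructed).
BASELINE = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "sshd.Port": "22",
    "tls.min_version": "1.2",
    "audit.enabled": "yes",
}

# Snapshot pulled from the host now (constructed): two settings changed,
# one setting appeared, and audit.enabled disappeared.
CURRENT = {
    "sshd.PasswordAuthentication": "yes",  # weaker than baseline
    "sshd.PermitRootLogin": "no",
    "sshd.Port": "2222",                    # changed, not a weakening by itself
    "tls.min_version": "1.2",
    "sshd.X11Forwarding": "yes",            # not in the baseline at all
}

# Hypothetical hardening rules: setting -> the values that remain acceptable.
HARDENING_RULES = {
    "sshd.PasswordAuthentication": {"no"},
    "sshd.PermitRootLogin": {"no"},
    "tls.min_version": {"1.2", "1.3"},
    "audit.enabled": {"yes"},
}


def detect_drift(baseline, current, rules):
    """Return [(key, old, new, severity)] for every key whose value differs."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        allowed = rules.get(key)
        if allowed is None:
            severity = "review"     # no rule covers this setting: a person decides
        elif new in allowed:
            severity = "info"       # changed, but the new value is still compliant
        else:
            severity = "weakened"   # new value, or removal (new is None), breaks a rule
        findings.append((key, old, new, severity))
    return findings


# Constructed advisory feed: component -> first version that is not affected.
ADVISORIES = {"libfoo": (1, 4, 2), "barsvc": (2, 0, 0)}

# Constructed inventory of what is installed on the host.
INSTALLED = {"libfoo": "1.3.9", "barsvc": "2.1.0", "bazlib": "0.9.1"}


def parse_version(version):
    """Turn '1.3.9' into (1, 3, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def susceptible_components(installed, advisories):
    """Return the names of components whose installed version is below the fixed version."""
    return sorted(
        name for name, version in installed.items()
        if name in advisories and parse_version(version) < advisories[name]
    )


if __name__ == "__main__":
    for key, old, new, severity in detect_drift(BASELINE, CURRENT, HARDENING_RULES):
        print("%-8s %s: %r -> %r" % (severity, key, old, new))
    print("susceptible:", susceptible_components(INSTALLED, ADVISORIES))
```

Running the drift check on a schedule and feeding 'weakened' findings into the same queue as the incident response programme described above is one way to make the "analyse anomalies to determine whether they are security events" step concrete.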
CC8 – Change Management
To meet its objectives, your organisation should do the following for changes to infrastructure, data, software and procedures:
- Authorise
- Design
- Develop/acquire
- Configure
- Record
- Test
- Approve
- Execute
CC9 – Risk Mitigation
The organisation should assess and manage risks related to vendors and business partners.
SOC-2 Controls: Additional Criteria
Organisations can also add Additional Criteria to their SOC-2 audit to align with other relevant security regulations. Including these SOC-2 controls can reduce the cost and effort of the compliance process.
Based on the services they offer, the Additional Criteria recommended to businesses by the AICPA include:
A1 – Additional Criteria for Availability
Your organisation should maintain, monitor and evaluate the current processing capacity and use of system components (infrastructure, data and software) in order to manage capacity demand and to support the implementation of additional capacity to meet its objectives.
In addition, the organisation should do the following for environmental protection, software, data backup processes and recovery infrastructure:
- Authorise
- Design
- Develop or acquire
- Implement
- Operate
- Approve
- Maintain
- Monitor
It should also test recovery plan procedures supporting system recovery to meet its objectives.
C1 – Additional Criteria for Confidentiality
Your organisation should identify and maintain confidential information to meet its confidentiality objectives. You should also dispose of confidential information to meet these objectives.
PI1 – Additional Criteria for Processing Integrity
Your organisation should obtain, generate, use, or communicate relevant, quality information regarding the objectives related to processing. This includes definitions of data processed and product and service specifications, to support the use of products and services.
The organisation should implement policies and procedures over system inputs, including controls over completeness and accuracy, so that products, services and reporting meet your objectives. Policies and procedures over system processing should likewise be implemented so that products, services and reporting meet your objectives.
You also need to implement policies and procedures to make output available, or deliver it, completely, accurately and in a timely manner in accordance with specifications. Similarly, inputs, items in processing and outputs should be stored completely, accurately and in a timely manner in accordance with system specifications, to meet your objectives.
SOC-2 Controls: Additional Criteria for Privacy
P1 – Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy
The organisation or business should notify data subjects about its privacy practices to meet its privacy-related objectives. The notice should be updated and communicated to data subjects in a timely manner for changes to your organisation’s privacy practices, including changes in the use of personal information, to meet your objectives related to privacy.
P2 – Privacy Criteria Related to Choice and Consent
You should communicate choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and any consequences of each choice.
The organisation must obtain explicit consent for the collection, use, retention, disclosure, and disposal of personal information from data subjects or other authorised individuals. This consent should be obtained only for the intended purpose of the information to meet your organisation’s privacy objectives.
In addition, your organisation should document its basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information.
P3 – Privacy Criteria Related to Collection
Your organisation should collect personal information in a way that is consistent with your privacy objectives.
P4 – Privacy Criteria Related to Use, Retention, and Disposal
The business or organisation should limit the use of personal information to the purposes outlined in its privacy objectives.
P5 – Privacy Criteria Related to Access
You should grant identified and authenticated data subjects the ability to access their stored personal information for review. Upon request, your organisation should provide physical or electronic copies of that information to data subjects to meet your privacy objectives. If access is denied, data subjects must be informed of the denial and the reason for denial.
P6 – Privacy Criteria Related to Disclosure and Notification
The organisation should disclose personal information to third parties only with the explicit consent of data subjects, and that consent should be obtained prior to disclosure to meet your privacy objectives.
P7 – Privacy Criteria Related to Quality
Your organisation should collect and maintain accurate, up-to-date, complete, and relevant personal information to meet its privacy objectives.
P8 – Privacy Criteria Related to Monitoring and Enforcement
You should implement a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitor compliance to meet your privacy objectives. Corrections and other necessary actions related to identified deficiencies should be made or taken in a timely manner.
Understanding SOC-2 controls with Hicomply
We hope this information on the SOC-2 controls, particularly the Common Criteria and Additional Criteria, has been useful. If you want to learn more about the SOC-2 standard and its requirements, visit our SOC-2 hub.
Are you looking to achieve SOC-2 certification for your business? The process is simple with Hicomply—book your demo to learn more.