Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first
Hicomply I
Hicomply app


SOC 2 CC4.1 requires that your organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning

CC4.1 highlights the following points of focus:

Considers a Mix of Ongoing and Individual Evaluations

Your organisation’s management should include a balance of continuing and separate evaluations.

Considers Rate of Change

The management team should consider the rate of change in business and business procedures when selecting and developing ongoing and individual evaluations.

Determines Baseline Understanding

The design and current state of an internal control system should be used to set up a baseline for ongoing and individual evaluations.

Uses Knowledgeable Personnel

Management should ensure that evaluators performing ongoing and individual evaluations have sufficient knowledge to understand what is being evaluated.

Integrates With Business Processes

Ongoing evaluations should be built into the business procedures and should be adjusted to changing conditions.

Adjusts Scope and Frequency

The management team should vary the scope and frequency of separate evaluations depending on risk.

Objectively Evaluates

Separate evaluations should be performed periodically to provide objective feedback.

Additional point of focus specifically related to all engagements using the trust services criteria:

Considers Different Types of Ongoing and Separate Evaluations

The management team should use a range of different types of ongoing and separate evaluations. This includes penetration testing, independent certification made against recognised specifications (e.g. ISO certifications), and internal audit assessments.


SOC 2 CC4.2 requires that your organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

CC4.2 highlights the following points of focus:

Assesses Results

Management and the board of directors, as appropriate, should assess results of ongoing and separate evaluations.

Communicates Deficiencies

Any identified deficiencies should be properly communicated to parties responsible for taking corrective action and to senior management and the board of directors as appropriate.

Monitors Corrective Action

The management team should track whether deficiencies are remedied on a timely basis.