SOC 2 Security Controls
Version 2017
SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA based on the Trust Services Criteria. It evaluates controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. Security (Common Criteria) is required for all SOC 2 reports.
Total controls: 38
Critical priority: 8
Est. implementation: 342h
Trust service categories: 3
Trust Services Criteria published by the American Institute of CPAs (AICPA). Criterion descriptions and implementation guidance authored by AuditRubric.
Security
33 controls. Common Criteria (CC) — required for all SOC 2 reports. Controls covering the control environment, risk assessment, monitoring, logical and physical access, system operations, change management, and risk mitigation.
Control Environment
Commitment to integrity and ethical values is demonstrated
Board or equivalent body oversees security risk
Organizational structure and authority for security is defined
Commitment to competence in security is demonstrated
Accountability for security performance is enforced
Communication and Information
Risk Assessment
Monitoring Activities
Control Activities
Logical and Physical Access
Logical access security measures restrict access to assets
Access credentials are issued with appropriate authorization
Role-based access is used and reviewed periodically
Physical access to facilities and systems is restricted
Access is removed or modified when no longer required
Logical access security measures protect against external threats
Sensitive data is protected during transmission and storage
Controls protect against malicious software
System Operations
Vulnerability management identifies and remediates security flaws
Anomalies and security events are detected and monitored
Detected security incidents are evaluated and classified
Security incidents are responded to and contained
Incidents are recovered from and resumption of operations is documented
Availability
3 controls. Additional criteria for organizations that commit to availability of their systems. Covers capacity management, environmental protections, and recovery planning.
Confidentiality
2 controls. Additional criteria for organizations that handle confidential information. Covers identification, protection, and disposal of confidential data.