SOC 2: Security Controls
Common Criteria (CC1 through CC9) — required for all SOC 2 reports, whichever additional trust services categories are in scope. Controls covering the control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access, system operations, change management, and risk mitigation.
Control Environment
Commitment to integrity and ethical values is demonstrated
The organization sets the tone for security through visible leadership behaviour and documented ethi...
Board or equivalent body oversees security risk
Someone at the governance level — a board, an audit committee, or a named executive — must formally ...
Organizational structure and authority for security is defined
Employees need to know who is responsible for security decisions, who they report issues to, and who...
Commitment to competence in security is demonstrated
People with security responsibilities need to actually know how to execute them. This control requir...
Accountability for security performance is enforced
Controls only work when people are held responsible for executing them. This means performance measu...
Communication and Information
Relevant security information is obtained and used
Good security decisions require good information. The organization must have processes to gather rel...
Security information is communicated internally
Employees and relevant stakeholders need to receive security information appropriate to their role. ...
Security information is communicated to external parties
Customers, regulators, and other external parties need relevant security information to make decisio...
Risk Assessment
Security objectives are defined to enable risk identification
You cannot assess risk without first knowing what you are trying to protect. This control requires t...
Security risks are identified and analyzed
A formal risk assessment process identifies what can go wrong, how likely it is, and how severe the ...
Fraud risk is identified and assessed
Fraud risk — the risk that someone intentionally circumvents controls to misuse the system or its da...
Significant changes are assessed for security impact
Major changes to the organization, technology, or environment can invalidate existing controls or in...
Monitoring Activities
Security controls are evaluated on an ongoing basis
Controls degrade over time. People leave, configurations drift, systems change, and previously effec...
Control deficiencies are identified, evaluated, and communicated
Finding a control gap is only valuable if something is done about it. This control requires a proces...
Control Activities
Control activities are selected and developed to mitigate risks
Controls must be chosen and designed with specific risks in mind. A control that exists without a cl...
General controls over technology are selected and developed
Technology infrastructure requires its own layer of controls. This criterion addresses the foundatio...
Controls are deployed through policies and procedures
Controls that exist only in someone's head or as informal practices are not reliable. This criterion...
Logical and Physical Access
Logical access security measures restrict access to assets
Access to systems, data, and infrastructure must be restricted to authorized users only. This is the...
Access credentials are issued with appropriate authorization
New access should require explicit approval before it is granted. Access that is provisioned without...
Role-based access is used and reviewed periodically
Access permissions accumulate over time. People change roles, projects end, and permissions granted ...
Physical access to facilities and systems is restricted
Logical access controls protect systems from remote compromise, but physical access bypasses all of ...
Access is removed or modified when no longer required
Access that is not actively removed when a person leaves or changes roles becomes a standing vulnera...
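The two criteria above (periodic review of role-based access, and removal of access that is no longer required) are usually checked with the same kind of comparison: take an entitlement export from the identity provider and reconcile it against the HR roster and the approved role baselines. The script below is an added example, not part of the SOC 2 criteria text or any vendor's tooling; the roster, role baselines, entitlement export, field names and the 180-day recertification period are all constructed assumptions.

```python
"""Access recertification over an entitlement export.

Added example, not part of the SOC 2 criteria text. The roster, role
baselines and entitlement export are constructed sample data standing in
for an HR feed and an identity-provider export.
"""
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2024, 6, 1)      # constructed: the day the review runs
RECERT_DAYS = 180                   # assumed: privileged grants older than this need re-approval

# Constructed HR roster (assumed field names).
ROSTER = {
    "alice": {"role": "sre", "status": "active", "term_date": None},
    "bob": {"role": "developer", "status": "active", "term_date": None},
    "carol": {"role": "developer", "status": "terminated", "term_date": "2024-03-01"},
}

# Constructed role baselines: the entitlements each role is approved to hold.
ROLE_BASELINE = {
    "sre": {"prod-ssh", "prod-db-read", "cloud-admin"},
    "developer": {"git", "staging-ssh", "prod-db-read"},
}
PRIVILEGED = {"cloud-admin", "prod-ssh"}

# Constructed identity-provider export: (user, entitlement, date granted).
ENTITLEMENTS = [
    ("alice", "prod-ssh", "2024-02-15"),
    ("alice", "cloud-admin", "2023-11-02"),
    ("bob", "git", "2024-01-10"),
    ("bob", "cloud-admin", "2022-06-15"),   # left over from a past project
    ("carol", "git", "2023-05-20"),         # user left, access never removed
    ("dave", "prod-ssh", "2022-01-01"),     # nobody with this name on the roster
]


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str


def review_access(roster, baselines, entitlements, today, recert_days=RECERT_DAYS):
    """Return one Finding per entitlement that fails the review.

    Checks, in order: orphaned account, terminated user, entitlement outside
    the role baseline, privileged entitlement older than recert_days.
    """
    findings = []
    for user, ent, granted in entitlements:
        person = roster.get(user)
        if person is None:
            findings.append(Finding(user, ent, "no roster entry (orphaned account)"))
            continue
        if person["status"] != "active":
            findings.append(Finding(user, ent, f"user terminated on {person['term_date']}"))
            continue
        if ent not in baselines.get(person["role"], set()):
            findings.append(Finding(user, ent, f"outside {person['role']} baseline"))
            continue
        age = (today - date.fromisoformat(granted)).days
        if ent in PRIVILEGED and age > recert_days:
            findings.append(Finding(user, ent, f"privileged grant {age} days old, recertify"))
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_access(ROSTER, ROLE_BASELINE, ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user:<6} {f.entitlement:<14} {f.reason}")
```

Each finding maps to one of the criteria: orphaned and terminated accounts are removal failures, out-of-baseline grants are what a role-based review is meant to catch, and the age check turns "reviewed periodically" into a concrete deadline for privileged access. In practice the roster and the export come from the HR system and the identity provider, and the findings feed a ticket per owner rather than a printout.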
Logical access security measures protect against external threats
Systems exposed to the internet face a constant stream of automated attacks: brute force login attem...
Sensitive data is protected during transmission and storage
Data that is intercepted in transit or extracted from storage is useless to an attacker if it is enc...
Controls protect against malicious software
Malware (ransomware, trojans, spyware, and similar) represents a persistent threat to systems and data. Endpoin...
System Operations
Vulnerability management identifies and remediates security flaws
Software has vulnerabilities. New ones are discovered every day. Without a process to identify, prio...
Anomalies and security events are detected and monitored
Controls that are never tested and logs that are never reviewed provide no protection. This criterio...
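The external-threat criterion above names brute-force login attempts, and this criterion asks that such anomalies actually be detected from the logs rather than merely recorded. The detector below is an added example, not part of the SOC 2 criteria text or of any product: it walks constructed sshd-style log lines (ISO timestamp prepended, RFC 5737 documentation addresses) and keeps a sliding window of failures per source IP. The 60-second window and the thresholds of 5 failures and 3 failures-before-success are assumptions to be tuned locally.

```python
"""Brute-force and suspicious-success detection over SSH auth log lines.

Added example, not from the SOC 2 criteria text. The log lines are
constructed in the style of OpenSSH's sshd messages with an ISO timestamp
prepended; thresholds and the window size are assumptions to tune locally.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW_SECONDS = 60    # assumed: sliding window per source IP
FAIL_THRESHOLD = 5     # assumed: failures in the window that count as brute force
SUCCESS_AFTER = 3      # assumed: failures before a success that warrant review

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-06-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 52011 ssh2
2024-06-01T10:00:03 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 52012 ssh2
2024-06-01T10:00:04 sshd[813]: Failed password for invalid user oracle from 203.0.113.7 port 52013 ssh2
2024-06-01T10:00:06 sshd[814]: Failed password for root from 203.0.113.7 port 52014 ssh2
2024-06-01T10:00:08 sshd[815]: Failed password for root from 203.0.113.7 port 52015 ssh2
2024-06-01T10:00:09 sshd[816]: Failed password for root from 203.0.113.7 port 52016 ssh2
2024-06-01T10:00:12 sshd[816]: Connection closed by 203.0.113.7 port 52016 [preauth]
2024-06-01T10:00:30 sshd[820]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
2024-06-01T10:05:00 sshd[830]: Failed password for bob from 198.51.100.9 port 40100 ssh2
2024-06-01T10:05:20 sshd[831]: Failed password for bob from 198.51.100.9 port 40101 ssh2
2024-06-01T10:05:40 sshd[832]: Failed password for bob from 198.51.100.9 port 40102 ssh2
2024-06-01T10:05:55 sshd[833]: Accepted password for bob from 198.51.100.9 port 40103 ssh2
2024-06-01T11:00:00 sshd[900]: Failed password for carol from 198.51.100.4 port 40200 ssh2
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    ip: str
    at: datetime
    failures: int
    users: tuple   # usernames tried from this IP inside the window


def _users(q):
    return tuple(sorted({u for _, u in q}))


def detect(lines, window_seconds=WINDOW_SECONDS,
           fail_threshold=FAIL_THRESHOLD, success_after=SUCCESS_AFTER):
    """Walk the log in order and emit alerts.

    brute_force: failed logins from one IP inside the sliding window reach
    fail_threshold (emitted once, at the moment the threshold is hit).
    success_after_failures: a successful login from an IP that had at least
    success_after failures inside the window, the usual sign that a guessed
    or stuffed credential worked.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) for failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # lines without an auth outcome are ignored
        ts = datetime.fromisoformat(m["ts"])
        ip, user = m["ip"], m["user"]
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()             # drop failures that fell out of the window
        if m["result"] == "Failed":
            q.append((ts, user))
            if len(q) == fail_threshold:
                alerts.append(Alert("brute_force", ip, ts, len(q), _users(q)))
        elif len(q) >= success_after:
            alerts.append(Alert("success_after_failures", ip, ts, len(q), _users(q)))
            q.clear()               # the success closes this burst
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.at.isoformat()} {a.rule:<24} {a.ip:<15} failures={a.failures} users={a.users}")
```

The second rule is the one worth keeping even where the first is too noisy: a lone success after a short run of failures is what an account takeover looks like in the log, and it is exactly the event a reviewer skimming counts would miss. Firing the brute-force rule once at the threshold, rather than on every further failure, keeps an attacker from flooding the alert queue.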
Detected security incidents are evaluated and classified
Not every alert is an incident, and not every incident has the same severity. This criterion require...
Security incidents are responded to and contained
When a security incident is confirmed, the speed and quality of the response determines the ultimate...
Incidents are recovered from and resumption of operations is documented
Getting through an incident is only half the work. The other half is returning to normal operations ...
Change Management
Risk Mitigation
Risk mitigation strategies are identified and implemented
Identifying risks through the risk assessment process (CC3) is only half the work. This criterion re...
Third-party vendor risk is assessed and managed
Your security posture is only as strong as the vendors and partners you rely on. Data breaches frequ...