SOC 2: Common Criteria for Controls Evaluation

Every SOC 2 audit encompasses from one to five categories while Security is a must-have. Learn more about how the common criteria are evaluated.

Suppose you’ve been involved in any type of SOC 2 engagement. In that case, you should be familiar with the five categories of Trust Service Criteria (formerly – Principles) –  Security, Availability, Processing Integrity, Confidentiality, and Privacy. These categories cover a set of internal controls related to different aspects of the entity’s information security and privacy program. Independent auditors assess the implementation of these controls in the scope of a SOC 2 audit. But there’s one hitch: SOC 2 neither provides a list of necessary controls nor states the minimum set of these controls to help ensure businesses meet all objectives of the audit. Instead, there is a set of Common Criteria that help evaluate the design and effectiveness of controls within the organization.

Thus, to succeed in a SOC 2 audit, you should understand what set of controls is relevant for your business as well as what criteria auditors will use to evaluate the design and effectiveness of these controls. 

Trust Service Criteria

Specific criteria for evaluating the controls for SOC 2 audits have been established by the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accounts (AICPA) – 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Every SOC 2 report can encompass from one to five criteria categories which cover a set of internal controls related to the organization’s security and/or privacy program. To understand the combination of controls necessary for a SOC 2 audit, you must first decide which of the five Trust Services Criteria categories to include. 

The first category, Security, is required to be in the scope of every SOC 2 audit. It is imperative, and organizations don’t have a choice about this one; however, they can decide whether to include other categories. In many cases, including the Security category is more than enough for your SOC 2 audit report. But remember, the SOC 2 typically covers a time span of 12 months – long enough for your business to expand to new operating horizons. So, the more categories you include, the more robust your SOC 2 report will be and the more likely it will satisfy more customers with growing expectations.

When evaluating and reporting on controls organizations have put in place, auditors use a particular set of criteria. Some of the criteria are shared among all trust service categories; the others respond to specific ones. One of the auditors’ handbooks for the evaluation process is the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. This document contains common criteria applied to all five trust service categories, and the additional specific criteria applied selectively to Availability, Processing Integrity, Confidentiality, and Privacy. 

In this article, we will cover the common criteria as well as controls related to them. 

Common Criteria

The common criteria are used for evaluating the design and effectiveness of controls related to Security. At the same time, they are also used for assessing the controls covered by the remaining trust service categories. 

We are starting with a set of controls that correspond with Security since it is obligatory for all SOC 2 engagements, and it is what the other Trust Services Criteria are based on. Security refers to protecting information during its collection or creation, use, processing, transmission, and storage. It also addresses whether the system that uses electronic information is protected (both physically and logically) against unauthorized access, system failure, incorrect processing. As such, the Security category is associated with the common controls that aim to prevent data from unauthorized access, protect against malware, detect and respond to security incidents, and other general security controls. 

CC1: Organization’s Control Environment

Based on this set of control criteria, entities must implement controls that formulate an ethical and integrity framework for all subsequent controls. Entities must demonstrate their commitments to ethical values, how the authorities and responsibilities are established, as well as how essential HR practices such as recruitment and training are implemented. Some of the questions that you need to ask yourself before the SOC 2 audit: 

  • Are the processes to hire individuals and evaluate their performance in place? 
  • Are there organization’s standards defined and understood at all levels of the entity and by outsourced service providers and business partners? 
  • Are the requirements relevant to security, availability, processing integrity, confidentiality, and privacy considered when defining authorities and responsibilities?

CC2: Communication and Information

​​The CC2 set of criteria helps evaluate the effectiveness of controls that establish the entity’s obligation in collecting, generating, and using information. These criteria are also used while assessing controls regarding the dissemination of information internally and externally. Answer these (and many other) questions before the SOC 2 audit to understand what to expect:

  • Do my organization’s information systems process and transform relevant data?
  • Are processes to communicate information to all personnel for understanding and carrying out their internal control responsibilities in place?
  • Are these processes to communicate information to third parties in place? 
  • Are data classification and handling standards developed by the company?

CC3: Risk Assessment

The CC3 control series focuses on identifying, analyzing, and treating risks to achieve the organization’s main objectives. It is also related to identifying and assessing changes that could significantly affect the system or data held in that system. To understand your organization’s performance in applying risk assessment controls, ask yourself the following: 

  • Does your entity identify and assess risk resulting from your business processes and technologies on an ongoing basis?
  • Do the risk identification procedures consider both internal and external factors?

CC4: Monitoring of Controls

The CC 4 criteria are used when assessing how entities manage the necessary controls. As such, organizations must implement policies and procedures that deal with monitoring adherence to the controls themselves and communicating control deficiencies. Some of the questions that would be useful for understanding your monitoring controls include: 

  • Do you consider the rate of change in business processes when selecting and developing ongoing evaluations?
  • Do you monitor your systems and networks for intrusion attempts and unauthorized system changes?
  • Do you take actions to resolve security incidents and control failures?

CC5: Control Activities

Auditors assess what policies and procedures exist to put the controls into practice and evaluate how the entity selects the control activities over the existing technology environment. The most important element of the CC5 is the establishment of the policies themselves and identifying how these policies are distributed to personnel. Ask yourself these questions to realize whether you are on the right way:

  • Are all your business processes that require control activities determined? 
  • Are the controls activities applied at all levels of your organization? 
  • Do you use the design and current state of an internal control system to establish a baseline for ongoing and separate evaluations?
  • Do you evaluate your controls’ performances on an ongoing basis?

One of the CC 5′ statements corresponds with the COSO principle 12. It states that the entity deploys controls activities through policies that establish what is expected and procedures that put policies into practice. This allows the common criteria to extend beyond the Security category and evaluate achieving the entity’s objectives relevant to a trust services engagement. As such, there are other control criteria that help evaluate the design and effectiveness of controls related to Security as well as to Availability, Processing Integrity, Confidentiality, and Privacy. 

CC6: Logical and Physical Access Controls 

The CC6 series is by far the biggest section of controls within the Trust Services Criteria. It deals with policies and procedures related to access controls. Specifically, these criteria evaluate the design and effectiveness of controls in regards to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access. Some of the questions to ask yourself in regards to meeting these control criteria include:

  • Are your information assets identified, classified, and managed properly?
  • Do you have proper Identification and authentication mechanisms in place for individuals and systems accessing entity information, infrastructure, and software?
  • Is physical and logical access to your facilities and systems formally managed?
  • Do you use encryption to supplement other measures used to protect data at rest?

CC 7: System Operations 

Using the CC7 criteria, auditors evaluate the entity’s security architecture regarding how it manages the operation of the system and detects/mitigates logical and physical processing deviations. When evaluating your system operation controls, ask yourself the following:

  • Do you monitor infrastructure and software for noncompliance with the standards?
  • Do you monitor system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives?
  • Do you conduct vulnerability scans designed to identify potential vulnerabilities or misconfigurations periodically and after any significant change in the environment?

CC8:  Change Management 

The criteria help to evaluate a series of controls relevant to how an organization identifies the need for changes to infrastructure, data, software, and procedures to meet its objectives. They also help evaluate how the entity makes changes using a controlled change management process and prevents unauthorized changes from being made. The main question being asked yourself in this regard is:

  • Does your organization authorize, design, develop, configure, document, approve and implement changes to infrastructure, data, software, and procedures to meet its objectives?

CC 9: Risk Mitigation

The CC6 criteria are used to evaluate how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners. The common questions include:

  • Do you identify, select, and develop risk mitigation activities for risks arising from potential business disruptions?
  • Are identified risks reported to the appropriate level of authority and risk mitigation plans are developed, implemented, and monitored?

Remember that the list of questions for evaluating each of the control categories is much bigger than that mentioned above. We, however, provide only the orienting points to choose the right direction for your SOC 2 audit readiness. 

To Conclude

Thus, the Common Criteria fully cover the Security category and implicitly evaluate the Availability, Processing Integrity, Confidentiality, and Privacy. In many cases, this is more than enough to undergo a SOC 2 audit. However, if the entity’s objectives require extending beyond evaluating the security category, then additional specific criteria are necessary to use. 

This SOC 2 auditing scenario, however,  will be discussed in one of the future articles. 

If some questions regarding the common criteria or other aspects of the SOC 2 audit report are still unanswered, do not hesitate and contact our Planet 9 team. We’ll be happy to assist!



Phone:  888-437-3646


Leave a Reply