SOC 2 Type 1: Security

SOC 2 Common Criteria (Security) refers to the mandatory security category within the SOC 2 Trust Services Criteria (TSC) framework, which evaluates how an organization protects its systems and data from unauthorized access and disclosure.

Controls:

The entity demonstrates a commitment to integrity and ethical values.

  • Sets Tone at the Top - CC1.1.POF1

  • Establishes Standards of Conduct - CC1.1.POF2

  • Evaluates Adherence to Standards - CC1.1.POF3

The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

  • Establishes Oversight Responsibilities - CC1.2.POF1

  • Exercises Oversight - CC1.2.POF2

Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

  • Establishes Structures and Reporting Lines - CC1.3.POF1

  • Defines and Assigns Responsibilities - CC1.3.POF2

  • Defines Responsibilities of Oversight Bodies - CC1.3.POF3

The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

  • Establishes Policies and Practices for Competence - CC1.4.POF1

  • Evaluates Competence and Addresses Shortcomings - CC1.4.POF2

The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

  • Enforces Accountability - CC1.5.POF1

  • Establishes Performance Measures and Incentives - CC1.5.POF2

The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

  • Identifies Information Requirements - CC2.1.POF1

  • Captures Internal and External Data - CC2.1.POF2

  • Processes Data into Quality Information - CC2.1.POF3

The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

  • Communicates Internal Control Information - CC2.2.POF1

  • Provides Dedicated Communication Lines - CC2.2.POF2

The entity communicates with external parties regarding matters affecting the functioning of internal control.

  • Communicates with External Parties - CC2.3.POF1

  • Provides Dedicated External Communication Lines - CC2.3.POF2

The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

  • Specifies Objectives - CC3.1.POF1

  • Defines Risk Tolerances - CC3.1.POF2

  • Specifies Objectives for External Service Providers - CC3.1.POF3

The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

  • Identifies Risks - CC3.2.POF1

  • Involves Relevant Personnel in Risk Identification - CC3.2.POF2

  • Considers Risk at the Service-Provider Level - CC3.2.POF3

The entity considers the potential for fraud in assessing risks to the achievement of objectives.

  • Considers Types of Fraud - CC3.3.POF1

  • Considers Fraud Risk Factors - CC3.3.POF2

The entity identifies and assesses changes in the internal and external environment that could significantly impact the system of internal control.

  • Identifies and Assesses Changes - CC3.4.POF1

  • Assesses Changes in Management - CC3.4.POF2

The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

  • Performs Ongoing and Separate Evaluations - CC4.1.POF1

  • Uses Knowledgeable Personnel for Evaluations - CC4.1.POF2

The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

  • Evaluates and Communicates Deficiencies - CC4.2.POF1

  • Monitors Corrective Action - CC4.2.POF2

The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

  • Integrates Control Activities with Risk Assessment - CC5.1.POF1

  • Considers Entity-Specific Factors - CC5.1.POF2

The entity selects and develops general control activities over technology to support the achievement of objectives.

  • Addresses Technology Infrastructure - CC5.2.POF1

  • Addresses Security, Availability, Confidentiality, and Privacy - CC5.2.POF2

The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.

  • Establishes Policies and Procedures - CC5.3.POF1

The entity implements logical access security measures to protect against threats to the system.

  • Implements Logical Access Security Measures - CC6.1.POF1

  • Manages Issuance of Credentials - CC6.1.POF2

  • Authorizes, Modifies, and Removes Access - CC6.1.POF3

The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to protect against threats to the system.

  • Restricts Physical Access - CC6.2.POF1

  • Authorizes, Modifies, and Removes Physical Access - CC6.2.POF2

The entity implements controls to protect data from unauthorized access, use, and disclosure during its transmission, storage, and processing.

  • Protects Data at Rest and in Transit - CC6.3.POF1

  • Disposes of Data - CC6.3.POF2

The entity protects information not classified as confidential or restricted from unauthorized alteration.

  • Protects Publicly Available Information - CC6.4.POF1

  • Authorizes and Manages Public Postings - CC6.4.POF2

The entity implements controls to classify information assets to determine the appropriate level of protection.

  • Classifies Data - CC6.5.POF1

  • Applies Controls Based on Classification - CC6.5.POF2

The entity implements logical access security measures to protect the transmission of data.

  • Implements Network Security Measures - CC6.6.POF1

  • Performs Vulnerability Scans - CC6.6.POF2

  • Protects Against Malware - CC6.6.POF3

  • Performs Penetration Tests - CC6.6.POF4

The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software.

  • Prevents Unauthorized Software - CC6.7.POF1

  • Configures Secure Baselines - CC6.7.POF2

The entity restricts logical access to protected information assets to authorized personnel.

  • Restricts Access Based on Role - CC6.8.POF1

The entity monitors system components and the operation of the system for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.

  • Monitors System Components - CC7.1.POF1

  • Manages Physical and Environmental Monitoring - CC7.1.POF2

  • Monitors External Service Providers - CC7.1.POF3

The entity detects changes to system components (for example, data, software, and infrastructure) that are not authorized, in accordance with the entity's change management process, to meet its objectives.

  • Detects Changes - CC7.2.POF1

The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate the security incident.

  • Evaluates and Responds to Security Incidents - CC7.3.POF1

  • Handles Incidents from External Parties - CC7.3.POF2

The entity identifies and addresses vulnerabilities in its systems, including those in third-party components, arising from internal and external sources (for example, security researchers, software vendors, or regulators).

  • Identifies and Responds to Vulnerabilities - CC7.4.POF1

  • Defines and Implements Remediation Activities - CC7.4.POF2

The entity performs, monitors, and tests backup and recovery procedures for data, software, and infrastructure for impacted systems and takes corrective action.

  • Performs Backup and Recovery - CC7.5.POF1

The entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes to the system.

  • Authorizes and Manages Changes - CC8.1.POF1

  • Applies Segregation of Duties in Changes - CC8.1.POF2

  • Tests Changes - CC8.1.POF3

  • Implements Changes - CC8.1.POF4

The entity identifies, selects, and develops risk mitigation activities.

  • Identifies and Mitigates Risks - CC9.1.POF1

  • Considers Business Context in Mitigation - CC9.1.POF2

The entity assesses and manages risks associated with vendors and business partners.

  • Assesses Vendor Risks - CC9.2.POF1

  • Includes Risk Requirements in Contracts - CC9.2.POF2

  • Monitors Vendor Risk - CC9.2.POF3