An In-Depth Guide to SOC 2 Security Common Criteria

SOC 2 common criteria featured

While typically not mandatory outside financial sectors, SOC 2 is a reliable security compliance model that any organization can follow. This can be seen in its security assessments, which include a robust list of “Common Criteria,” or broad areas of focus that any secure organization should follow. The recent revision of these criteria in 2023 serves businesses and their security partners to have a handle on what they are and what they mean for security. 

This article will cover the SOC 2 Security Common Criteria in detail and discuss what they mean for your organization and attestation.

The SOC 2 Security Common Criteria

SOC 2 common criteria

These criteria are divided into nine categories, each focusing on a specific security aspect. While each category may overlap, it’s still important to view each as a separate and critical category to follow for SOC 2 compliance. 


CC1: Organization and Management

CC1 promotes governance and management across the organization, ensuring practical and ethical values are embedded within their corporate culture and third-party relationships (and, following that, their security efforts): 

To effectively implement CC1, an organization should take several key steps:

  • Define Governance Structures: The organizational structure, roles, and lines of authority should clearly show that they allow decision-making and accountability to move through the organization.
  • Manage Third-Party Risk: Maintain a process of choosing, managing, and monitoring third-party vendors or service providers in an organization to enforce contract terms, including security and privacy compliance, and monitor third-party performance and compliance.
  • Establish Communication Channels: Ensure effective communication channels to disseminate governance, risk management, and compliance information. 
  • Monitor and Review: Regularly review and assess the effectiveness of the governance structure and management practices. This may involve internal audits, external assessments, and feedback from employees and third parties.


CC2: Communications and Information

CC2 ensures an unimpeded flow of information supporting the organization’s security efforts. It entails promoting organizational knowledge of general and role-specific information and increasing the operational efficiency of an organization’s internal control systems.

Implementing CC2 calls for a few broad steps:

  • Communication Policy: Explain how the communication policy could be developed to manage the formal structure of how information regarding the internal control system will be communicated in the organization. 
  • Identification of Information Requirements: Identify what elements are needed explicitly for the different parts of an organization to run effectively, including operational data, role-based expectations, and information on the most likely security events that will affect that organization.
  • Train and Educate: Conduct periodic training programs, workshops, and awareness programs to train and enable employees to understand the importance of effective communication and their role within the internal control systems.


CC3: Risk Assessment and Management

CC3 mainly requires that the organization implement logical risk management efforts based on the potential threats and vulnerabilities to their data and systems. 

Implementing a practical risk assessment and management process involves several key steps:

  • Establish a Risk Management Framework: Implement a framework encompassing the entire organization and addressing risks to be assessed and managed. Outline the roles and responsibilities, methodologies for assessing risk, and means of ranking an organization’s risks. 
  • Comprehensive Risk Assessment: Conduct regular risk assessments to identify threats that may befall organizational objectives. This will evolve based on the security environment, such as market trends, technological advancements, and changes in rules and regulations.
  • Review and Update Risk Management Process: Changes should necessitate essential changes in the assessment framework on an ongoing basis. 


CC4: Monitoring Activities

The objective of CC4 is to establish continuous monitoring that reasonably assures an organization understands existing or unfolding threats, changes, and potential risks to its IT infrastructure. 

Effective implementation of monitoring activities involves several critical steps:

  • Monitoring Plan Development: Develop a monitoring plan detailing what will be monitored, how monitoring will happen, and the frequency that monitoring must abide by. Also, plan out how monitoring will be embedded into existing operations. 
  • Automation: Use available technology enablers to foster continuous observation of controls. These may include security information and event management (SIEM) systems, intrusion detection systems, and compliance management software, which usually aid in automating anomaly detection and general monitoring procedures.
  • Monitor and Evaluate Controls: Regularly monitor and evaluate the effectiveness of control activities. This involves assessing whether the controls operate as intended and effectively mitigate threats. Based on this ongoing evaluation, adjustments should be made as necessary.


CC5: Control Activities

CC5 ensures that “control activities,” or the implementation and maintenance of security and privacy controls, are appropriately designed and executed to address the risks identified during risk assessment. 

Implementing practical control activities includes:

  • Maintain Access Controls: Ensure that authorized employees can access controls and that unauthorized access and tampering are blocked. 
  • Classify Control Activities: Ensure that practices and tools like encryption, data types, system sensitivity, and practices are classified and codified in organizational policies. 


CC6: Logical and Physical Access Controls

The primary purpose of CC6 is to define the physical and logical security measures used to maintain authorized access to data, processing systems, and other infrastructure. 

Implementing effective logical and physical access controls involves:

  • Classification of Assets: Identify and classify the assets based on their importance, vulnerability, etc.
  • Strong Access Control Policy: Develop in-depth access control policies that can be used to set up how accesses are granted, reviewed, and revoked. The policy shall drive logical and physical access to systems, data, and facilities.
  • Physical Access Controls: Organizations should implement locks, security badges, and biometric scanners to protect physical locations, data centers, and workstations. These controls will also include surveillance systems and alarms in all physical facilities.
  • Periodic Review of Rights: Access rights will be re-examined periodically based on employee role, employment status, or the sensitivity of information and necessarily modified.


CC7: System Operations and Availability

CC7 ensures that information systems operate securely and effectively on a systemic level to remain available to customers, employees, and auditors. 

System operations control management includes the following:

  • Development and Operational Policies: Develop and operationalize information system policies that guide the maintenance of information systems, managing staff roles and responsibilities for response, incident handling, operations, and change implementation.
  • Performance, Integrity, and Capacity Monitoring: This will include the systems deployed for checks, such as SIEM systems (Security Information and Event Management) and IDS (Intrusion Detection Systems), to check for anomalies, unauthorized access attempts, or potential security threats.
  • Redundancy: This criterion requires organizations to support their system’s ongoing resilience, including data backups, fail-over redundancies, and business continuity strategies in case of a security incident (such as ransomware). 


CC8: Change Management

The primary objective of CC8 is to ensure that all changes to information systems and related processes are assessed, authorized, documented, and implemented to minimize risks to the organization’s operations and security. 

Implementing effective change management involves several key steps:

  • Establish a Change Management Process: Develop and document a formal change management process that outlines the steps for requesting, reviewing, approving, testing, and implementing changes. 
  • Assess and Authorize Changes: No change should occur without a complete assessment and authorization of these changes via informed stakeholders and decision-makers. 
  • Test Changes Before Implementation: Always run logical or sandbox tests on system changes to ensure they are implemented correctly.
  • Document Changes and Procedures: Document all changes in detail, including the rationale, assessment findings, approval records, testing results, and implementation details. 


CC9: Risk Mitigation

The chief objective of CC9 is to require risk mitigation strategies that organizations keep on hand to address security issues. 

Implementing effective risk mitigation involves several key steps:

  • Risk Mitigation Strategy: Organizations should have a risk mitigation strategy in place to address threats at an organizational level. 
  • Select Appropriate Risk Mitigation Activities: Select the most appropriate mitigation or combination of activities for each identified risk. This selection should be based on the effectiveness of the mitigation activity in reducing the risk, the cost of implementation, and the impact on business operations.
  • Risk Mitigation Controls: Implement risk mitigation controls that support the organization’s strategy. These will often be a series of security measures implemented as part of SOC 2 or other compliance frameworks. 

Maintain a Complete View of SOC 2 Compliance with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including changes and revisions to security frameworks like SOC 2. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Continuum GRC