The SOC 2 Security Criteria (CC1–CC9)
AICPA Trust Services Criteria · SSAE 18 attestation · Last reviewed June 2026
Direct Answer
Are the Security criteria mandatory?
The SOC 2 Security criterion — implemented through the Common Criteria CC1–CC9 — is the mandatory foundation of every SOC 2 examination, requiring an organization to protect its systems and data against unauthorized access, disclosure, and damage. Defined by the AICPA (aicpa-cima.com), it is the only one of the five Trust Services Criteria included in every report, whereas Availability, Processing Integrity, Confidentiality, and Privacy are optional add-ons chosen by customer demand. SOC 2 itself is an SSAE 18 attestation performed by a licensed CPA — an independent opinion, not a certificate.
The Foundation
What are the SOC 2 Security criteria?
The Security criteria (Common Criteria CC1–CC9) are the mandatory foundation of every SOC 2 audit. Unlike the other Trust Services Criteria (Availability, Processing Integrity, Confidentiality, Privacy), which are optional, Security is always required.
These nine criteria establish the baseline security controls that protect your systems and data. They cover everything from organizational culture (CC1) to disaster recovery (CC9).
- Mandatory for all SOC 2 reports: every SOC 2 Type 1 and Type 2 report must include the Security criteria.
- 9 Common Criteria (CC1–CC9): a comprehensive framework covering all aspects of security controls.
- Based on the COSO framework: aligned with the Committee of Sponsoring Organizations (COSO) internal control framework.
- The auditor will test each criterion: your CPA auditor will evaluate evidence for all 9 criteria during the audit.
Why Security Criteria Matter
- Enterprise requirements: Fortune 500 companies require SOC 2 Security criteria compliance.
- Risk mitigation: demonstrates a systematic approach to security risk management.
- Customer trust: independent CPA verification builds confidence with customers.
- Competitive advantage: win deals against competitors without SOC 2 compliance.
The Common Criteria
The 9 Common Criteria (CC1–CC9)
Each criterion addresses a specific aspect of security controls. Your auditor will test all nine during the SOC 2 examination.
CC1: Control Environment
The entity demonstrates a commitment to integrity and ethical values.
Key Implementation Points
- Tone at the top: leadership sets the security culture
- Code of conduct and ethics policies
- Organizational structure with clear roles
- Commitment to competence and training
- Accountability mechanisms and enforcement
CC2: Communication and Information
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
Key Implementation Points
- Security policies communicated to all employees
- Incident reporting channels established
- Regular security awareness training
- Documentation of security procedures
- Stakeholder communication protocols
CC3: Risk Assessment
The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Key Implementation Points
- Formal risk assessment process
- Identification of threats and vulnerabilities
- Risk scoring and prioritization
- Risk treatment plans and mitigation
- Regular risk reassessment (at least annually)
CC4: Monitoring Activities
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Key Implementation Points
- Continuous monitoring of security controls
- Log review and analysis
- Security metrics and KPIs
- Internal audits and assessments
- Management review of control effectiveness
CC5: Control Activities
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Key Implementation Points
- Policies and procedures documented
- Segregation of duties
- Authorization and approval workflows
- Physical and environmental controls
- Vendor and third-party management
CC6: Logical and Physical Access Controls
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.
Key Implementation Points
- Multi-factor authentication (MFA) required
- Role-based access control (RBAC)
- Least privilege principle enforced
- Access reviews (quarterly recommended)
- Physical security controls for data centers
CC7: System Operations
The entity manages the system to support the achievement of the entity's objectives, including the use of system components.
Key Implementation Points
- Capacity planning and performance monitoring
- Backup and recovery procedures
- Disaster recovery and business continuity
- System availability monitoring
- Incident response procedures
CC8: Change Management
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.
Key Implementation Points
- Formal change management process
- Change approval workflows
- Testing in non-production environments
- Rollback procedures documented
- Change documentation and tracking
CC9: Risk Mitigation
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
Key Implementation Points
- Business impact analysis (BIA)
- Disaster recovery plan (DRP)
- Business continuity plan (BCP)
- Regular testing of recovery procedures
- Incident response and crisis management
Implementation
How to Implement the Security Criteria
Documentation Requirements
- Security policies: Information Security Policy, Acceptable Use Policy, Access Control Policy
- Risk assessment: Annual risk assessment with threat identification and mitigation plans
- Procedures: Incident response, change management, backup/recovery procedures
- Evidence: Access reviews, security training records, monitoring logs
Technical Controls
- MFA everywhere: Multi-factor authentication for all production systems and admin access
- RBAC: Role-based access control with least privilege principle
- Logging: Centralized logging with retention (1 year minimum recommended)
- Encryption: Data encryption at rest and in transit (TLS 1.2+)
Organizational Controls
- Security training: Annual security awareness training for all employees
- Background checks: Pre-employment screening for employees with system access
- Vendor management: Security assessments for third-party vendors
- Incident response: Documented IR plan with defined roles and escalation
Operational Controls
- Change management: Formal approval process for production changes
- Backups: Automated daily backups with quarterly restore testing
- Monitoring: 24/7 system monitoring with alerting for security events
- Disaster recovery: DR plan with RTO/RPO defined and tested annually
From the Audit Floor
Common Mistakes to Avoid
The patterns we see derail SOC 2 examinations — and how we keep your Common Criteria evidence clean the first time.
Incomplete documentation
Missing policies, procedures, or evidence will cause audit delays or outright failures.
Fix: Build a comprehensive documentation library before the audit starts, using templates to ensure completeness.
No MFA on critical systems
Single-factor authentication is a common audit finding and a real security risk.
Fix: Implement MFA on all production systems, admin panels, and cloud infrastructure before the observation period.
Infrequent access reviews
Not reviewing user access quarterly leads to privilege creep and audit findings.
Fix: Schedule quarterly access reviews with documented approval from system owners.
Untested disaster recovery
Having a DR plan without testing it is insufficient for SOC 2 compliance.
Fix: Test disaster-recovery procedures at least annually with documented results.
No change-management process
Deploying production changes without approval or testing is a critical finding.
Fix: Implement formal change management with approval workflows and testing requirements.
Insufficient logging
Security events are not logged, or logs are retained for too short a period.
Fix: Implement centralized logging with a one-year retention minimum across authentication, authorization, and system changes.
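As an added illustration (not part of this page and not Tranquility Cybersecurity's tooling), the following Python check applies three of the thresholds above to a constructed account export and log-retention configuration: MFA on privileged accounts, access reviews no older than a quarter, and one-year log retention. The account records, field names and retention values are assumptions standing in for whatever your identity provider and log platform actually export.

```python
from datetime import date

# Constructed sample data standing in for an exported account inventory and
# the log platform's configured retention (days) per event stream.
ACCOUNTS = [
    {"user": "alice", "privileged": True,  "mfa": True,  "last_review": date(2026, 4, 2)},
    {"user": "bob",   "privileged": True,  "mfa": False, "last_review": date(2026, 4, 2)},
    {"user": "carol", "privileged": False, "mfa": True,  "last_review": date(2025, 11, 15)},
]
LOG_RETENTION_DAYS = {"authentication": 400, "authorization": 90, "system_changes": 365}
AS_OF = date(2026, 6, 1)  # constructed evaluation date

QUARTER_DAYS = 92      # quarterly access reviews (CC6 implementation point)
MIN_RETENTION = 365    # one-year log retention minimum recommended above


def mfa_findings(accounts):
    """Privileged accounts still relying on single-factor authentication."""
    return [f"CC6 MFA: {a['user']} is privileged but has no MFA"
            for a in accounts if a["privileged"] and not a["mfa"]]


def access_review_findings(accounts, today, max_age_days=QUARTER_DAYS):
    """Accounts whose last documented access review is older than a quarter."""
    return [f"CC6 access review: {a['user']} last reviewed "
            f"{(today - a['last_review']).days} days ago"
            for a in accounts if (today - a["last_review"]).days > max_age_days]


def retention_findings(retention, minimum_days=MIN_RETENTION):
    """Event streams retained for less than the one-year minimum."""
    return [f"CC6/CC7 logging: {stream} retained {days} days (< {minimum_days})"
            for stream, days in retention.items() if days < minimum_days]


def evaluate(accounts, retention, today):
    """Collect every finding; an empty list means all three checks pass."""
    return (mfa_findings(accounts)
            + access_review_findings(accounts, today)
            + retention_findings(retention))


if __name__ == "__main__":
    for finding in evaluate(ACCOUNTS, LOG_RETENTION_DAYS, AS_OF):
        print(finding)
```

Run against a real export, the finding list doubles as the evidence an auditor samples: each line names the criterion, the account or log stream, and the measured gap.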
Frequently Asked Questions
Common questions on the SOC 2 Security category and the Common Criteria CC1–CC9.
Are the Security / Common Criteria mandatory for every SOC 2 report?
Yes. The Security category — implemented through the Common Criteria CC1–CC9 — is the only Trust Services Criteria that is mandatory in every SOC 2 examination. The other four categories (Availability, Processing Integrity, Confidentiality, and Privacy) are optional add-ons a service organization selects based on customer demand. Because Security is the baseline, a SOC 2 report that scopes in only Security is sometimes called a "Security-only" or "Common Criteria" report. The criteria are published by the AICPA (https://www.aicpa-cima.com).
What are the 9 Common Criteria (CC1–CC9)?
CC1 Control Environment, CC2 Communication and Information, CC3 Risk Assessment, CC4 Monitoring Activities, and CC5 Control Activities map to the COSO internal-control framework. CC6 covers Logical and Physical Access Controls, CC7 covers System Operations, CC8 covers Change Management, and CC9 covers Risk Mitigation. Together they form the security baseline your CPA evaluates evidence against during the SOC 2 examination.
Is SOC 2 a certification?
No. SOC 2 is an attestation performed by a licensed CPA firm under the AICPA SSAE 18 standard — the auditor issues an independent opinion on whether your controls meet the Trust Services Criteria. There is no "SOC 2 certificate" or certification body; the deliverable is an attestation report (Type 1 at a point in time, or Type 2 over a period). Treating SOC 2 as a "certification" is a common but technically incorrect shorthand.
How long does it take to implement the Security criteria controls?
For most SaaS companies, implementing the Common Criteria takes roughly 3–6 months depending on your starting point. Teams that already enforce MFA, role-based access, logging, and backups move faster; teams starting from scratch should plan for 6+ months to build and operate a mature control set before a Type 2 observation window. Tranquility Cybersecurity typically delivers SOC 2 readiness for an indicative ₹2–4 lakh.
What evidence will the auditor request for the Security criteria?
Auditors request four kinds of evidence: (1) policies and procedures — information security policy, incident response plan, change-management procedure; (2) evidence of execution — access-review records, security-training logs, the annual risk assessment, change tickets; (3) system configurations — MFA settings, RBAC roles, backup schedules, monitoring alerts; and (4) testing results — disaster-recovery test results, vulnerability scans, and penetration tests. For a Type 2 report this evidence must cover the full observation period, not just a single date.