What Are the SOC 2 Security Criteria?
The Security criteria (Common Criteria CC1-CC9) are the mandatory foundation of every SOC 2 audit. Unlike the other Trust Service Criteria (Availability, Processing Integrity, Confidentiality, Privacy), which are optional, Security is always required.
These 9 criteria establish the baseline security controls that protect your systems and data. They cover everything from organizational culture (CC1) to disaster recovery (CC9).
Mandatory for All SOC 2 Reports
Every SOC 2 Type 1 and Type 2 report must include Security criteria
9 Common Criteria (CC1-CC9)
Comprehensive framework covering all aspects of security controls
Based on COSO Framework
Aligned with Committee of Sponsoring Organizations (COSO) internal control framework
Auditor Will Test Each Criterion
Your CPA auditor will evaluate evidence for all 9 criteria during the audit
Why Security Criteria Matter
Enterprise Requirements
Fortune 500 companies require SOC 2 Security criteria compliance
Risk Mitigation
Demonstrates systematic approach to security risk management
Customer Trust
Independent CPA verification builds confidence with customers
Competitive Advantage
Win deals against competitors that lack SOC 2 compliance
The 9 Common Criteria (CC1-CC9)
Each criterion addresses a specific aspect of security controls. Your auditor will test all 9 criteria during the SOC 2 audit.
CC1: Control Environment
The entity demonstrates a commitment to integrity and ethical values.
Key Implementation Points
- Tone at the top - leadership sets security culture
- Code of conduct and ethics policies
- Organizational structure with clear roles
- Commitment to competence and training
- Accountability mechanisms and enforcement
CC2: Communication and Information
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
Key Implementation Points
- Security policies communicated to all employees
- Incident reporting channels established
- Regular security awareness training
- Documentation of security procedures
- Stakeholder communication protocols
CC3: Risk Assessment
The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Key Implementation Points
- Formal risk assessment process
- Identification of threats and vulnerabilities
- Risk scoring and prioritization
- Risk treatment plans and mitigation
- Regular risk reassessment (at least annually)
CC4: Monitoring Activities
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Key Implementation Points
- Continuous monitoring of security controls
- Log review and analysis
- Security metrics and KPIs
- Internal audits and assessments
- Management review of control effectiveness
CC5: Control Activities
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Key Implementation Points
- Policies and procedures documented
- Segregation of duties
- Authorization and approval workflows
- Physical and environmental controls
- Vendor and third-party management
CC6: Logical and Physical Access Controls
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.
Key Implementation Points
- Multi-factor authentication (MFA) required
- Role-based access control (RBAC)
- Least privilege principle enforced
- Access reviews (quarterly recommended)
- Physical security controls for data centers
CC7: System Operations
The entity manages the system to support the achievement of the entity's objectives, including the use of system components.
Key Implementation Points
- Capacity planning and performance monitoring
- Backup and recovery procedures
- Disaster recovery and business continuity
- System availability monitoring
- Incident response procedures
CC8: Change Management
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.
Key Implementation Points
- Formal change management process
- Change approval workflows
- Testing in non-production environments
- Rollback procedures documented
- Change documentation and tracking
CC9: Risk Mitigation
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
Key Implementation Points
- Business impact analysis (BIA)
- Disaster recovery plan (DRP)
- Business continuity plan (BCP)
- Regular testing of recovery procedures
- Incident response and crisis management
How to Implement Security Criteria
Documentation Requirements
- Security policies: Information Security Policy, Acceptable Use Policy, Access Control Policy
- Risk assessment: Annual risk assessment with threat identification and mitigation plans
- Procedures: Incident response, change management, backup/recovery procedures
- Evidence: Access reviews, security training records, monitoring logs
Technical Controls
- MFA everywhere: Multi-factor authentication for all production systems and admin access
- RBAC: Role-based access control with least privilege principle
- Logging: Centralized logging with retention (1 year minimum recommended)
- Encryption: Data encryption at rest and in transit (TLS 1.2+)
Organizational Controls
- Security training: Annual security awareness training for all employees
- Background checks: Pre-employment screening for employees with system access
- Vendor management: Security assessments for third-party vendors
- Incident response: Documented IR plan with defined roles and escalation
Operational Controls
- Change management: Formal approval process for production changes
- Backups: Automated daily backups with quarterly restore testing
- Monitoring: 24/7 system monitoring with alerting for security events
- Disaster recovery: DR plan with RTO/RPO defined and tested annually
Common Mistakes to Avoid
Incomplete Documentation
Missing policies, procedures, or evidence will cause audit delays or failures.
Fix: Create a comprehensive documentation library before the audit starts. Use templates to ensure completeness.
No MFA on Critical Systems
Single-factor authentication is a common audit finding and security risk.
Fix: Implement MFA on all production systems, admin panels, and cloud infrastructure before the observation period begins.
Infrequent Access Reviews
Not reviewing user access quarterly leads to privilege creep and audit findings.
Fix: Schedule quarterly access reviews with documented approval from system owners.
Untested Disaster Recovery
Having a DR plan without testing it is insufficient for SOC 2 compliance.
Fix: Test disaster recovery procedures at least annually with documented results.
No Change Management Process
Deploying production changes without approval or testing is a critical finding.
Fix: Implement formal change management with approval workflows and testing requirements.
Insufficient Logging
Security events are not logged, or logs are retained for too short a period.
Fix: Implement centralized logging with 1-year retention minimum. Log authentication, authorization, and system changes.
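The technical controls above (MFA on production systems, quarterly access reviews, 1-year log retention, segregation of duties) are the kind of evidence an auditor samples. The following is an added example, not part of the original page or any compliance tool, showing how a team might pre-check its own evidence against those thresholds before the observation period. The account records, system names and the "change_approver"/"deployer" role conflict are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Thresholds taken from the page's guidance: quarterly access reviews,
# MFA on every production system and a 1-year minimum log retention.
ACCESS_REVIEW_MAX_AGE = timedelta(days=90)
LOG_RETENTION_MIN_DAYS = 365
# Hypothetical segregation-of-duties rule: nobody both approves and deploys changes.
CONFLICTING_ROLES = {"change_approver", "deployer"}

@dataclass
class Account:
    user: str
    roles: Set[str]
    mfa_enabled: bool
    last_access_review: Optional[date]  # None means the account was never reviewed

@dataclass
class SystemConfig:
    name: str
    production: bool
    log_retention_days: int
    accounts: List[Account]

def check_system(cfg: SystemConfig, today: date) -> List[str]:
    """Return one finding per control gap; an empty list means the system passes."""
    findings = []
    if cfg.log_retention_days < LOG_RETENTION_MIN_DAYS:
        findings.append(f"{cfg.name}: log retention {cfg.log_retention_days}d is below {LOG_RETENTION_MIN_DAYS}d")
    for acct in cfg.accounts:
        # MFA is only mandatory on production systems in this check.
        if cfg.production and not acct.mfa_enabled:
            findings.append(f"{cfg.name}/{acct.user}: MFA not enabled on production system")
        # A review older than one quarter (or none at all) indicates privilege creep risk.
        if acct.last_access_review is None or today - acct.last_access_review > ACCESS_REVIEW_MAX_AGE:
            findings.append(f"{cfg.name}/{acct.user}: access review overdue (quarterly required)")
        if CONFLICTING_ROLES <= acct.roles:
            findings.append(f"{cfg.name}/{acct.user}: holds both change approver and deployer roles")
    return findings

# Constructed sample evidence, not taken from any real environment.
SAMPLE_TODAY = date(2024, 6, 1)  # fixed "today" so the sample is reproducible
SAMPLE_SYSTEM = SystemConfig(
    name="prod-api", production=True, log_retention_days=180,
    accounts=[
        Account("alice", {"developer"}, True, date(2024, 5, 1)),
        Account("bob", {"change_approver", "deployer"}, False, None),
    ],
)
```

Running check_system(SAMPLE_SYSTEM, SAMPLE_TODAY) returns four findings: the 180-day retention gap and three gaps for bob (no MFA, never reviewed, conflicting roles).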
Frequently Asked Questions
Are Security criteria mandatory for all SOC 2 reports?
Yes. Security criteria (Common Criteria CC1-CC9) are mandatory for all SOC 2 reports, both Type 1 and Type 2. The other Trust Service Criteria (Availability, Processing Integrity, Confidentiality, Privacy) are optional and selected based on your business needs.
How long does it take to implement Security criteria controls?
For most SaaS companies, implementing Security criteria controls takes 3-6 months depending on your starting point. If you already have basic security practices (MFA, access controls, backups), you can move faster. If you're starting from scratch, expect 6+ months to build a mature security program.
What's the difference between CC6 (Logical Access) and CC7 (System Operations)?
CC6 (Logical Access) focuses on who can access your systems - authentication, authorization, MFA, RBAC, access reviews. CC7 (System Operations) focuses on how systems operate - capacity planning, backups, disaster recovery, monitoring, incident response. Both are critical but address different aspects of security.
Do I need to hire a full-time security person to meet Security criteria?
Not necessarily. Many startups and mid-market companies use a fractional CISO (vCISO) or security consultant to design and oversee their security program. Your existing engineering team can implement controls with guidance. However, someone needs to own security - whether full-time, fractional, or consultant.
What evidence will the auditor request for Security criteria?
Auditors will request: (1) Policies and procedures - security policies, incident response plans, change management procedures; (2) Evidence of execution - access review logs, security training records, risk assessments, change tickets; (3) System configurations - MFA settings, RBAC configurations, backup schedules, monitoring alerts; (4) Testing results - DR test results, vulnerability scans, penetration tests.
Can I use compliance automation tools to help with Security criteria?
Yes! Tools like Vanta, Drata, and Secureframe can automate evidence collection, continuous monitoring, and policy management for Security criteria. They integrate with your cloud infrastructure (AWS, GCP, Azure), identity providers (Okta, Google Workspace), and code repositories (GitHub, GitLab) to automatically collect evidence. However, tools don't replace good security practices - you still need to implement the controls.
Ready to Implement SOC 2 Security Criteria?
Get expert guidance on implementing all 9 Common Criteria. We've helped 500+ companies achieve SOC 2 compliance with a 98% first-time pass rate.
SOC 2 Security Criteria Services
Expert SOC 2 consulting for USA, UK, Australia markets - delivered from India with 40-60% cost savings