List of SOC 2 Controls 2025 - Detailed Control Reference Guide

Security Controls (CC)

Control Environment (CC1)

CC1.1 Preventive Medium

Code of Conduct and Ethics

The entity demonstrates a commitment to integrity and ethical values through the establishment and enforcement of a code of conduct.

Implementation Examples:

Written code of conduct addressing conflicts of interest, ethical behavior, and compliance
Annual code of conduct acknowledgment and training for all employees
Disciplinary procedures for code violations
Anonymous reporting mechanisms for ethical concerns

CC1.2 Preventive Low

Board Independence and Oversight

The board of directors or equivalent governing body demonstrates independence and exercises oversight of system design and operation.

Implementation Examples:

Independent board members or audit committee oversight
Regular board meetings addressing security and risk topics
Board charter defining security oversight responsibilities
Executive reporting on security matters to the board

CC1.3 Preventive Medium

Organizational Structure and Authority

Management establishes structures, reporting lines, and appropriate authorities to achieve the entity's objectives.

Implementation Examples:

Organizational charts with clear reporting relationships
Job descriptions defining roles and responsibilities
Delegation of authority policies and procedures
Regular review and update of organizational structure

CC1.4 Preventive Medium

Commitment to Competence

The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Implementation Examples:

Competency requirements in job descriptions
Skills assessment and training programs
Performance evaluation and development planning
Succession planning for key positions

CC1.5 Preventive Low

Accountability and Enforcement

The entity holds individuals accountable for their responsibilities in the context of the entity's objectives.

Implementation Examples:

Performance metrics tied to security objectives
Regular performance reviews and feedback
Recognition and incentive programs
Disciplinary procedures for non-compliance

Logical and Physical Access Controls (CC6)

CC6.1 Preventive High

Logical Access - User Identification and Authentication

The entity implements logical access controls to restrict access to systems, applications, and data to authorized users.

Implementation Examples:

Multi-factor authentication for all system access
Strong password policies and enforcement
Single sign-on (SSO) implementation
Account lockout after failed login attempts
Regular password rotation requirements

CC6.2 Preventive High

Logical Access - New User Setup

Prior to issuing system credentials and granting system access, the entity establishes that the user is authorized.

Implementation Examples:

Formal access request and approval process
Manager authorization for system access
Role-based access control (RBAC) implementation
Documented access provisioning procedures
Verification of employment status before access

CC6.3 Detective Medium

Logical Access - Modification and Removal

The entity modifies or removes access in a timely manner for users whose system access is no longer authorized.

Implementation Examples:

Automated deprovisioning upon termination
Regular access reviews and certifications
Timely access modification for role changes
Monitoring of inactive user accounts
HR integration for status changes

CC6.7 Preventive High

Transmission of Data and Credentials

The entity restricts the transmission of data and credentials to authorized users and systems.

Implementation Examples:

Encryption of data in transit (TLS/SSL)
Secure file transfer protocols (SFTP, HTTPS)
VPN for remote access
Certificate management and validation
Network segmentation and firewalls

CC6.8 Preventive Medium

Physical Access Controls

The entity restricts physical access to facilities and protected information assets to authorized personnel.

Implementation Examples:

Badge access control systems
Visitor management and escort procedures
Security cameras and monitoring
Secure disposal of confidential information
Environmental protection (fire, flood, climate)

System Operations (CC7)

CC7.1 Detective High

System Operations - System Quality

The entity manages systems to meet operational requirements through system quality processes.

Implementation Examples:

System performance monitoring and alerting
Capacity planning and management
Service level agreement monitoring
System availability tracking and reporting
Problem management and resolution procedures

CC7.2 Detective High

System Monitoring - Detection of Incidents

The entity uses detection tools and configuration management to prevent, detect, and correct processing deviations.

Implementation Examples:

Security Information and Event Management (SIEM)
Intrusion detection and prevention systems
Log monitoring and analysis
Vulnerability scanning and assessment
Configuration management and drift detection

CC7.3 Corrective Medium

System Operations - Response to Incidents

The entity evaluates security events to determine whether they could impact system security and responds appropriately.

Implementation Examples:

Incident response plan and procedures
Security incident escalation process
Incident classification and prioritization
Post-incident review and lessons learned
Communication procedures for incidents

CC7.4 Corrective Medium

System Operations - Recovery and Continuity

The entity implements recovery procedures for recovery from system failures to meet system availability objectives.

Implementation Examples:

Data backup and recovery procedures
Business continuity and disaster recovery plans
Recovery time and point objectives (RTO/RPO)
Regular backup testing and validation
Alternative processing site arrangements

Availability Controls (A)

System Availability

A1.1 Detective Medium

Availability - Performance and Capacity Monitoring

The entity monitors system performance and evaluates whether system capacity is adequate to meet operating requirements.

Implementation Examples:

Real-time system performance dashboards
Capacity utilization monitoring and trending
Performance threshold alerting
Regular capacity planning assessments
Service level agreement (SLA) monitoring

A1.2 Preventive High

Availability - Environmental Protections

The entity implements environmental protection controls to reduce the risk of environmental factors impacting system availability.

Implementation Examples:

Uninterruptible power supply (UPS) systems
Climate control and monitoring systems
Fire detection and suppression systems
Flood detection and mitigation measures
Redundant infrastructure components

A1.3 Corrective High

Availability - Recovery Procedures

The entity implements procedures to restore availability to meet system availability objectives when availability is compromised.

Implementation Examples:

Documented disaster recovery procedures
Regular disaster recovery testing
Alternative processing site arrangements
Automated failover mechanisms
Recovery time objective (RTO) definitions

Processing Integrity Controls (PI)

Data Processing

PI1.1 Preventive Medium

Processing Integrity - Input Completeness

The entity implements controls to ensure input data is complete and accurate for processing.

Implementation Examples:

Input validation rules and checks
Data format and range validation
Mandatory field enforcement
Duplicate record detection
Data completeness verification procedures

PI1.2 Detective Medium

Processing Integrity - Processing Completeness

The entity implements controls to ensure processing is complete and accurate.

Implementation Examples:

Batch processing controls and reconciliation
Transaction logging and audit trails
Processing error detection and handling
Data quality monitoring and reporting
Automated processing validation checks

PI1.3 Detective Low

Processing Integrity - Output Accuracy

The entity implements controls to ensure output data is accurate and complete.

Implementation Examples:

Output validation and verification procedures
Report reconciliation and balancing
Output formatting and presentation controls
Data distribution and access controls
Output retention and archival procedures

Confidentiality Controls (C)

Information Protection

C1.1 Preventive Medium

Confidentiality - Information Classification

The entity identifies and classifies confidential information to meet the entity's objectives related to confidentiality.

Implementation Examples:

Data classification policies and procedures
Information labeling and handling requirements
Data discovery and classification tools
Employee training on data classification
Regular review and update of classifications

C1.2 Preventive High

Confidentiality - Disposal of Confidential Information

The entity disposes of confidential information to meet the entity's objectives related to confidentiality.

Implementation Examples:

Secure data destruction procedures and policies
Certified disposal services for physical media
Data wiping standards for electronic media
Documentation of disposal activities
Regular disposal of outdated confidential information

Privacy Controls (P)

Privacy Management

P1.1 Preventive Low

Privacy - Privacy Notice

The entity provides notice to data subjects about privacy practices and provides choices about the use of personal information.

Implementation Examples:

Clear and comprehensive privacy notices
Opt-in and opt-out mechanisms for data processing
Cookie consent and preference management
Notice updates and user notification procedures
Multi-language privacy notice availability

P2.1 Preventive Medium

Privacy - Collection and Processing

The entity collects and processes personal information only for the purposes identified in the privacy notices.

Implementation Examples:

Purpose limitation controls and monitoring
Data minimization practices and policies
Consent management systems
Legal basis documentation for processing
Regular review of collection practices

P4.1 Corrective Medium

Privacy - Access and Correction

The entity provides data subjects with access to their personal information for review and correction.

Implementation Examples:

Subject access request procedures
Identity verification for data requests
Data portability and export capabilities
Correction and deletion request handling
Response timeframes and communication procedures

Complete List of SOC 2 Controls

Trust Service Criteria

Security Controls (CC)

Control Environment (CC1)

Code of Conduct and Ethics

Board Independence and Oversight

Organizational Structure and Authority

Commitment to Competence

Accountability and Enforcement

Logical and Physical Access Controls (CC6)

Logical Access - User Identification and Authentication

Logical Access - New User Setup

Logical Access - Modification and Removal

Transmission of Data and Credentials

Physical Access Controls

System Operations (CC7)

System Operations - System Quality

System Monitoring - Detection of Incidents

System Operations - Response to Incidents

System Operations - Recovery and Continuity

Availability Controls (A)

System Availability

Availability - Performance and Capacity Monitoring

Availability - Environmental Protections

Availability - Recovery Procedures

Processing Integrity Controls (PI)

Data Processing

Processing Integrity - Input Completeness

Processing Integrity - Processing Completeness

Processing Integrity - Output Accuracy

Confidentiality Controls (C)

Information Protection

Confidentiality - Information Classification

Confidentiality - Disposal of Confidential Information

Privacy Controls (P)

Privacy Management

Privacy - Privacy Notice

Privacy - Collection and Processing

Privacy - Access and Correction

SOC 2 Controls Summary

99+

58

5

8