SOC 2 Controls Overview
| Property | Value |
|---|---|
| Document ID | FW-001 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2 Trust Services Criteria |
1. Purpose
This document provides an overview of SOC 2 Trust Services Criteria and explains how our organization addresses each control area. It serves as a reference for understanding SOC 2 requirements and our compliance approach.
2. SOC 2 Overview
2.1 What is SOC 2?
SOC 2 (System and Organization Controls 2) is an attestation framework developed by the AICPA. An independent CPA firm examines an organization's controls against the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy and issues a report on them. A SOC 2 report is an attestation, not a certification: the auditor reports on our controls, and our customers read that report to decide whether they are adequate for their purposes.
2.2 Report Types
| Type | Description | Period Covered | When to Use |
|---|---|---|---|
| Type I | Design and implementation of controls as of a single date | Point in time | First report, design validation before a Type II review period begins |
| Type II | Design and operating effectiveness of controls over a review period | Typically 3-12 months | Ongoing assurance for customers; most customer due-diligence requests expect Type II |
2.3 Trust Services Categories
| Category | Symbol | Description | Our Scope |
|---|---|---|---|
| Security | 🔒 | Protection against unauthorized access, use, or disclosure (required in every SOC 2 report) | ✅ In Scope |
| Availability | ⬆️ | Systems available for operation and use as committed | ✅ In Scope |
| Processing Integrity | ✓ | Complete, valid, accurate, timely, and authorized processing | ⬜ Not in Scope (optional category) |
| Confidentiality | 🔐 | Protection of information designated as confidential | ✅ In Scope |
| Privacy | 👤 | Collection, use, retention, disclosure, and disposal of personal information | ⬜ Not in Scope (optional category) |
Security is the only mandatory category. The other four are added to scope based on the commitments we make to customers in contracts and service descriptions, so scope should be revisited whenever those commitments change.
3. Common Criteria (CC) - Security
The Security category consists entirely of the common criteria CC1 through CC9. The common criteria also apply to every other category in scope; the Availability and Confidentiality criteria in sections 4 and 5 are additional criteria layered on top of them, not replacements for them.
CC1 - Control Environment
Demonstrates management's commitment to integrity and security.
| Criterion | Description | Our Controls |
|---|---|---|
| CC1.1 | Integrity and ethical values | Code of conduct, ethics policy |
| CC1.2 | Board oversight | Executive security committee |
| CC1.3 | Management structure | Security org structure, CISO role |
| CC1.4 | Commitment to competence | Job descriptions, training program |
| CC1.5 | Accountability | Responsibility assignments, reviews |
Evidence Required:
- Approved security policies
- Organization chart
- Job descriptions with security responsibilities
- Training completion records
- Executive meeting minutes
CC2 - Communication and Information
Ensures relevant information is communicated appropriately.
| Criterion | Description | Our Controls |
|---|---|---|
| CC2.1 | Information quality | Data governance, validation |
| CC2.2 | Internal communication | Policy distribution, security awareness |
| CC2.3 | External communication | Customer communications, public information |
Evidence Required:
- Policy acknowledgement records
- Security awareness training
- External communication procedures
- Customer-facing security documentation
CC3 - Risk Assessment
Identifies and manages risks to achieving objectives.
| Criterion | Description | Our Controls |
|---|---|---|
| CC3.1 | Risk objectives | Risk appetite statement, policy |
| CC3.2 | Risk identification | Annual risk assessment (RISK-001) |
| CC3.3 | Fraud risk assessment | Included in risk assessment |
| CC3.4 | Change identification | Change impact assessment |
Evidence Required:
- Risk register
- Risk assessment methodology
- Risk treatment plans
- Change management records
CC4 - Monitoring Activities
Evaluates control effectiveness through ongoing monitoring.
| Criterion | Description | Our Controls |
|---|---|---|
| CC4.1 | Ongoing monitoring | SIEM, logging, security dashboards |
| CC4.2 | Deficiency evaluation | Internal audits, management review |
Evidence Required:
- SIEM configuration
- Security monitoring dashboards
- Internal audit reports
- Management review minutes
- Finding remediation records
CC5 - Control Activities
Mitigates risks through policies and procedures.
| Criterion | Description | Our Controls |
|---|---|---|
| CC5.1 | Control selection | Control framework alignment |
| CC5.2 | Technology controls | Technical security controls |
| CC5.3 | Policy deployment | Policy documentation and distribution |
Evidence Required:
- Policy documentation
- Control implementation evidence
- Technical configuration evidence
CC6 - Logical and Physical Access
Restricts logical and physical access to authorized users, protects data in transit and on assets being disposed of, and guards against malicious software.
| Criterion | Description | Our Controls |
|---|---|---|
| CC6.1 | Logical access security (identification, authentication, access rules based on classification, encryption at rest) | POL-002, POL-003, POL-004, POL-005, RBAC implementation |
| CC6.2 | User registration and access authorization | PROC-001 provisioning |
| CC6.3 | Access modification and removal (including periodic review) | PROC-001 offboarding, quarterly access reviews |
| CC6.4 | Physical access to facilities and assets | Badge access, visitor procedures |
| CC6.5 | Disposal of physical assets only after data on them is unrecoverable | Secure deletion procedures (see C1.2) |
| CC6.6 | Protection against threats from outside the system boundary | POL-003, MFA requirement for external access |
| CC6.7 | Restriction and protection of data during transmission, movement, and removal | POL-004, encryption standards, TLS requirements |
| CC6.8 | Prevention and detection of unauthorized or malicious software | To be mapped before the readiness assessment |
Evidence Required:
- Access request tickets
- User access reviews (quarterly)
- Termination checklists
- IdP configuration
- MFA enrollment reports
- Encryption configurations
- TLS scan results
- Secure disposal records for decommissioned assets
CC7 - System Operations
Detects vulnerabilities, configuration changes, and anomalies, and responds to and recovers from security incidents.
| Criterion | Description | Our Controls |
|---|---|---|
| CC7.1 | Configuration change and vulnerability detection | PROC-004, scanning, patching |
| CC7.2 | Anomaly monitoring | POL-007, SIEM, alerting |
| CC7.3 | Security event evaluation | Alert rules, monitoring |
| CC7.4 | Incident response | POL-008, PROC-005 playbook |
| CC7.5 | Incident recovery | POL-009, backup/DR procedures |
Evidence Required:
- Vulnerability scan reports
- Patch remediation tickets
- SIEM alert configurations
- Incident response records
- Post-incident reviews
- Backup configurations
- DR test results
CC8 - Change Management
Authorizes, tests, and approves changes.
| Criterion | Description | Our Controls |
|---|---|---|
| CC8.1 | Change authorization | POL-006, change tickets, CAB |
Evidence Required:
- Change request tickets
- Approval records
- Testing evidence
- Deployment logs
- CAB meeting minutes
CC9 - Risk Mitigation
Mitigates risks arising from business disruptions and from vendors and business partners.
| Criterion | Description | Our Controls |
|---|---|---|
| CC9.1 | Risk mitigation activities | Risk treatment plans |
| CC9.2 | Vendor management | POL-010, vendor assessments |
Evidence Required:
- Risk treatment plans
- Vendor inventory
- Vendor security assessments
- SOC 2 report reviews
- Contract security clauses
4. Availability Criteria (A)
Ensures systems are available as committed.
| Criterion | Description | Our Controls |
|---|---|---|
| A1.1 | Capacity management and forecasting | Auto-scaling, monitoring |
| A1.2 | Environmental protections, backup, and recovery infrastructure | Backup procedures, DR site |
| A1.3 | Recovery testing | DR drills, backup restore tests |
Evidence Required:
- Capacity monitoring dashboards
- Scaling configurations
- Backup job logs
- DR test results
- RTO/RPO documentation
5. Confidentiality Criteria (C)
Protects confidential information.
| Criterion | Description | Our Controls |
|---|---|---|
| C1.1 | Confidentiality classification | POL-005 data classification |
| C1.2 | Confidential information disposal | Secure deletion procedures |
Evidence Required:
- Data classification policy
- Labeled information examples
- Secure disposal records
- DLP configurations (if applicable)
6. SOC 2 Compliance Roadmap
Phase 1: Type I Preparation (Current)
| Milestone | Status | Target Date |
|---|---|---|
| Policy documentation | ✅ Complete | Done |
| Control implementation | 🔄 In Progress | Q1 2026 |
| Evidence collection baseline | 🔄 In Progress | Q1 2026 |
| Readiness assessment | ⏳ Planned | Q2 2026 |
| Type I audit | ⏳ Planned | Q2 2026 |
Phase 2: Type II Preparation
| Milestone | Status | Target Date |
|---|---|---|
| Operating period begins | ⏳ Planned | Q3 2026 |
| Continuous evidence collection | ⏳ Planned | Q3-Q4 2026 |
| Type II audit (6-month) | ⏳ Planned | Q1 2027 |
7. Annual Compliance Calendar
| Month | Activity |
|---|---|
| January | Annual risk assessment, policy review |
| February | Security awareness training (refresher) |
| March | Q1 access review, vulnerability review |
| April | Vendor assessment planning |
| May | Penetration test |
| June | Q2 access review, DR test |
| July | Mid-year compliance review |
| August | Control self-assessment |
| September | Q3 access review, audit preparation |
| October | Internal audit |
| November | External audit (if applicable) |
| December | Q4 access review, year-end review |
8. Related Documents
- Control Mapping Matrix (RISK-004)
- ISO 27001 ISMS Overview (FW-002)
- Internal Audit Schedule (FW-003)
- Evidence & Audit Log Tracker (RISK-005)
9. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.