What Are the SOC 2® Common Criteria?
When organizations undergo a SOC 2® audit, Security is the only Trust Service Criterion that is mandatory. Within Security lies a structured set of controls known as the Common Criteria, or CC-series, which form the foundations of every SOC 2® report.
These nine criteria define how your organization should govern, manage, monitor, and protect systems and data. They address every phase of your internal control framework, from tone at the top to incident response, and are aligned with COSO, NIST, and other global standards.
If you’re aiming for SOC 2® readiness, mastering the Common Criteria is the first non-negotiable step, but a wider understanding of what SOC 2® is can also be very helpful.
The 9 SOC 2® Common Criteria Explained
The Common Criteria are labeled CC1 through CC9. Here’s what each one covers, and why it matters:
CC1 – Control Environment
This criterion refers to your organization’s overall commitment to integrity, ethical values, and governance. It covers leadership accountability, tone at the top, and whether people across the company take security seriously.
CC2 – Communication and Information
How well does your company communicate its security policies, expectations, and responsibilities? CC2 focuses on internal and external communication channels that ensure everyone, from employees to vendors, understands how to handle sensitive data.
CC3 – Risk Assessment
CC3 evaluates how your organization identifies and analyzes risks that could affect its ability to deliver secure and reliable services. It includes evaluating external threats, internal changes, and evolving business risks.
CC4 – Monitoring Activities
Controls are only effective if they’re monitored. This criterion requires regular oversight of security-related systems, processes, and team performance, whether through automated monitoring, internal reviews, or external audits.
CC5 – Control Activities
This criterion gets into the actual “doing.” What activities does your company carry out to ensure policies are followed? This includes technical safeguards like access controls, patch management, and segregation of duties.
CC6 – Logical and Physical Access Controls
Who can access your systems, and how? CC6 covers everything from user authentication (e.g., MFA, SSO) to physical protection of infrastructure like servers and devices.
CC7 – System Operations
CC7 looks at whether your organization is continuously monitoring, logging, and responding to system activity. It ensures the health, availability, and security of day-to-day operations.
CC8 – Change Management
This criterion ensures that changes to systems or configurations are documented, approved, tested, and deployed safely, without introducing vulnerabilities or disrupting service.
CC9 – Risk Mitigation
Finally, CC9 addresses how you mitigate identified risks, especially those related to vendors, third parties, and evolving technologies. It also reflects a culture of continuous improvement in your control environment.
How to Implement Common Criteria in Practice
Here’s a basic roadmap:
- Map out all 9 criteria. Understand what each one requires in terms of controls and documentation.
- Conduct a gap analysis. Identify missing policies, processes, or technical controls.
- Design your internal controls. These may include access logs, training policies, vendor vetting, and change tracking.
- Document everything. Ensure you can produce evidence for each criterion during the audit.
- Monitor and refine. Set up automated alerting, periodic reviews, and internal audits.
Need help getting started? Humadroid can help you build and monitor SOC 2 controls with automation and guidance tailored to startups and small teams.
Why Common Criteria Matter (Beyond the Audit)
- They form the foundation of trust. Without them, your systems can’t be considered secure, regardless of availability or privacy efforts.
- They align with global standards. CC1–CC9 are consistent with COSO, ISO 27001, NIST CSF, and GDPR principles.
- They’re audit-critical. Failing to meet any of the Common Criteria could jeopardize your SOC 2® report.
- They enable scalability. Getting these fundamentals right helps your business mature and avoid costly redesigns later.
FAQ
Common Criteria (CC1–CC9) are the required set of security-focused controls that form the foundation of every SOC 2® audit. They cover governance, risk assessment, system operations, access control, and more. All organizations seeking SOC 2® compliance must meet these criteria.
Yes. The Security Trust Service Criterion is built entirely on the nine Common Criteria. While “Security” is the official label in the Trust Service Criteria framework, Common Criteria is the specific structure used to evaluate it.
No. If you’re pursuing a SOC 2® Type I or Type II report, you must implement and provide evidence for all nine Common Criteria. They are not optional and form the baseline for any valid SOC 2® audit.
Responsibility is cross-functional. Leadership owns governance (CC1), IT and security teams manage access and systems (CC5–CC7), and compliance or operations teams ensure documentation, communication, and process adherence (CC2, CC3, CC8). Everyone plays a part.