SOC 2 Common Criteria (Security)


What Are the SOC 2® Common Criteria?

When organizations undergo a SOC 2® audit, Security is the only Trust Services Category that is mandatory. The Security category is evaluated against a structured set of criteria known as the Common Criteria, or CC-series, which appear in every SOC 2® report; the optional categories (Availability, Processing Integrity, Confidentiality, and Privacy) add their own criteria on top of them.

These nine criteria define how your organization should govern, manage, monitor, and protect systems and data. They address every phase of your internal control framework, from tone at the top to incident response. CC1 through CC5 correspond directly to the 17 principles of the COSO internal control framework; CC6 through CC9 are supplemental criteria specific to the Trust Services Criteria, and published mappings relate them to frameworks such as NIST CSF and ISO 27001.

If you’re aiming for SOC 2® readiness, understanding the Common Criteria is the first non-negotiable step; a broader understanding of what SOC 2® is will also help.

The 9 SOC 2® Common Criteria Explained

The Common Criteria are labeled CC1 through CC9. Here’s what each one covers, and why it matters:

CC1 – Control Environment

This criterion refers to your organization’s overall commitment to integrity, ethical values, and governance. It covers leadership accountability, tone at the top, and whether people across the company take security seriously.

CC2 – Communication and Information

How well does your company communicate its security policies, expectations, and responsibilities? CC2 focuses on internal and external communication channels that ensure everyone, from employees to vendors, understands how to handle sensitive data.

CC3 – Risk Assessment

CC3 evaluates how your organization identifies and analyzes risks that could affect its ability to deliver secure and reliable services. It includes evaluating external threats, internal changes, and evolving business risks.

CC4 – Monitoring Activities

Controls are only effective if you verify that they keep working. CC4 requires ongoing and periodic evaluations of your controls, whether through automated monitoring, internal reviews, or external audits, and requires that any deficiencies found are reported to the people who can fix them and are tracked to remediation.

CC5 – Control Activities

This criterion gets into the actual “doing.” What activities does your company carry out to ensure policies are followed? This includes technical safeguards like access controls, patch management, and segregation of duties.

CC6 – Logical and Physical Access Controls

Who can access your systems, and how? CC6 covers the full lifecycle of access: registering and authorizing users, authentication (e.g., MFA, SSO), granting access based on roles, removing access when it is no longer needed, protecting data in transit and at rest, and physical protection of infrastructure like servers and devices.

CC7 – System Operations

CC7 covers detection and response. It looks at whether your organization monitors for vulnerabilities and configuration changes, logs and reviews system activity to detect anomalies, identifies security incidents, and has procedures to respond to them and to recover afterward.

CC8 – Change Management

This criterion ensures that changes to systems or configurations are documented, approved, tested, and deployed safely, without introducing vulnerabilities or disrupting service.

CC9 – Risk Mitigation

Finally, CC9 addresses how you mitigate identified risks. CC9.1 covers the activities that reduce the risk of business disruption; CC9.2 covers assessing and managing the risks introduced by vendors and business partners, such as due diligence before onboarding and ongoing review of their controls.

How to Implement Common Criteria in Practice

Here’s a basic roadmap:

  1. Map out all 9 criteria. Understand what each one requires in terms of controls and documentation.

  2. Conduct a gap analysis. Identify missing policies, processes, or technical controls.

  3. Design your internal controls. These may include access logs, training policies, vendor vetting, and change tracking.

  4. Document everything. Ensure you can produce evidence for each criterion during the audit.

  5. Monitor and refine. Set up automated alerting, periodic reviews, and internal audits.
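The roadmap above ends with ongoing monitoring. As an added example (not code from the original page or from Humadroid), here is a small Python check of the kind that produces recurring evidence for the access criteria under CC6: it evaluates a user export against a stated policy and records the outcome. The user list is constructed sample data, the policy thresholds and the mapping of each check to a CC6 sub-point (CC6.1 authentication, CC6.2 removal of unneeded access, CC6.3 role-based authorization) are assumptions of this example, and `REPORT_DATE` is fixed so the result is reproducible.

```python
"""Continuous-control check for CC6 logical access (added, illustrative example).

Assumed policy (not from the page): every active account has MFA enrolled,
accounts with no login for more than 90 days are disabled, and privileged
("admin") roles carry a documented approval ticket.
"""
from dataclasses import dataclass, asdict
from datetime import date

INACTIVITY_LIMIT_DAYS = 90        # assumed policy threshold
REPORT_DATE = date(2024, 6, 1)    # fixed so the example is reproducible

# Constructed sample export; in practice this comes from your identity provider's API.
USERS = [
    {"user": "alice", "active": True,  "mfa": True,  "last_login": "2024-05-30",
     "roles": ["admin"],    "approval_ticket": "CHG-1042"},
    {"user": "bob",   "active": True,  "mfa": False, "last_login": "2024-05-28",
     "roles": ["engineer"], "approval_ticket": None},
    {"user": "carol", "active": True,  "mfa": True,  "last_login": "2024-01-15",
     "roles": ["engineer"], "approval_ticket": None},
    {"user": "dave",  "active": True,  "mfa": True,  "last_login": "2024-05-29",
     "roles": ["admin"],    "approval_ticket": None},
    {"user": "erin",  "active": False, "mfa": False, "last_login": "2023-11-01",
     "roles": ["engineer"], "approval_ticket": None},
]


@dataclass(frozen=True)
class Finding:
    criterion: str   # CC6 sub-point the check supports (assumed mapping)
    user: str
    issue: str


def evaluate_access(users, today):
    """Return the list of policy violations; an empty list is evidence the control held."""
    findings = []
    for u in users:
        if not u["active"]:
            continue  # disabled accounts are out of scope for these checks
        if not u["mfa"]:
            findings.append(Finding("CC6.1", u["user"], "MFA not enrolled on active account"))
        idle_days = (today - date.fromisoformat(u["last_login"])).days
        if idle_days > INACTIVITY_LIMIT_DAYS:
            findings.append(Finding("CC6.2", u["user"],
                                    f"no login for {idle_days} days; account should be disabled"))
        if "admin" in u["roles"] and not u["approval_ticket"]:
            findings.append(Finding("CC6.3", u["user"], "privileged role without approval ticket"))
    return findings


def run_check(users=USERS, today=REPORT_DATE):
    """Build the evidence record an auditor would ask for: when, what was checked, result."""
    findings = evaluate_access(users, today)
    return {
        "report_date": today.isoformat(),
        "accounts_in_scope": sum(1 for u in users if u["active"]),
        "pass": not findings,
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_check(), indent=2))
```

Run it on a schedule, store each JSON record with the raw export it was computed from, and you have both the CC4 monitoring evidence and a CC6 exception list that feeds remediation; a check that only prints to a terminal is not evidence.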

Need help getting started? Humadroid can help you build and monitor SOC 2 controls with automation and guidance tailored to startups and small teams.

Why Common Criteria Matter (Beyond the Audit)

  1. They form the foundation of trust. The other four Trust Services Categories are evaluated on top of the Common Criteria, so availability or privacy controls cannot be reported on without them.

  2. They align with global standards. CC1–CC9 are built on COSO and overlap substantially with ISO 27001 and NIST CSF, so control mappings between these frameworks are common and work done for one carries over.

  3. They’re audit-critical. Exceptions against any Common Criterion are reported, and significant ones lead to a qualified opinion in your SOC 2® report.

  4. They enable scalability. Getting these fundamentals right helps your business mature and avoid costly redesigns later.

FAQ

What are SOC 2 Common Criteria?

Common Criteria (CC1–CC9) are the required set of security-focused criteria that form the foundation of every SOC 2® audit. They cover governance, risk assessment, system operations, access control, and more. All organizations seeking a SOC 2® report must have controls in place that meet these criteria.

Are Common Criteria the same as the Security Trust Service Criterion?

Yes. The Security category consists entirely of the nine Common Criteria. “Security” is the category’s label in the Trust Services Criteria framework; the Common Criteria are the specific criteria used to evaluate it, and they also apply whenever any other category is included in the report.

Can I pass a SOC 2® audit without implementing all 9 Common Criteria?

No. If you’re pursuing a SOC 2® Type I or Type II report, you must implement and provide evidence for controls addressing all nine Common Criteria. A Type I report evaluates the design of those controls at a point in time; a Type II report also evaluates their operating effectiveness over a review period. Either way, the criteria are not optional and form the baseline for any valid SOC 2® audit.

Who is responsible for implementing Common Criteria in a company?

Responsibility is cross-functional. Leadership owns governance (CC1), IT and security teams manage access and systems (CC5–CC7), and compliance or operations teams ensure documentation, communication, and process adherence (CC2, CC3, CC8). Everyone plays a part.
