Understanding Control Breakdowns in Humadroid


What Are Sub-Controls?

Think of SOC 2 controls as high-level security objectives your organization needs to achieve. Traditionally, these controls are broad statements like “The entity demonstrates a commitment to integrity and ethical values” (CC1.1). While this captures the intent, it doesn’t tell you exactly how to implement it.

Sub-controls break these broad requirements into specific, actionable components. Instead of one vague requirement, you get clear, manageable tasks that your team can actually execute and track.

A Practical Example

Let’s take CC1.1 – the integrity and ethical values control. Without sub-controls, you’d need to figure out yourself what evidence to provide. With our breakdown feature, this becomes:

CC1.1.1 – Code of Conduct Documentation

  • Create and maintain your code of conduct
  • Track annual reviews and updates
  • Document board approvals

CC1.1.2 – Employee Acknowledgments

  • Collect signed acknowledgments from all employees
  • Track annual recertifications
  • Maintain HR records

CC1.1.3 – Ethics Training Program

  • Deliver ethics training to new hires
  • Conduct annual refresher training
  • Track completion rates

CC1.1.4 – Violation Response Procedures

  • Document how violations are reported
  • Track investigations and outcomes
  • Ensure consistent enforcement

Now your compliance team knows exactly what to implement, and auditors can assess each component individually.

Implementation Architecture

We’ve built this feature with flexibility at its core. The system maintains a hierarchical structure where parent controls can be broken down into sub-controls, but we limit nesting to one level to prevent unnecessary complexity.

For AI-assisted projects, we leverage machine learning to generate context-specific sub-controls based on your organization’s size, industry, and risk profile. The AI analyzes the control objective and produces tailored breakdowns that match your operational reality. These suggestions are cached to ensure consistent performance.

For standard compliance projects, we provide pre-configured sub-control templates based on industry best practices and common auditor expectations. These templates are refined from successful SOC 2 audits across various organization sizes.

The system intelligently handles the transition – existing evidence on parent controls remains valid (we call these “legacy controls”), while new implementations direct evidence collection to the appropriate sub-control level. Assessment results automatically roll up from sub-controls to their parent, maintaining a clear compliance picture at both detailed and summary levels.
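The paragraphs above describe three rules: parent controls split into sub-controls with nesting capped at one level, evidence already on a parent stays valid as “legacy” while new evidence goes to the sub-control, and assessment results roll up from sub-controls to the parent. The following Python model is an added illustration of those rules, not Humadroid’s own code; the class names, the status values, the roll-up policy (any failed sub-control fails the parent, all complete completes it) and the sample evidence strings are assumptions chosen for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(Enum):
    """Assumed assessment states for a control or sub-control."""
    NOT_STARTED = "not_started"
    IN_PROGRESS = "in_progress"
    COMPLETE = "complete"
    FAILED = "failed"


@dataclass
class Control:
    control_id: str
    title: str
    status: Status = Status.NOT_STARTED
    evidence: list[str] = field(default_factory=list)
    parent: Optional[Control] = None
    children: list[Control] = field(default_factory=list)
    # Set when a parent that already held evidence is broken down; that
    # evidence stays valid but no new evidence may be attached to the parent.
    legacy: bool = False


def break_down(parent: Control, subs: list[Control]) -> None:
    """Attach sub-controls to a parent, enforcing a single level of nesting."""
    if parent.parent is not None:
        raise ValueError(f"{parent.control_id} is already a sub-control; nesting is limited to one level")
    for sub in subs:
        if sub.children:
            raise ValueError(f"{sub.control_id} has its own sub-controls; nesting is limited to one level")
        sub.parent = parent
        parent.children.append(sub)
    if parent.evidence:
        parent.legacy = True  # pre-existing evidence is retained as legacy evidence


def attach_evidence(control: Control, item: str) -> None:
    """New evidence must land on the most specific level available."""
    if control.children:
        raise ValueError(f"{control.control_id} has sub-controls; attach evidence to the relevant sub-control")
    control.evidence.append(item)


def roll_up(control: Control) -> Status:
    """Derive a parent's status from its sub-controls (assumed policy)."""
    if not control.children:
        return control.status
    child_statuses = [roll_up(c) for c in control.children]
    if any(s is Status.FAILED for s in child_statuses):
        return Status.FAILED
    if all(s is Status.COMPLETE for s in child_statuses):
        return Status.COMPLETE
    if all(s is Status.NOT_STARTED for s in child_statuses):
        return Status.NOT_STARTED
    return Status.IN_PROGRESS


def evidence_view(control: Control) -> dict[str, list[str]]:
    """Auditor-facing map: legacy evidence on the parent plus evidence per sub-control."""
    view = {control.control_id: list(control.evidence)}
    for c in control.children:
        view[c.control_id] = list(c.evidence)
    return view


def build_cc1_1() -> Control:
    """Build the CC1.1 breakdown from the article, with constructed legacy evidence."""
    cc11 = Control("CC1.1", "Commitment to integrity and ethical values")
    cc11.evidence.append("code-of-conduct-2023.pdf (collected before breakdown)")  # constructed sample
    break_down(cc11, [
        Control("CC1.1.1", "Code of Conduct Documentation"),
        Control("CC1.1.2", "Employee Acknowledgments"),
        Control("CC1.1.3", "Ethics Training Program"),
        Control("CC1.1.4", "Violation Response Procedures"),
    ])
    return cc11


if __name__ == "__main__":
    cc11 = build_cc1_1()
    attach_evidence(cc11.children[0], "code-of-conduct-2024-board-approved.pdf")  # constructed sample
    cc11.children[0].status = Status.COMPLETE
    print("legacy parent:", cc11.legacy)
    print("rolled-up status:", roll_up(cc11).value)
    print("evidence view:", evidence_view(cc11))
```

Running the script shows the parent flagged as legacy, a rolled-up status of in_progress (one of four sub-controls complete), and an evidence map that keeps the pre-breakdown document on CC1.1 while the new document sits on CC1.1.1. Attempting to nest a sub-control under CC1.1.1, or to attach new evidence directly to CC1.1, raises a ValueError.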

Key Benefits

For Compliance Teams:

  • Clear Implementation Roadmap – No more guessing what “demonstrate commitment to integrity” actually means
  • Better Progress Tracking – See exactly which components are complete versus pending
  • Distributed Ownership – Assign different sub-controls to appropriate team members
  • Reduced Audit Prep Time – Evidence is already organized by specific requirements

For Auditors:

  • Granular Assessment – Evaluate each component individually rather than making binary pass/fail decisions
  • Risk-Based Focus – Identify specific areas needing attention without failing entire controls
  • Clearer Evidence Mapping – Direct correlation between requirements and provided documentation

For Organizations:

  • Right-Sized Compliance – Small companies get simpler breakdowns; enterprises get comprehensive ones
  • Faster Implementation – Teams can work on sub-controls in parallel
  • Better Resource Planning – Understand effort required for each component
  • Continuous Improvement – Address specific gaps without overhauling entire control implementations

Smart Suggestions

The platform recognizes when controls could benefit from breakdown and presents suggestions in your control overview. You maintain full control – accept the breakdown when it makes sense, or keep the consolidated approach for simpler controls.

For SOC 2 projects, sub-controls are enabled by default since auditors increasingly expect this level of detail. For ISO 27001, we maintain the traditional consolidated approach unless specifically requested, respecting the different assessment methodologies of each framework.

[Screenshot: Humadroid breaking a SOC 2 control into sub-controls]

The Bottom Line

Sub-controls transform SOC 2 compliance from an overwhelming checklist into a structured, manageable program. Whether you’re a startup preparing for your first audit or an enterprise managing complex compliance requirements, the breakdown feature ensures you’re implementing controls at the right level of detail for your organization’s needs and auditor expectations.

Live Demo

Join us on a personalized onboarding session! As we launch our service, we’re eager to connect directly with each of our clients. Booking a session with us means we can better understand your unique needs and tailor our solution to fit you perfectly. Let’s start this journey together—your insights are invaluable as we grow and refine our offerings. Click here to schedule a time that works best for you!