SOC 2 Controls List

SOC 2 has a long list of controls that each business pursuing a SOC 2 report needs to implement. But first, let’s talk about where this controls list comes from.

SOC 2 controls are based on the Trust Services Criteria deemed applicable to your organization. A SOC 2 report focuses on non-financial criteria related to security, availability, confidentiality, processing integrity, and privacy.

Modeled around policies, communications, procedures, and monitoring, Trust Services Criteria each have corresponding controls.

Get more information on SOC 2 Trust Services Criteria.

What are SOC 2 requirements?

SOC 2 requirements change according to the type of information a business needs to secure.

An organization should select the Trust Services Criteria requirements relevant to their business and the commitments they make to their customers. However, security is required and referred to as “Common Criteria.”

The SOC 2 controls we list here are an overview of those you may need to implement for your SOC 2 report. The ones that are relevant to your business should be selected by your CISO and management team.

SOC 2 Controls List

While there are many controls associated with each of the five TSCs, controls associated with the common criteria include common IT general controls.

Control Environment

These SOC 2 controls relate to a commitment to integrity and ethical values.

Involvement of the board of directors and senior management’s oversight relating to the development and performance of internal control.

Hold individuals accountable for their internal control responsibilities in the pursuit of objectives.

Communication and Information

This includes SOC 2 controls related to the internal and external use of quality information to support the functioning of internal control.

Risk Assessment

This requests the identification and assessment of risk relating to objectives, including fraud.

Monitoring Activities

Place controls related to the performance of ongoing and separate evaluations to determine deficiencies of controls and communicate those to the correct parties.

Control Activities

These relate to the control activities contributing to risk mitigation and policy and procedure establishment.

Logical and Physical Access Controls

Related to the implementation of logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet its objectives.

Issuing of credentials to new internal and external users
Authorization, modification, or removal of access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design
Restriction of physical access to facilities and protected information assets to authorized personnel to meet its objectives
Implementation of controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet its objectives.

System Operations

SOC 2 controls related to the use of detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities and (2) susceptibilities to newly-discovered vulnerabilities.

Response to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Monitoring of system components and the operation of those components for anomalies indicative of malicious acts, natural disasters, and errors

Change Management

Controls related to the authorization, design, development, testing, approval, and implementation of changes to infrastructure, data, software, and procedures to meet its objectives.

Risk Mitigation

Identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

Additional SOC 2 Criteria for Privacy, Processing Integrity, Confidentiality, Availability

In addition to the requirements attached to Security, businesses should fulfill the controls for other relevant categories based on the commitments they make to their customers.

Find examples of additional SOC 2 control categories and control types that satisfy these categories below.

Privacy:

Provides notice of privacy practices to relevant parties.

The notice is updated and communicated in a timely manner, including changes in the use of personal information.

Processing Integrity:

Obtains or generates, uses, and communicates relevant, quality information regarding the SOC 2 objectives related to processing.

This includes definitions of processed data, and product and service specifications, to support the use of products and services.

Confidentiality:

Identifies and maintains confidential information to meet SOC 2 objectives related to confidentiality.

Retention and Classification
Disposal of Information

Availability:

Maintains, monitors, and evaluates current processing capacity and use of system components like infrastructure, data, and software.

System Capacity

Maintaining processing capacity and use of system components (infrastructure, data, and software) to manage demand and enable the implementation of additional capacity to help meet objectives.

Backups and evironmental controls
Recovery controls

How does my business fulfill SOC 2 controls?

There isn’t one path to fulfilling SOC 2 controls and prepping for audit. The process should include policy implementation and technical and operational procedures.

Policies

For SOC 2 Type 1, auditors ask to examine authored policies, who they’ve been distributed to, and the procedures put in place to execute the policy.

In a Type 2 audit, auditors examine the functionality of controls over a 6-12 month time period. A comprehensive report is written based on the evidence provided.

Technical Procedures

SOC 2 controls primarily focus on policies and procedures instead of technical tasks; however, the implementation of technical procedures typically involves building or managing new tools, like endpoint security. These procedures are monitored over time for effectiveness and relayed to audit teams while pursuing a SOC 2 report.

Operational Procedures

Just as important as technical processes, operational procedures involve managing vendors and due diligence, creating uniform onboarding and termination procedures, and collecting evidence on their effectiveness.

These procedures are crucial to creating a risk assessment for auditors and understanding the business’ risk appetite.

Get compliant

Stay compliant

Compliance automation

Security audits

Integrations

Watch a demo of the platform

HealthTech

FinTech

SaaS

More industries

Some of the best money I ever spent. Thoropass and being compliant ended up helping us close our second-largest customer.

SOC 1

SOC 2

ISO 27001

GDPR

PCI DSS

HIPAA

HITRUST

Other Frameworks

If my previous audits were offered to me for free, I'd still pay for Thoropass.

Our advantage

Customer stories

Meet the experts

About

Careers

Partners

We provide the expertise—so you don't have to.

Blog

University

More resources

Events

Guides

Get 30% of the way to SOC 2 audit with our policy generator

SOC 2 Controls List

What are SOC 2 requirements?

SOC 2 Controls List

Control Environment

Communication and Information

Risk Assessment

Monitoring Activities

Control Activities

Logical and Physical Access Controls

System Operations

Change Management

Risk Mitigation

Additional SOC 2 Criteria for Privacy, Processing Integrity, Confidentiality, Availability

Privacy:

Processing Integrity:

Confidentiality:

Availability:

How does my business fulfill SOC 2 controls?

Policies

Technical Procedures

Operational Procedures

Some of the best money I ever spent. Thoropass
and being compliant ended up helping us close our second-largest customer.

If my previous audits were offered to me for free,
I'd still pay for Thoropass.