
List of SOC 2 Controls 2025 - Detailed Control Reference Guide

Complete list of SOC 2 controls with detailed descriptions, implementation guidance, and examples. Your comprehensive reference for all Trust Service Criteria controls.

May 14, 2024 | 9 min read

Your comprehensive reference guide to all SOC 2 controls across the five Trust Service Criteria, with detailed descriptions, implementation guidance, and practical examples.

Overview

SOC 2 controls are organized around five Trust Service Criteria, with over 99 individual controls covering various aspects of security, availability, processing integrity, confidentiality, and privacy.

Security Controls (CC) - 58 Controls

Control Environment (CC1)

CC1.1 - Code of Conduct and Ethics

  • Type: Preventive
  • Complexity: Medium
  • Description: The entity demonstrates a commitment to integrity and ethical values through the establishment and enforcement of a code of conduct.

Implementation Examples:

  • Written code of conduct addressing conflicts of interest, ethical behavior, and compliance
  • Annual code of conduct acknowledgment and training for all employees
  • Disciplinary procedures for code violations
  • Anonymous reporting mechanisms for ethical concerns

Related Controls: CC1.2, CC1.3, CC2.1


CC1.2 - Board Independence and Oversight

  • Type: Preventive
  • Complexity: Low
  • Description: The board of directors or equivalent governing body demonstrates independence and exercises oversight of system design and operation.

Implementation Examples:

  • Independent board members or audit committee oversight
  • Regular board meetings addressing security and risk topics
  • Board charter defining security oversight responsibilities
  • Executive reporting on security matters to the board

CC1.3 - Organizational Structure and Authority

  • Type: Preventive
  • Complexity: Medium
  • Description: Management establishes structures, reporting lines, and appropriate authorities to achieve the entity's objectives.

Implementation Examples:

  • Organizational charts with clear reporting relationships
  • Job descriptions defining roles and responsibilities
  • Delegation of authority policies and procedures
  • Regular review and update of organizational structure

CC1.4 - Commitment to Competence

  • Type: Preventive
  • Complexity: Medium
  • Description: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Implementation Examples:

  • Competency requirements in job descriptions
  • Skills assessment and training programs
  • Performance evaluation and development planning
  • Succession planning for key positions

CC1.5 - Accountability and Enforcement

  • Type: Preventive
  • Complexity: Low
  • Description: The entity holds individuals accountable for their responsibilities in the context of the entity's objectives.

Implementation Examples:

  • Performance metrics tied to security objectives
  • Regular performance reviews and feedback
  • Recognition and incentive programs
  • Disciplinary procedures for non-compliance

Logical and Physical Access Controls (CC6)

CC6.1 - Logical Access - User Identification and Authentication

  • Type: Preventive
  • Complexity: High
  • Description: The entity implements logical access controls to restrict access to systems, applications, and data to authorized users.

Implementation Examples:

  • Multi-factor authentication for all system access
  • Strong password policies and enforcement
  • Single sign-on (SSO) implementation
  • Account lockout after failed login attempts
  • Regular password rotation requirements

Related Controls: CC6.2, CC6.3, CC6.7


CC6.2 - Logical Access - New User Setup

  • Type: Preventive
  • Complexity: High
  • Description: Prior to issuing system credentials and granting system access, the entity establishes that the user is authorized.

Implementation Examples:

  • Formal access request and approval process
  • Manager authorization for system access
  • Role-based access control (RBAC) implementation
  • Documented access provisioning procedures
  • Verification of employment status before access

CC6.3 - Logical Access - Modification and Removal

  • Type: Detective
  • Complexity: Medium
  • Description: The entity modifies or removes access in a timely manner for users whose system access is no longer authorized.

Implementation Examples:

  • Automated deprovisioning upon termination
  • Regular access reviews and certifications
  • Timely access modification for role changes
  • Monitoring of inactive user accounts
  • HR integration for status changes

CC6.7 - Transmission of Data and Credentials

  • Type: Preventive
  • Complexity: High
  • Description: The entity restricts the transmission of data and credentials to authorized users and systems.

Implementation Examples:

  • Encryption of data in transit (TLS/SSL)
  • Secure file transfer protocols (SFTP, HTTPS)
  • VPN for remote access
  • Certificate management and validation
  • Network segmentation and firewalls

CC6.8 - Physical Access Controls

  • Type: Preventive
  • Complexity: Medium
  • Description: The entity restricts physical access to facilities and protected information assets to authorized personnel.

Implementation Examples:

  • Badge access control systems
  • Visitor management and escort procedures
  • Security cameras and monitoring
  • Secure disposal of confidential information
  • Environmental protection (fire, flood, climate)

System Operations (CC7)

CC7.1 - System Operations - System Quality

  • Type: Detective
  • Complexity: High
  • Description: The entity manages systems to meet operational requirements through system quality processes.

Implementation Examples:

  • System performance monitoring and alerting
  • Capacity planning and management
  • Service level agreement monitoring
  • System availability tracking and reporting
  • Problem management and resolution procedures

CC7.2 - System Monitoring - Detection of Incidents

  • Type: Detective
  • Complexity: High
  • Description: The entity uses detection tools and configuration management to prevent, detect, and correct processing deviations.

Implementation Examples:

  • Security Information and Event Management (SIEM)
  • Intrusion detection and prevention systems
  • Log monitoring and analysis
  • Vulnerability scanning and assessment
  • Configuration management and drift detection

CC7.3 - System Operations - Response to Incidents

  • Type: Corrective
  • Complexity: Medium
  • Description: The entity evaluates security events to determine whether they could impact system security and responds appropriately.

Implementation Examples:

  • Incident response plan and procedures
  • Security incident escalation process
  • Incident classification and prioritization
  • Post-incident review and lessons learned
  • Communication procedures for incidents

CC7.4 - System Operations - Recovery and Continuity

  • Type: Corrective
  • Complexity: Medium
  • Description: The entity implements recovery procedures to recover from system failures and meet system availability objectives.

Implementation Examples:

  • Data backup and recovery procedures
  • Business continuity and disaster recovery plans
  • Recovery time and point objectives (RTO/RPO)
  • Regular backup testing and validation
  • Alternative processing site arrangements

Availability Controls (A) - 12 Controls

System Availability

A1.1 - Availability - Performance and Capacity Monitoring

  • Type: Detective
  • Complexity: Medium
  • Description: The entity monitors system performance and evaluates whether system capacity is adequate to meet operating requirements.

Implementation Examples:

  • Real-time system performance dashboards
  • Capacity utilization monitoring and trending
  • Performance threshold alerting
  • Regular capacity planning assessments
  • Service level agreement (SLA) monitoring

A1.2 - Availability - Environmental Protections

  • Type: Preventive
  • Complexity: High
  • Description: The entity implements environmental protection controls to reduce the risk of environmental factors impacting system availability.

Implementation Examples:

  • Uninterruptible power supply (UPS) systems
  • Climate control and monitoring systems
  • Fire detection and suppression systems
  • Flood detection and mitigation measures
  • Redundant infrastructure components

A1.3 - Availability - Recovery Procedures

  • Type: Corrective
  • Complexity: High
  • Description: When availability is compromised, the entity implements procedures to restore it and meet system availability objectives.

Implementation Examples:

  • Documented disaster recovery procedures
  • Regular disaster recovery testing
  • Alternative processing site arrangements
  • Automated failover mechanisms
  • Recovery time objective (RTO) definitions

Processing Integrity Controls (PI) - 8 Controls

Data Processing

PI1.1 - Processing Integrity - Input Completeness

  • Type: Preventive
  • Complexity: Medium
  • Description: The entity implements controls to ensure input data is complete and accurate for processing.

Implementation Examples:

  • Input validation rules and checks
  • Data format and range validation
  • Mandatory field enforcement
  • Duplicate record detection
  • Data completeness verification procedures

PI1.2 - Processing Integrity - Processing Completeness

  • Type: Detective
  • Complexity: Medium
  • Description: The entity implements controls to ensure processing is complete and accurate.

Implementation Examples:

  • Batch processing controls and reconciliation
  • Transaction logging and audit trails
  • Processing error detection and handling
  • Data quality monitoring and reporting
  • Automated processing validation checks

PI1.3 - Processing Integrity - Output Accuracy

  • Type: Detective
  • Complexity: Low
  • Description: The entity implements controls to ensure output data is accurate and complete.

Implementation Examples:

  • Output validation and verification procedures
  • Report reconciliation and balancing
  • Output formatting and presentation controls
  • Data distribution and access controls
  • Output retention and archival procedures

Confidentiality Controls (C) - 6 Controls

Information Protection

C1.1 - Confidentiality - Information Classification

  • Type: Preventive
  • Complexity: Medium
  • Description: The entity identifies and classifies confidential information to meet the entity's objectives related to confidentiality.

Implementation Examples:

  • Data classification policies and procedures
  • Information labeling and handling requirements
  • Data discovery and classification tools
  • Employee training on data classification
  • Regular review and update of classifications

C1.2 - Confidentiality - Disposal of Confidential Information

  • Type: Preventive
  • Complexity: High
  • Description: The entity disposes of confidential information to meet the entity's objectives related to confidentiality.

Implementation Examples:

  • Secure data destruction procedures and policies
  • Certified disposal services for physical media
  • Data wiping standards for electronic media
  • Documentation of disposal activities
  • Regular disposal of outdated confidential information

Privacy Controls (P) - 15 Controls

Privacy Management

P1.1 - Privacy - Privacy Notice

  • Type: Preventive
  • Complexity: Low
  • Description: The entity provides notice to data subjects about privacy practices and provides choices about the use of personal information.

Implementation Examples:

  • Clear and comprehensive privacy notices
  • Opt-in and opt-out mechanisms for data processing
  • Cookie consent and preference management
  • Notice updates and user notification procedures
  • Multi-language privacy notice availability

P2.1 - Privacy - Collection and Processing

  • Type: Preventive
  • Complexity: Medium
  • Description: The entity collects and processes personal information only for the purposes identified in the privacy notices.

Implementation Examples:

  • Purpose limitation controls and monitoring
  • Data minimization practices and policies
  • Consent management systems
  • Legal basis documentation for processing
  • Regular review of collection practices

P4.1 - Privacy - Access and Correction

  • Type: Corrective
  • Complexity: Medium
  • Description: The entity provides data subjects with access to their personal information for review and correction.

Implementation Examples:

  • Subject access request procedures
  • Identity verification for data requests
  • Data portability and export capabilities
  • Correction and deletion request handling
  • Response timeframes and communication procedures

SOC 2 Controls Summary

  • Total Controls: 99+
  • Security Controls (CC): 58
  • Availability Controls (A): 12
  • Processing Integrity Controls (PI): 8
  • Confidentiality Controls (C): 6
  • Privacy Controls (P): 15

This comprehensive list provides a foundation for understanding SOC 2 control requirements. For implementation assistance and guidance, consult with qualified SOC 2 professionals.
