SOC 2 Controls: Full List, Categories and How They Are Tested
Controls are the operational core of every SOC 2 engagement. Policies describe what an organization intends to do. Controls are what the organization actually does — the specific, repeatable actions, configurations, and processes that protect systems, manage access, detect threats, and maintain service availability.
SOC 2 controls are the security measures that CertPro CPA LLC tests during the examination against the AICPA’s Trust Services Criteria. Every control in scope must be documented, implemented, consistently operated, and capable of generating evidence — because evidence is what the examination tests. A control that exists only in a policy document but is never performed is not a control for SOC 2 purposes — it is a gap.
This guide from CertPro CPA LLC covers the full landscape of SOC 2 controls by category, how they map to the Trust Services Criteria, what auditors test at each control, and how to build a control environment that produces clean examination results.
TL;DR:
Concern: With SOC 2 audit preparation consuming significant organizational resources, service organizations find it hard to understand which specific controls they need to implement, how those controls map to the Trust Services Criteria, and what evidence auditors will test against each one.
Overview: SOC 2 controls are the specific security, operational, and governance measures that a service organization implements to meet the AICPA’s Trust Services Criteria — and that CertPro CPA LLC tests during the SOC 2 examination using inspection, inquiry, observation, and re-performance.
Solution: Service organizations should understand the full landscape of SOC 2 controls by category, how controls map to each Trust Services Criterion, what evidence each control must generate to be testable, and how to implement a control environment that supports a clean SOC 2 examination from CertPro CPA LLC.
SOC 2 controls are the specific measures a service organization implements to meet the applicable Trust Services Criteria. They are tested by CertPro CPA LLC during the SOC 2 audit using inspection, inquiry, observation, and re-performance — and the results of that testing form the substance of Section 4 of the SOC 2 report.
How SOC 2 Controls Are Structured
SOC 2 controls are organized by the Trust Services Criteria (TSC) they address. Every SOC 2 engagement includes the Security criterion — which is mandatory — and may include one or more additional criteria: Availability, Confidentiality, Processing Integrity, and Privacy.
Within the Security criterion, controls are organized around the Common Criteria (CC) — a set of nine control categories that form the baseline of every SOC 2 examination:
| Category | Code | Focus |
|---|---|---|
| Control Environment | CC1 | Organizational governance, tone at the top, competence |
| Communication and Information | CC2 | Internal and external communication of security information |
| Risk Assessment | CC3 | Identification and assessment of risks to security objectives |
| Monitoring Activities | CC4 | Ongoing evaluation of control effectiveness |
| Control Activities | CC5 | Policies and procedures that address identified risks |
| Logical and Physical Access | CC6 | Access provisioning, authentication, physical security |
| System Operations | CC7 | Change management, incident response, system monitoring |
| Change Management | CC8 | Formal change management procedures |
| Risk Mitigation | CC9 | Vendor management, business continuity |
Additional criteria — Availability (A series), Confidentiality (C series), Processing Integrity (PI series), and Privacy (P series) — add further control categories relevant to the specific services provided.
Control Environment Controls (CC1)
The control environment is the foundation of the SOC 2 control structure. It addresses the governance and organizational disciplines that create the conditions under which effective controls can operate.
CC1.1 — Organizational structure and board oversight
The organization demonstrates a commitment to integrity and ethical values and has established the structures and reporting lines necessary to maintain a functioning control environment. For SOC 2 purposes, this means documented governance policies, a defined organizational chart with clear security responsibilities, and evidence of leadership engagement in security oversight.
What auditors test: Existence of a documented organizational structure, evidence of board or senior leadership involvement in security governance, and communication of the code of conduct or ethics policy to all personnel.
CC1.2 — Independence and oversight of controls
The board or equivalent body exercises independent oversight of the design and operation of the system of internal controls.
What auditors test: Evidence of independent oversight — meeting minutes, governance reports, or documented management reviews.
CC1.3 — Management structure and assignment of authority
Management has established reporting lines and defined responsibility for security-related functions. Personnel understand their security responsibilities and have the authority to fulfill them.
What auditors test: Job descriptions, role assignments, and evidence that security responsibilities are explicitly defined and communicated.
CC1.4 — Commitment to competence
The organization has processes for hiring, training, and retaining personnel with the competence to perform security-relevant functions — including background checks and ongoing security training.
What auditors test: Background check records, job description accuracy, and training completion records. See Common SOC 2 Audit Exceptions for how training gaps become exceptions.
CC1.5 — Accountability for internal control
Management holds personnel accountable for their security responsibilities through performance management processes, incident tracking, and disciplinary procedures for policy violations.
What auditors test: Evidence of accountability mechanisms — performance review processes, incident documentation, and policy acknowledgment records.
Communication and Information Controls (CC2)
CC2.1 — Obtaining and using relevant information
The organization obtains and uses quality information to support the functioning of its controls — including threat intelligence, vulnerability data, regulatory updates, and operational metrics.
What auditors test: Evidence of information sources used — threat intelligence subscriptions, vulnerability scan reports, regulatory monitoring processes.
CC2.2 — Internal communication
Security-relevant information is communicated internally to the personnel who need it to perform their control responsibilities — including security policy updates, incident notifications, and operational alerts.
What auditors test: Policy communication records, security awareness communications, and incident notification documentation.
CC2.3 — External communication
The organization communicates with external parties — customers, regulators, subservice providers — about security commitments, incidents, and changes that affect those parties’ reliance on the service organization’s controls.
What auditors test: Customer notification procedures, incident communication records, and service level agreement documentation.
Risk Assessment Controls (CC3)
CC3.1 — Risk identification
The organization has a defined process for identifying risks to the achievement of its security objectives. Risk registers not updated during the observation period are a common finding.
What auditors test: A documented, current risk register identifying threats, vulnerabilities, and the likelihood and impact of each.
CC3.2 — Risk analysis
Identified risks are analyzed to determine their significance and the appropriate response — including the prioritization of controls based on risk level.
What auditors test: Risk scoring methodology, evidence of risk ranking, and documentation of risk treatment decisions.
CC3.3 — Risk identification for fraud
The organization considers the potential for fraud in its risk assessment — including management override of controls, unauthorized access, and data manipulation.
What auditors test: Evidence that fraud risks are explicitly identified in the risk assessment and that controls addressing fraud risk are implemented.
CC3.4 — Identifying and assessing significant changes
The organization identifies and assesses changes that could significantly affect the system of controls — including new products, infrastructure changes, personnel changes, and regulatory developments.
What auditors test: Change impact assessment documentation and evidence that the risk assessment is updated when significant changes occur.
Logical and Physical Access Controls (CC6)
CC6 generates the highest volume of SOC 2 exceptions across all control categories. It governs how access to systems and data is provisioned, maintained, and removed.
CC6.1 — Access provisioning
Access to systems is provisioned based on documented authorization and the principle of least privilege — users receive only the access required to perform their job functions, approved by an authorized approver before provisioning.
What auditors test: Access request and approval records for all user provisioning events during the observation period, with specific attention to privileged access requests.
CC6.2 — Access removal
Access is removed promptly when personnel leave the organization or change roles. Deprovisioning occurs within the timeframe defined in the access management policy — typically within 24 hours for voluntary departures and immediately for involuntary ones.
What auditors test: Termination records matched against account deactivation logs. Gaps between termination date and account deactivation date are exceptions. This is the single most common source of SOC 2 exceptions.
CC6.3 — Access review
Periodic reviews of all user access are conducted to identify and remove accounts that are no longer authorized. Reviews typically occur quarterly or semi-annually.
What auditors test: Access review completion records for every scheduled review during the observation period, including evidence that identified issues were remediated.
CC6.6 — Physical access
Physical access to systems and data is restricted to authorized personnel through physical security controls — including badge access systems, visitor logs, data center access controls, and CCTV monitoring.
What auditors test: Badge access logs, visitor records, data center access reports, and evidence of periodic physical access reviews.
CC6.7 — Transmission and disposal
Data transmitted externally is encrypted and data disposed of is rendered unrecoverable. Encryption standards and disposal procedures are documented and enforced.
What auditors test: Encryption configuration documentation, transmission security configurations, and media disposal records.
CC6.8 — Malware detection
The organization implements controls to prevent or detect malware on systems processing in-scope data — including endpoint protection, email security, and network security controls.
What auditors test: Endpoint protection deployment records, scan completion logs, and evidence that malware alerts were investigated and resolved.
System Operations Controls (CC7)
CC7.1 — System monitoring
The organization monitors the in-scope system on an ongoing basis to detect security events, performance degradation, and anomalous activity. Monitoring coverage is maintained continuously throughout the observation period.
What auditors test: Monitoring tool configurations, alert logs, and evidence that alerts were reviewed and acted upon. Gaps in monitoring coverage or unreviewed alert queues are exceptions.
CC7.2 — Security event evaluation
Security events identified through monitoring are evaluated to determine whether they constitute security incidents — and incidents are handled according to the documented incident response procedure.
What auditors test: Incident log completeness, evidence that all significant events were evaluated, and documentation of the incident response process for any events during the observation period.
CC7.3 — Incident response
The organization responds to identified security incidents following a documented procedure — including containment, eradication, recovery, and post-incident review.
What auditors test: Incident records for all events during the observation period, evidence that the response procedure was followed, and post-incident review documentation.
CC7.4 — Problem resolution
Identified problems affecting the in-scope system are tracked, prioritized, and resolved within defined timeframes — with root cause analysis conducted for significant problems.
What auditors test: Problem tracking records, resolution timelines, and root cause analysis documentation for significant issues.
CC7.5 — Disclosure of breaches
The organization has procedures for disclosing security breaches to affected parties — customers, regulators, and other required recipients — within the timeframes defined by applicable legal and contractual requirements.
What auditors test: Disclosure procedure documentation, evidence of any required disclosures during the observation period, and timeliness of those disclosures.
Change Management Controls (CC8)
CC8.1 — Change management process
All changes to the in-scope system — including infrastructure changes, software deployments, configuration changes, and emergency fixes — are managed through a documented change management process that requires approval before implementation and testing before deployment to production.
What auditors test: Change tickets for all production changes during the observation period, approval records, test evidence, and post-implementation review documentation. Unauthorized changes — deployments not documented in the change management system — are exceptions.
Vendor and Risk Mitigation Controls (CC9)
CC9.1 — Risk mitigation through vendor management
The organization assesses and manages the risks posed by third-party vendors and subservice organizations that perform functions relevant to the in-scope system — including cloud hosting providers, payment processors, and other critical suppliers.
What auditors test: Vendor inventory, risk assessment records for each in-scope vendor, evidence of periodic reassessment, and documentation of vendor security requirements in contracts.
CC9.2 — Business continuity and disaster recovery
The organization has documented business continuity and disaster recovery plans that address the resumption of in-scope services following a significant disruption — and tests those plans periodically to verify that they would work as designed.
What auditors test: Business continuity plan documentation, evidence of testing during the observation period, and test results including identified gaps and remediation actions.
Availability Controls (A Series)
A1.1 — Availability commitments
The organization has defined and communicated its availability commitments to customers — typically through service level agreements — and has implemented controls to meet those commitments.
What auditors test: SLA documentation, uptime monitoring records, and evidence of SLA performance during the observation period.
A1.2 — Capacity management
The organization monitors system capacity and plans for capacity changes to ensure the system can meet its availability commitments under current and anticipated load conditions.
What auditors test: Capacity monitoring reports and evidence of capacity planning activities.
A1.3 — Recovery testing
The organization tests its recovery capabilities — backup restoration, failover procedures, and disaster recovery processes — to verify that data can be recovered and systems restored within the defined recovery time and recovery point objectives.
What auditors test: Recovery test records, test frequency, test results, and evidence that identified gaps were remediated.
Confidentiality Controls (C Series)
C1.1 — Identifying and maintaining confidentiality of information
The organization identifies information required to be kept confidential under contractual, legal, or policy requirements — and implements controls to protect that information throughout its lifecycle.
What auditors test: Data classification documentation, confidentiality agreement records, and evidence that confidential data handling procedures are followed.
C1.2 — Disposal of confidential information
Confidential information is disposed of when no longer needed in a manner that renders it unrecoverable — including secure deletion of electronic data and physical destruction of storage media.
What auditors test: Media disposal records, data retention and deletion logs, and evidence that confidentiality requirements are enforced at end-of-life.
How CertPro CPA LLC Tests SOC 2 Controls
For every control in scope, CertPro CPA LLC applies a combination of four testing procedures:
Inspection — reviewing documentary evidence of control operation. For an access review control, this means reviewing the completed access review records, the list of accounts reviewed, and the documentation of any actions taken.
Inquiry — interviewing the control owner and other relevant personnel to understand how the control is performed in practice. Inquiry is corroborated by inspection or re-performance — it is not sufficient evidence on its own.
Observation — directly observing the control being performed. Used for controls that occur during the fieldwork period and can be witnessed directly.
Re-performance — independently executing the control procedure to verify that it produces the expected result. For an access control, this might mean independently querying the access management system to verify that terminated employees’ accounts have been deactivated.
The combination of procedures applied to each control depends on the nature of the control, the frequency of its operation, and the risk associated with a control failure.
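The CC6.2 test described above (termination records matched against account deactivation logs) and the re-performance example (independently querying the access system for terminated users) can be reduced to one reconciliation routine. The script below is an added illustration, not CertPro's or the AICPA's procedure; the HR export, the identity-provider export, the 24-hour voluntary and immediate involuntary deprovisioning windows, and every user name in it are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample HR termination export (assumed format, not a real system).
HR_TERMINATIONS = [
    {"user": "alice", "terminated_at": "2024-03-01T17:00:00", "type": "voluntary"},
    {"user": "bob",   "terminated_at": "2024-03-04T09:30:00", "type": "involuntary"},
    {"user": "carol", "terminated_at": "2024-03-10T12:00:00", "type": "voluntary"},
    {"user": "dave",  "terminated_at": "2024-03-15T08:00:00", "type": "voluntary"},
    {"user": "frank", "terminated_at": "2024-03-18T11:00:00", "type": "voluntary"},
]

# Constructed identity-provider account export taken after the observation period.
IDP_ACCOUNTS = [
    {"user": "alice", "status": "disabled", "disabled_at": "2024-03-02T10:00:00"},
    {"user": "bob",   "status": "disabled", "disabled_at": "2024-03-04T15:00:00"},
    {"user": "carol", "status": "disabled", "disabled_at": "2024-03-13T09:00:00"},
    {"user": "dave",  "status": "active",   "disabled_at": None},
    {"user": "erin",  "status": "active",   "disabled_at": None},  # current employee
    # "frank" has no row at all: the export cannot evidence his deactivation.
]

# Assumed policy windows: 24 hours for voluntary departures, immediate for involuntary.
DEPROVISIONING_SLA = {
    "voluntary": timedelta(hours=24),
    "involuntary": timedelta(hours=0),
}


@dataclass
class Finding:
    user: str
    reason: str                  # "late_deprovisioning", "still_active", "no_account_in_export"
    lag_hours: Optional[float]   # termination -> deactivation gap, when measurable


def reconcile_terminations(terminations, accounts, sla=DEPROVISIONING_SLA):
    """Return one Finding per terminated user whose deactivation is missing or late."""
    accounts_by_user = {a["user"]: a for a in accounts}
    findings = []
    for term in terminations:
        acct = accounts_by_user.get(term["user"])
        if acct is None:
            findings.append(Finding(term["user"], "no_account_in_export", None))
            continue
        if acct["status"] != "disabled" or not acct["disabled_at"]:
            findings.append(Finding(term["user"], "still_active", None))
            continue
        terminated_at = datetime.fromisoformat(term["terminated_at"])
        disabled_at = datetime.fromisoformat(acct["disabled_at"])
        lag = disabled_at - terminated_at
        if lag > sla[term["type"]]:
            findings.append(Finding(term["user"], "late_deprovisioning",
                                    lag.total_seconds() / 3600))
    return findings


if __name__ == "__main__":
    for f in reconcile_terminations(HR_TERMINATIONS, IDP_ACCOUNTS):
        print(f"{f.user}: {f.reason}" + (f" ({f.lag_hours:.1f}h)" if f.lag_hours is not None else ""))
```

Every Finding is a candidate exception; alice, deactivated 17 hours after a voluntary departure, is inside the assumed window and produces none.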
Maintain Clean Controls with CertPro CPA LLC
CertPro CPA LLC is a licensed CPA firm that conducts SOC 2 examinations under AICPA AT-C Section 205. Our readiness assessment process maps your existing controls against the full SOC 2 control landscape, identifies gaps, and gives your team a prioritized remediation plan before the observation period begins.
Explore the full SOC 2 hub for detailed guidance on every aspect of the SOC 2 process.
Ready to begin? Contact CertPro CPA LLC to scope your SOC 2 engagement.
FAQ
How many controls does a SOC 2 audit test?
The number varies by engagement scope. A Security-only engagement typically involves 60–100 individual control tests. Adding additional Trust Services Criteria increases the number. The system’s complexity, number of personnel, and infrastructure footprint also affect the total control count.
Do I choose my own SOC 2 controls?
Management defines and implements the controls — CertPro CPA LLC tests them. The controls must be sufficient to meet the applicable Trust Services Criteria. There is no prescribed list of specific controls — the criteria define the outcomes required, and management determines how to achieve them through the design of the control environment.
What is the difference between a control and a policy?
A policy describes the organization’s intent — what it commits to doing. A control is the specific operational action that fulfills that commitment. A policy that says “access will be reviewed quarterly” requires a control — the actual quarterly access review — to be testable for SOC 2 purposes.
Can compensating controls substitute for standard controls?
Yes. Where a standard control cannot be implemented — for example, because a legacy system does not support MFA — a compensating control that achieves equivalent risk mitigation can be documented and tested. CertPro CPA LLC assesses compensating controls for adequacy during the examination.