SOC 2 Common Criteria CC1-CC9: What Each Category Actually Tests
A control-level reference to the nine Common Criteria categories in every SOC 2 examination — what auditors evaluate, the most common gaps, and how CC1-CC9 map to the COSO framework.
The CC Series: The Backbone of Every SOC 2 Examination
The Security Trust Service Criterion — mandatory in every SOC 2 examination — is organized into nine Common Criteria sub-categories (CC1 through CC9). These nine categories are derived directly from the COSO Internal Control Framework's 17 principles, adapted by the AICPA for technology service organizations.
Understanding the CC series matters because it determines what auditors actually test. A SOC 2 examination is not a penetration test or a vulnerability scan — it evaluates whether your organization has designed and implemented controls across all nine categories and, for Type II, whether those controls operated effectively throughout the observation period.
The 2022 revision to the AICPA's Points of Focus updated guidance for cloud computing, remote work, and modern threat landscapes, but the CC structure itself has remained stable since the 2017 Trust Services Criteria (TSP Section 100). The stability is intentional: the criteria are principle-based, not prescriptive, so they accommodate evolving technology without requiring structural changes.
One critical point most guides miss: roughly half of the CC series (CC1-CC5, CC9) covers governance, risk management, communication, and organizational controls — not technical configurations. Organizations that focus only on firewalls and encryption leave half the audit scope unaddressed.
CC1-CC2: Control Environment and Communication
CC1 — Control Environment maps to COSO Principles 1-5 and evaluates organizational governance: ethical values, board or management oversight of security, organizational structure, accountability mechanisms, and commitment to competent personnel. This is "tone at the top" — auditors want evidence that leadership takes security seriously, not just that the IT team does.
Auditors look for: documented board or management-level security oversight (meeting minutes, committee charters), defined security roles and responsibilities, background check policies for personnel with access to sensitive systems, and a code of conduct that addresses security expectations. The most common CC1 gap is having no formal governance structure — security is "everyone's job" with no specific accountability.
CC2 — Communication and Information maps to COSO Principles 13-15 and evaluates how the organization communicates security policies internally and externally. This includes security awareness training, system description documentation, and communication of security responsibilities to third parties.
Auditors look for: security awareness training records with completion tracking, documented communication to customers about system changes, internal security policy distribution with acknowledgment records, and a current system description that accurately defines the boundaries of the system being examined.
CC3-CC5: Risk Assessment, Monitoring, and Control Activities
CC3 — Risk Assessment maps to COSO Principles 6-9 and evaluates whether the organization formally identifies, analyzes, and manages risks. This is not a one-time exercise — auditors expect documented, periodic risk assessments that consider fraud risk and track identified risks through remediation.
Auditors look for: a documented risk assessment methodology, risk registers with identified risks and assigned owners, evidence of periodic reassessment (at minimum annually), fraud risk consideration, and assessment of risks from organizational changes (new systems, new markets, personnel changes). The most common CC3 gap: risk assessment exists as a document but has not been updated since it was first created.
CC4 — Monitoring Activities maps to COSO Principles 16-17 and evaluates ongoing and periodic evaluation of controls, plus communication and remediation of identified deficiencies. This is the "are we checking that our controls still work?" category.
Auditors look for: evidence of ongoing monitoring (SIEM dashboards, automated alerting, continuous compliance platform data), periodic separate evaluations (internal audits, control testing), and documented remediation of identified deficiencies with tracked timelines.
CC5 — Control Activities maps to COSO Principles 10-12 and evaluates the selection, development, and deployment of specific controls to mitigate identified risks. This bridges the gap between risk assessment (CC3) and the specific technical and operational controls in CC6-CC9.
Auditors look for: evidence that controls were selected based on identified risks (not randomly), technology general controls, and documented policies deployed across the organization.
CC6: Logical and Physical Access Controls — The #1 Failure Area
CC6 evaluates how the organization manages who can access what — both logically (systems, data, applications) and physically (offices, data centers, equipment). This is consistently the most frequently cited deficiency area across all SOC 2 examinations.
CC6 covers approximately 8 controls addressing: new user provisioning, authentication mechanisms (MFA enforcement), access modification on role changes, timely deprovisioning when employees leave, periodic access reviews, physical access restrictions, data classification and protection, and management of access credentials.
Auditors specifically test: (1) Timeliness of access removal — they compare HR termination dates against access deactivation dates across all systems. A 24-48 hour deprovisioning window is expected; anything beyond that is documented as an exception. (2) Evidence of periodic access reviews — quarterly or semi-annual reviews where managers confirm their team members' access is appropriate. (3) MFA coverage — particularly for privileged accounts, VPN access, and production environments. (4) Least privilege enforcement — are users provisioned with only the access they need?
The most common CC6 gaps: excessive privileges inherited from "just clone the access of someone with a similar role," access reviews that exist as a policy but are not consistently performed, and delayed deprovisioning because the offboarding process is not integrated with the identity provider.
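The timeliness test described above can be reproduced internally before the auditor asks for it. The following script is an added example and is not code from the original article: it joins a constructed HR termination export against constructed per-system account records (an identity provider, a cloud account, and a source-control system, all invented for the illustration) and reports every termination whose access outlived the deprovisioning window or was never removed at all. The 48-hour window, the system names and the employee ids are assumptions chosen to match the 24-48 hour expectation the text cites.

```python
"""Deprovisioning timeliness check for SOC 2 CC6 evidence.

Added illustration, not code from the original article. It joins a
constructed HR termination export against constructed per-system account
records and reports every termination whose access was removed later than
the deprovisioning window, or never removed at all.
"""
from datetime import datetime, timedelta

# Assumed policy value; the article cites a 24-48 hour expectation.
DEPROVISIONING_WINDOW = timedelta(hours=48)

# Constructed HR termination export: employee id -> termination timestamp (UTC).
HR_TERMINATIONS = {
    "e101": datetime(2024, 3, 1, 17, 0),
    "e102": datetime(2024, 3, 4, 9, 30),
    "e103": datetime(2024, 3, 5, 12, 0),
}

# Constructed account records from three systems. A value of None means the
# account is still active; a missing entry means the user never had an
# account in that system, so there is nothing to deprovision.
SYSTEM_ACCOUNTS = {
    "okta": {
        "e101": datetime(2024, 3, 2, 9, 0),   # disabled 16h after termination
        "e102": datetime(2024, 3, 7, 10, 0),  # 72.5h after termination: exception
        "e103": None,                          # still active: exception
    },
    "aws": {
        "e101": datetime(2024, 3, 1, 18, 0),  # 1h
        "e103": datetime(2024, 3, 5, 14, 0),  # 2h
    },
    "github": {
        "e101": datetime(2024, 3, 4, 12, 0),  # 67h after termination: exception
        "e102": datetime(2024, 3, 4, 11, 0),  # 1.5h
    },
}


def review_deprovisioning(hr_terminations, system_accounts, window=DEPROVISIONING_WINDOW):
    """Return one exception dict per (system, employee) pair whose access
    outlived the window, sorted by system then employee."""
    exceptions = []
    for system, accounts in system_accounts.items():
        for emp, terminated_at in hr_terminations.items():
            if emp not in accounts:
                continue  # no account in this system
            disabled_at = accounts[emp]
            if disabled_at is None:
                exceptions.append({"system": system, "employee": emp,
                                   "lag_hours": None, "reason": "still active"})
                continue
            lag = disabled_at - terminated_at
            if lag > window:
                exceptions.append({"system": system, "employee": emp,
                                   "lag_hours": round(lag.total_seconds() / 3600, 1),
                                   "reason": "late"})
    return sorted(exceptions, key=lambda e: (e["system"], e["employee"]))


def summarize(exceptions, hr_terminations, system_accounts):
    """Population size and exception count: the two numbers an auditor
    records for a sample-based test of this control."""
    population = sum(1 for accounts in system_accounts.values()
                     for emp in hr_terminations if emp in accounts)
    return {"population": population, "exceptions": len(exceptions)}


if __name__ == "__main__":
    found = review_deprovisioning(HR_TERMINATIONS, SYSTEM_ACCOUNTS)
    for e in found:
        print(e)
    print(summarize(found, HR_TERMINATIONS, SYSTEM_ACCOUNTS))
```

Run against the constructed data it reports three exceptions out of a population of seven: one account disabled late in the identity provider, one disabled late in source control, and one never disabled at all. The "still active" case is the one that matters most, because a late removal is a timing exception while an active account for a departed employee is a control failure; pulling the account export from each system rather than only from the identity provider is what surfaces systems where offboarding is not integrated.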
Want to see how your access controls measure up? The SOC 2 gap assessment evaluates all CC6 controls individually with weighted scoring that reflects their audit materiality.
CC7-CC8: System Operations and Change Management
CC7 — System Operations evaluates infrastructure monitoring, vulnerability management, incident detection and response, business continuity, and disaster recovery. This is where technical security meets operational readiness.
Auditors look for: vulnerability scanning with documented cadence (at minimum quarterly, industry trend is continuous), penetration testing (annual external, with remediation tracking), a documented and tested incident response plan (tabletop exercises at minimum annually), business continuity and disaster recovery plans with tested recovery procedures, and evidence of infrastructure monitoring with defined alerting thresholds.
The critical CC7 gap: incident response plans that have never been tested. Auditors explicitly ask when the last tabletop exercise occurred and review the documented outcomes. The absence of any documented security incidents is also a red flag — it may indicate incidents are not being detected rather than not occurring.
CC8 — Change Management evaluates how changes to infrastructure, software, and processes are authorized, tested, approved, and implemented. This is where engineering workflows meet compliance requirements.
Auditors look for: segregation of duties in the change process (the person who writes code is not the same person who approves and deploys it), documented change authorization and approval records, evidence of testing before production deployment, and emergency change procedures with retrospective review.
The common CC8 gap in startups: a single engineer writes, reviews, and deploys code. Auditors do not require large teams, but they require documented evidence that at minimum two people are involved in moving changes to production — one to author and one to approve.
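The two-person rule and the other CC8 evidence points can be checked mechanically over a change log. The script below is an added example, not code from the original article: it walks a constructed list of production changes (ids, authors, approvers and deployers are invented) and reports each change that lacks an approver other than its author, went to production without test evidence, or was an emergency change never given its retrospective review. The record fields and the rule that an emergency change substitutes retrospective review for pre-approval are assumptions about how such a log would be shaped.

```python
"""Segregation-of-duties check over a change log (SOC 2 CC8 evidence).

Added illustration, not code from the original article. Each constructed
record models one production change as it would be reconstructed from
pull-request and deployment history: author, approvers, deployer, whether
test evidence exists, and whether it was an emergency change.
"""

# Constructed change records. 'approvers' lists everyone who approved the
# change; 'reviewed_after' records whether an emergency change received a
# retrospective review.
CHANGES = [
    {"id": "CHG-1", "author": "alice", "approvers": ["bob"], "deployer": "bob",
     "tested": True, "emergency": False},
    {"id": "CHG-2", "author": "carol", "approvers": ["carol"], "deployer": "carol",
     "tested": True, "emergency": False},           # self-approved
    {"id": "CHG-3", "author": "dave", "approvers": [], "deployer": "dave",
     "tested": False, "emergency": True, "reviewed_after": False},  # never reviewed
    {"id": "CHG-4", "author": "erin", "approvers": ["frank", "erin"], "deployer": "erin",
     "tested": True, "emergency": False},           # independent approver present
    {"id": "CHG-5", "author": "gina", "approvers": ["hank"], "deployer": "gina",
     "tested": False, "emergency": False},          # no test evidence
]


def independent_approvers(change):
    """Approvers who are not the author; an author approving their own change
    does not count toward the two-person rule."""
    return [a for a in change["approvers"] if a != change["author"]]


def find_findings(changes):
    """Return one finding per change that fails a CC8 evidence check."""
    findings = []
    for c in changes:
        issues = []
        if c["emergency"]:
            # Emergency path: pre-approval may be skipped, retrospective review may not.
            if not c.get("reviewed_after", False):
                issues.append("emergency change without retrospective review")
        else:
            if not independent_approvers(c):
                issues.append("no approver other than the author")
            if not c["tested"]:
                issues.append("no test evidence before deployment")
        if issues:
            findings.append({"id": c["id"], "issues": issues})
    return findings


def approval_rate(changes):
    """Fraction of non-emergency changes with at least one independent approver."""
    normal = [c for c in changes if not c["emergency"]]
    if not normal:
        return 1.0
    return sum(1 for c in normal if independent_approvers(c)) / len(normal)


if __name__ == "__main__":
    for f in find_findings(CHANGES):
        print(f["id"], "->", "; ".join(f["issues"]))
    print("independent approval rate:", approval_rate(CHANGES))
```

On the constructed log this flags CHG-2 (self-approved), CHG-3 (emergency change with no retrospective review) and CHG-5 (no test evidence), and leaves CHG-1 and CHG-4 clean; CHG-4 passes because an approver other than the author exists even though the author also approved and deployed it. Running a check like this over the full observation period, rather than over a handful of sampled changes, is what turns a "we have a review policy" statement into the operating-effectiveness evidence a Type II examination needs.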
CC9: Risk Mitigation and Vendor Management
CC9 evaluates how the organization manages business risks that extend beyond its direct control — particularly third-party vendor risk and business risk acceptance decisions. While CC9 typically carries fewer controls (approximately 2) than other categories, it addresses a systemic risk area that many organizations overlook entirely.
Auditors look for: a formal vendor risk assessment process applied to critical vendors, ongoing monitoring of vendor security posture (not just initial due diligence), an inventory of critical third-party service providers, documented risk acceptance decisions for residual risks that cannot be fully mitigated, and evidence of insurance coverage appropriate to identified risks.
The most common CC9 gap: no formal vendor risk assessment process. Organizations rely on dozens of SaaS tools, cloud infrastructure providers, and data processors without ever evaluating their security posture. At minimum, auditors expect a vendor inventory, a risk classification framework (critical, standard, low-risk), and documented security assessments for critical vendors — those with access to sensitive data or whose failure would impact service delivery.
For organizations already holding or pursuing ISO 27001, there is significant overlap with Annex A controls in supplier management (A.15 in ISO 27001:2013, A.5.19-A.5.23 in ISO 27001:2022). The SOC 2 gap assessment includes framework overlap analysis that shows which controls carry over from existing certifications.
How the CC Series Maps to Real Audit Outcomes
Understanding the CC series as a reference is useful. Understanding how auditors weight these categories in practice is more useful.
In practice, auditors assess materiality — a gap in CC6 access controls has different implications than a gap in CC2 communication policies. The categories most likely to produce qualified opinions, ranked by frequency of cited deficiencies: CC6 (access controls), CC7 (system operations — particularly incident response), CC8 (change management), CC1 (governance), and CC3 (risk assessment).
This does not mean CC2, CC4, CC5, and CC9 are unimportant. It means that if you have limited remediation time, prioritize the categories auditors flag most often. An organization with strong CC6, CC7, and CC8 controls but weak CC2 documentation will have a better examination outcome than the reverse.
The COSO lineage of CC1-CC9 also means that organizations familiar with financial audit frameworks will recognize the structure. The five COSO components — Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities — map directly to CC1, CC3, CC5, CC2, and CC4 respectively. CC6-CC9 add technology-specific criteria that COSO's general framework does not address.
For a control-by-control evaluation of where your organization stands across all nine CC categories, the SOC 2 gap assessment maps 33 Security controls to the full CC1-CC9 structure with weighted scoring that reflects the materiality differences auditors apply.