SOC 2 Security Trust Service Criteria (TSC): An In-depth Guide

April 17, 2025

Thinking about SOC 2 compliance and feeling a bit overwhelmed? Totally normal.

Let’s simplify things—starting with something called the Security Trust Service Criteria (TSC). If you’ve been hearing that term tossed around and wondering what it actually means, you're in the right place.

Here’s the deal:

SOC 2 is built on five key pillars known as Trust Service Criteria—Security, Availability, Processing Integrity, Confidentiality, and Privacy. But there’s one you can’t skip: Security. It’s the backbone of every SOC 2 report.

And this is where the Common Criteria (aka the CC series) step in.

These Common Criteria are a set of standardized controls, organized into nine domains (from CC 1.0 to CC 9.0). Think of them as the blueprint for building a secure, well-run system. They cover all the important stuff—like how you manage access, assess risks, monitor activity, and handle changes.

If you’re just starting out with SOC 2 or trying to tighten up your current setup, mastering the Security TSC is non-negotiable. It’s how you build trust with your customers, stay compliant, and guard your business against threats.

Coming up next, we’re breaking down each of the nine Common Criteria—what they mean, why they matter, and how you can put them into action starting today.

Understanding SOC 2 Security Trust Service Criteria (Security TSC)

Here’s the deal: when it comes to SOC 2, Security Trust Service Criteria (TSC) is the heart of it all. It’s not just one of the five trust principles—it’s the required one. Every SOC 2 report, no matter what, has to include Security TSC. Why?

Because without strong security in place, none of the other criteria—Availability, Processing Integrity, Confidentiality, or Privacy—really matter.

So, what exactly is Security TSC?

In simple terms, it’s all about protecting your systems and data from unauthorized access, misuse, or damage. That includes both digital and physical threats. 

Think of it as your organization’s security blueprint—it ensures that information is kept safe from being exposed, changed, or destroyed without permission.

But Security TSC isn’t just a checklist you tick off to make auditors happy. It’s a strategic defense system. 

It includes controls designed to manage who can access your data, how you monitor your systems for suspicious activity, and how you keep everything running smoothly and securely—even during unexpected incidents. 

This is what helps you prevent breaches, reduce downtime, and meet both customer and compliance demands.

To bring clarity and consistency to this critical area, SOC 2 breaks the Security TSC into nine structured areas, known as the Common Criteria (CC1 to CC9).

These aren’t random—they’re a thoughtfully organized framework that guides how your organization should approach governance, risk, access control, monitoring, change management, and more.

Coming up next, we’re diving into each of these nine Common Criteria. You’ll see what they cover, why they matter, and exactly how you can apply them to create a rock-solid, secure environment your customers can trust.

Let’s get into it.

Detailed Breakdown of SOC 2 Security Common Criteria

1. CC1: Control Environment

Let’s kick things off with the foundation of it all—the control environment. This is where your organization's overall security mindset starts to take shape. Think of it as the culture, structure, and leadership that guide how seriously security is taken across the board.

CC 1.1: Integrity and Ethical Values

Security starts with trust—and trust starts with ethics. When leadership leads with integrity, it sets the standard for everyone else. Employees are way more likely to follow data protection policies when the values behind them are clear and consistently reinforced.

Here’s what to do: Write up a formal code of conduct. Make sure it covers things like data handling, access responsibilities, and compliance expectations. Then actually talk about it—don’t just let it sit in a dusty policy folder.

CC 1.2: Board Oversight

If the board isn’t paying attention to security, why should anyone else? Board-level oversight gives your security program the weight it needs and makes sure risks aren’t being ignored.

Here’s what to do: Either create a security-focused committee or make sure your board gets regular updates on key risks and compliance efforts. It shows you take this stuff seriously—because you do.

CC 1.3: Organizational Structures and Reporting Lines

Confusion is the enemy of compliance. Everyone should know exactly who’s in charge of what. That way, there’s no ambiguity when incidents happen or decisions need to be made.

Here’s what to do: Define security roles clearly and show reporting lines using an org chart. Make job descriptions super clear about who’s responsible for which controls.

CC 1.4: Attracting, Developing, and Retaining Competent Personnel

You can have the best tools in the world, but if your team isn’t up to speed, your security will suffer. Good people make or break your defense.

Here’s what to do: Build a solid onboarding and training program focused on security responsibilities. Invest in ongoing education too—because threats evolve, and so should your team.

CC 1.5: Accountability for Internal Control

No accountability? No results. Even well-designed controls can fail if no one’s making sure they’re working as intended.

Here’s what to do: Assign clear owners to each control. Use tools like access logs and internal audits to verify that everything’s running smoothly—and fix it if it’s not.

2. CC2: Communication and Information

If CC1 sets the stage with structure and culture, CC2 makes sure everyone’s actually in the loop. A secure organization isn’t just about having great controls—it’s about making sure the right people know what’s going on, when it matters, and what to do about it.

CC 2.1: Communication of Objectives and Responsibilities

People can’t follow the rules if they don’t know them. When security objectives and roles are clearly explained, everyone knows what they’re accountable for—and how their actions impact overall security.

Here’s what to do: Roll out written security policies across your org. Use onboarding, internal docs, and refresher trainings to keep expectations front and center.

CC 2.2: Internal Communication

Internal communication is more than sending out a mass email. It’s about making sure critical updates—like a vulnerability alert or a policy shift—actually reach the people who need to act on them.

Here’s what to do: Set up dedicated channels for security alerts (Slack, Teams, etc.). Make security briefings a regular thing—short, clear, and actionable.

CC 2.3: External Communication

Vendors, partners, and clients are part of your security ecosystem, too. If they’re handling your data, they need to know your security rules and what to do in case of an incident.

Here’s what to do: Share your security policies with external parties when relevant. Use NDAs and vendor security questionnaires to hold them to your standards.

3. CC3: Risk Assessment

Let’s face it—no system is bulletproof. That’s why risk assessment is such a big deal in SOC 2. It’s all about getting ahead of threats before they cause problems.

CC 3.1: Risk Identification

You can’t protect against what you don’t know. Whether it’s a cyberattack, human error, or a compliance gap, identifying risks is the first step to staying secure.

Here’s what to do: Run regular risk assessments using tools like threat modeling, vulnerability scanning, and pen testing.

CC 3.2: Risk Analysis and Assessment

Once you know the risks, figure out which ones deserve the most attention. Not every risk is created equal—some are more likely to happen, and some would cause bigger damage.

Here’s what to do: Use a risk matrix to score and prioritize threats. Focus your resources on high-likelihood, high-impact risks first.
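A worked version of that risk matrix, added here as an example and not code from the original article: a small risk register is scored on a 5x5 likelihood x impact grid, tiered, and ordered so the high-likelihood, high-impact items come first. The scale labels, tier thresholds, owners and the four sample risks are all constructed for illustration.

```python
# Added example, not from the original article: a risk register scored on a
# 5x5 likelihood x impact matrix. Scale labels, thresholds and the sample risks
# are constructed for illustration.
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Tier thresholds on the 1..25 product; tune these to your own risk appetite.
TIERS = [(15, "critical"), (8, "high"), (4, "medium"), (0, "low")]


@dataclass
class Risk:
    name: str
    category: str
    likelihood: str
    impact: str
    owner: str

    def score(self) -> int:
        """Matrix score: likelihood rating times impact rating (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def tier(self) -> str:
        s = self.score()
        return next(label for floor, label in TIERS if s >= floor)


def prioritize(risks):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.name))


def immediate_action(risks):
    """Names of risks that should get resources first (critical and high tiers)."""
    return [r.name for r in prioritize(risks) if r.tier() in ("critical", "high")]


def matrix_view(risks):
    """Place each risk in its (likelihood, impact) cell so the matrix can be rendered."""
    cells = {}
    for r in risks:
        cells.setdefault((LIKELIHOOD[r.likelihood], IMPACT[r.impact]), []).append(r.name)
    return cells


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", "social engineering", "likely", "major", "security lead"),
    Risk("Storage bucket exposed by misconfiguration", "misconfiguration", "possible", "severe", "platform lead"),
    Risk("Insider exports customer records", "insider threat", "unlikely", "major", "security lead"),
    Risk("Office printer firmware out of date", "patching", "possible", "minor", "IT"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():>2} {r.tier():<8} {r.name} (owner: {r.owner})")
```

The point of keeping the thresholds in one table is that an auditor can ask "why is this risk high?" and you can answer with the rating, the product and the threshold rather than a judgement call.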

CC 3.3: Risk Mitigation

Knowing the risks isn’t enough—you’ve got to take action. This is where your mitigation strategy kicks in.

Here’s what to do: Apply targeted controls like MFA, encryption, or IDS/IPS systems. Track remediation steps and review them regularly to make sure they’re working.

4. CC4: Monitoring Activities

Security isn’t a one-and-done thing—it’s an ongoing process. CC4 is about keeping your finger on the pulse so you can spot issues early and fix them fast.

CC 4.1: Ongoing and Periodic Evaluations

Automated tools are great for real-time alerts, but don’t skip those deeper, scheduled reviews. Together, they give you a full picture of your security health.

Here’s what to do: Set up log monitoring, intrusion detection, and quarterly internal audits. Use the data to identify trends and fine-tune your defenses.

CC 4.2: Communication of Deficiencies

If something breaks, your team needs to know—ASAP. The faster you surface issues, the faster you can resolve them.

Here’s what to do: Create a process for escalating security issues. Use ticketing systems or dashboards to track open items and follow up.
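To make CC 4.1 and CC 4.2 concrete, here is an added example (not code from the original article) that runs a simple detection over a constructed authentication log and turns each finding into a tracked deficiency with an owner and a due date. The log line format, the five-failures-in-five-minutes threshold, the severity labels and the SLA durations are all assumptions; substitute your own.

```python
# Added example, not from the original article: detection logic over a constructed
# authentication log, with findings escalated into deficiency tickets that carry an
# owner and an SLA due date. The log format, thresholds and SLAs are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source fails against several accounts, then succeeds.
SAMPLE_LOG = """\
2025-04-17T09:00:01 auth FAIL user=alice src=203.0.113.7
2025-04-17T09:00:09 auth FAIL user=alice src=203.0.113.7
2025-04-17T09:00:15 auth FAIL user=bob src=203.0.113.7
2025-04-17T09:00:22 auth FAIL user=carol src=203.0.113.7
2025-04-17T09:00:30 auth FAIL user=dave src=203.0.113.7
2025-04-17T09:01:02 auth OK user=dave src=203.0.113.7
2025-04-17T09:30:00 auth FAIL user=erin src=198.51.100.4
2025-04-17T09:31:00 auth OK user=erin src=198.51.100.4
"""

# Assumed remediation SLAs per severity.
SLA = {"high": timedelta(days=1), "medium": timedelta(days=5)}


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # unparseable lines would be counted and reported in a real pipeline
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source with `threshold` failures inside `window`, and any success
    from that source shortly after the burst (the more urgent of the two)."""
    findings = []
    recent_fail = defaultdict(list)  # src -> failure timestamps inside the window
    burst_at = {}                    # src -> time the burst was first flagged
    for e in sorted(events, key=lambda x: x["ts"]):
        src, ts = e["src"], e["ts"]
        if e["result"] == "FAIL":
            recent_fail[src] = [t for t in recent_fail[src] if ts - t <= window] + [ts]
            if len(recent_fail[src]) >= threshold and src not in burst_at:
                burst_at[src] = ts
                findings.append({"kind": "failed-login burst", "src": src,
                                 "user": None, "severity": "medium", "at": ts})
        elif src in burst_at and ts - burst_at[src] <= window:
            findings.append({"kind": "success after burst", "src": src,
                             "user": e["user"], "severity": "high", "at": ts})
    return findings


def open_deficiency(finding, owner="security-oncall"):
    """Turn a finding into a tracked item with an owner and a due date (CC 4.2)."""
    return {"title": f"{finding['kind']} from {finding['src']}", "owner": owner,
            "severity": finding["severity"], "opened": finding["at"],
            "due": finding["at"] + SLA[finding["severity"]], "status": "open"}


def run(text=SAMPLE_LOG):
    """Parse, detect, and open one deficiency per finding."""
    return [open_deficiency(f) for f in detect(parse_log(text))]


if __name__ == "__main__":
    for t in run():
        print(f"[{t['severity']}] {t['title']} owner={t['owner']} due={t['due']:%Y-%m-%d}")
```

On the sample log the first source trips the burst rule at the fifth failure and then logs in successfully a minute later, which produces a medium ticket and a high ticket; the second source, with a single failure followed by a success, produces nothing. The ticket records (owner, severity, opened, due, status) are exactly the kind of evidence an auditor will ask for under CC 4.2.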

5. CC5: Control Activities

Control activities are where security meets execution. These are the real-world practices that keep your systems safe day in, day out.

CC 5.1: Logical and Physical Access Controls

Who gets in and what they can access—this is security 101. Both digital and physical spaces need to be tightly locked down.

Here’s what to do: Enforce RBAC, require MFA, and secure your physical infrastructure with access controls like key cards or biometrics.

CC 5.2: System Operations

Smooth system operations = fewer headaches. This includes everything from patching to watching for weird behavior in your logs.

Here’s what to do: Automate updates, monitor logs for anomalies, and have a plan to escalate when something feels off.

CC 5.3: Change Management

Change can be good—but only when it’s done safely. If your systems are constantly shifting, you need tight controls to prevent chaos.

Here’s what to do: Use a ticketing system for changes. Require approvals, test before pushing live, and always have a rollback plan.

CC 5.4: Data Backups and Restoration

Backups are your last line of defense. If something goes wrong, they’re your ticket back to business as usual.

Here’s what to do: Set up automated, encrypted backups. Test your restore process regularly so there are no surprises in a real emergency.

6. CC6: Logical and Physical Access Controls

CC6 takes a deeper dive into access control—because who has access, and how, can make or break your security.

CC 6.1: Access Restriction and Management

Limit access to only those who truly need it. The fewer people with privileges, the smaller your risk surface.

Here’s what to do: Use least privilege and RBAC. Review access lists often, and immediately remove access for former employees or role changes.
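The access review described above, as an added example that is not code from the original article: an HR roster is reconciled against an entitlement export, and any grant held by a former employee, an orphaned account, or a person whose current role does not permit it is flagged for revocation. The roles, entitlement names, people and dates are constructed for illustration.

```python
# Added example, not from the original article: a periodic access review that
# reconciles an HR roster against exported entitlements and produces revocation
# findings. Roles, systems and people are constructed for illustration.
from datetime import date

# Role-to-entitlement matrix: the only access each role may hold (least privilege).
ROLE_ENTITLEMENTS = {
    "engineer": {"github:write", "aws:dev-readonly"},
    "sre": {"github:write", "aws:prod-admin", "pagerduty:responder"},
    "finance": {"netsuite:user"},
}

# Constructed HR roster (in practice exported from the HR system).
HR_ROSTER = {
    "alice": {"status": "active", "role": "sre"},
    "bob": {"status": "active", "role": "engineer"},      # moved from sre to engineer
    "carol": {"status": "terminated", "role": "finance"},
}

# Constructed entitlement export (in practice pulled from each system's admin API).
ACCESS_GRANTS = [
    {"user": "alice", "entitlement": "aws:prod-admin", "granted": date(2024, 1, 10)},
    {"user": "bob", "entitlement": "aws:prod-admin", "granted": date(2024, 3, 2)},
    {"user": "bob", "entitlement": "github:write", "granted": date(2024, 3, 2)},
    {"user": "carol", "entitlement": "netsuite:user", "granted": date(2023, 6, 1)},
    {"user": "mallory", "entitlement": "github:write", "granted": date(2024, 9, 9)},
]


def review_access(roster, grants, role_entitlements=ROLE_ENTITLEMENTS):
    """Return (user, entitlement, reason) for every grant that should be revoked."""
    findings = []
    for g in grants:
        person = roster.get(g["user"])
        if person is None:
            reason = "no HR record (orphaned account)"
        elif person["status"] != "active":
            reason = f"user status is {person['status']}"
        elif g["entitlement"] not in role_entitlements.get(person["role"], set()):
            reason = f"not permitted for role {person['role']}"
        else:
            continue  # grant is consistent with an active person's current role
        findings.append((g["user"], g["entitlement"], reason))
    return findings


def revocation_plan(findings):
    """Group findings per user so each revocation can be actioned as one ticket."""
    plan = {}
    for user, entitlement, reason in findings:
        plan.setdefault(user, []).append((entitlement, reason))
    return plan


def attestation(roster, grants, reviewer, reviewed_on):
    """Evidence record an auditor can be shown for this review cycle."""
    findings = review_access(roster, grants)
    return {"reviewed_on": reviewed_on.isoformat(), "reviewer": reviewer,
            "grants_reviewed": len(grants), "revocations": len(findings),
            "plan": revocation_plan(findings)}


if __name__ == "__main__":
    for user, ent, why in review_access(HR_ROSTER, ACCESS_GRANTS):
        print(f"REVOKE {ent} from {user}: {why}")
```

The review is driven by the HR roster, not by the access lists themselves, which is what catches the two cases the article calls out: a terminated employee whose account was never closed, and someone who changed roles and kept the privileges of the old one. The attestation record is the evidence that the review actually ran.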

CC 6.2: User Authentication and Authorization

Strong authentication keeps imposters out. MFA isn’t just nice to have—it’s essential.

Here’s what to do: Use MFA, SSO, and password managers. Periodically audit user accounts to make sure access is still appropriate.

CC 6.3: Protection of Physical Assets

Don’t forget about the hardware. A stolen laptop or server can do just as much damage as a hacked account.

Here’s what to do: Restrict access to server rooms, use surveillance cameras, and secure devices with locks and encryption.

CC 6.4: Secure Disposal of Data

When data’s no longer needed, destroy it properly. Deleting isn’t the same as erasing.

Here’s what to do: Use tools that meet NIST or ISO data destruction standards. For physical media, shredders or degaussers are your friend.

7. CC7: System Operations

This is where day-to-day operations meet defense. From staying online to staying protected, CC7 covers how your systems stay resilient.

CC 7.1: Incident Response

Incidents are inevitable—but chaos isn’t. A solid response plan keeps damage to a minimum.

Here’s what to do: Build an incident response plan. Assign roles, document communication flows, and practice with tabletop exercises.

CC 7.2: Monitoring of System Availability

Outages hurt trust and revenue. Keep eyes on system health so you can fix issues before users even notice.

Here’s what to do: Set up uptime and performance monitoring tools. Use alerts to catch issues in real time.

CC 7.3: Protection Against Malware and Attacks

Threats are out there—constantly. You need tools that can spot them and stop them fast.

Here’s what to do: Use EDR tools, run regular scans, and train your staff on common threats like phishing.

8. CC8: Change Management

CC8 ensures that when things change, they do so in a controlled, safe way—without opening new holes in your defenses.

CC 8.1: Change Initiation and Authorization

Not every change should be greenlit. Secure systems require strict rules on who can update what.

Here’s what to do: Require change tickets with proper business justifications. Make sure only authorized folks can approve.

CC 8.2: System Change Testing

You never want to test in production. Every change needs a dry run first.

Here’s what to do: Test in staging. Run functional checks, security validations, and always include rollback plans.

CC 8.3: Documentation and Approval of Changes

If it’s not documented, it didn’t happen. Track everything to keep audits clean and ops transparent.

Here’s what to do: Log every change—who made it, why, and what happened. Keep records in systems like Jira, ServiceNow, or your CMDB.
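The change controls in CC 5.3 and CC 8.1 through CC 8.3 come together in one gate, shown here as an added example that is not code from the original article: a change may only proceed if it has a business justification, an authorized approver who is not the requester, a passing staging test and a rollback plan, and every decision (who, what, why, outcome) is appended to a change log. The field names, the approver roster and the two sample change requests are constructed.

```python
# Added example, not from the original article: a pre-deployment gate that refuses
# a change unless it carries a justification, an authorized approver who is not the
# requester, a passing staging test and a rollback plan, and records every decision
# in an audit log. Field names, approvers and the sample changes are constructed.
from datetime import datetime

REQUIRED = ("id", "title", "justification", "requested_by", "approved_by",
            "staging_test", "rollback_plan")

AUTHORIZED_APPROVERS = {"alice", "dana"}  # constructed change advisory roster

CHANGE_LOG = []  # append-only audit trail of gate decisions


def gate_change(cr, approvers=AUTHORIZED_APPROVERS):
    """Return the list of reasons the change must not proceed (empty = allowed)."""
    problems = [f"missing {f}" for f in REQUIRED if not cr.get(f)]
    approver, requester = cr.get("approved_by"), cr.get("requested_by")
    if approver and approver not in approvers:
        problems.append("approver not authorized")
    if approver and approver == requester:
        problems.append("requester cannot approve own change")
    test = cr.get("staging_test") or {}
    if test and test.get("result") != "pass":
        problems.append("staging test did not pass")
    return problems


def record_decision(cr, at=None, approvers=AUTHORIZED_APPROVERS):
    """Evaluate the gate and write who/what/why/outcome to the change log (CC 8.3)."""
    problems = gate_change(cr, approvers)
    entry = {"change": cr.get("id"), "title": cr.get("title"),
             "requested_by": cr.get("requested_by"), "approved_by": cr.get("approved_by"),
             "why": cr.get("justification"), "at": (at or datetime.now()).isoformat(),
             "decision": "deploy" if not problems else "reject", "problems": problems}
    CHANGE_LOG.append(entry)
    return entry


# Constructed sample change requests.
GOOD_CHANGE = {
    "id": "CHG-101", "title": "Rotate TLS certificate",
    "justification": "current certificate expires 2025-05-01",
    "requested_by": "bob", "approved_by": "alice",
    "staging_test": {"result": "pass", "checks": ["functional", "dependency scan"]},
    "rollback_plan": "redeploy previous certificate bundle from the secrets store",
}
BAD_CHANGE = {
    "id": "CHG-102", "title": "Open inbound port on production firewall",
    "justification": "", "requested_by": "bob", "approved_by": "bob",
    "staging_test": {"result": "fail", "checks": ["functional"]},
    "rollback_plan": "",
}

if __name__ == "__main__":
    for cr in (GOOD_CHANGE, BAD_CHANGE):
        e = record_decision(cr)
        print(f"{e['change']}: {e['decision']} {e['problems']}")
```

The separation-of-duties check (requester may not approve) and the explicit rollback requirement are the two items most often missing from home-grown change processes, and both are cheap to enforce in code before a deploy pipeline runs.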

9. CC9: Risk Mitigation

Everything comes full circle here. After identifying and analyzing your risks, you’ve got to actively reduce them—and prep for the worst.

CC 9.1: Identification of Business Continuity Risks

Disasters don’t send warnings. Understand what could truly disrupt your business—from cyberattacks to power outages.

Here’s what to do: Run a business impact analysis (BIA). Identify critical systems, single points of failure, and worst-case scenarios.

CC 9.2: Business Continuity Planning

Planning isn’t optional—it’s survival. A BC/DR plan ensures your business can bounce back fast.

Here’s what to do: Create documented continuity plans with RTOs/RPOs, communication flows, and recovery procedures for each key area.

CC 9.3: Testing Business Continuity Plans

If you never test it, don’t expect it to work. Regular drills show you what’s working—and what’s not.

Here’s what to do: Schedule continuity drills at least once a year. Track results, flag gaps, and update your plans accordingly.
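The RTO/RPO targets from CC 9.2, the drill cadence from CC 9.3 and the "test your restore process" advice from CC 5.4 can be checked mechanically. This added example (not code from the original article) compares each system's backup interval and latest drill result against its targets and flags the gaps; the systems, targets, intervals and drill figures are constructed, and the one-year maximum drill age is an assumption you should set to your own policy.

```python
# Added example, not from the original article: checks each critical system's backup
# cadence and latest drill result against its RTO/RPO targets and drill schedule.
# Systems, targets and drill figures are constructed for illustration.
from datetime import date, timedelta

SYSTEMS = {
    "customer-db": {"rto_min": 60, "rpo_min": 15, "backup_interval_min": 10,
                    "last_drill": {"on": date(2025, 3, 12), "restore_min": 45, "data_loss_min": 10}},
    "billing": {"rto_min": 240, "rpo_min": 60, "backup_interval_min": 120,
                "last_drill": {"on": date(2024, 2, 1), "restore_min": 300, "data_loss_min": 120}},
    "wiki": {"rto_min": 1440, "rpo_min": 1440, "backup_interval_min": 1440, "last_drill": None},
}


def assess_system(s, today, max_drill_age=timedelta(days=365)):
    """Gaps between what the plan promises (RTO/RPO) and what backups and drills show."""
    gaps = []
    # A backup taken less often than the RPO cannot meet the RPO even on a perfect restore.
    if s["backup_interval_min"] > s["rpo_min"]:
        gaps.append(f"backup interval {s['backup_interval_min']}m exceeds RPO {s['rpo_min']}m")
    drill = s["last_drill"]
    if drill is None:
        gaps.append("no continuity drill on record")
        return gaps
    if today - drill["on"] > max_drill_age:
        gaps.append(f"last drill on {drill['on']} is older than {max_drill_age.days} days")
    if drill["restore_min"] > s["rto_min"]:
        gaps.append(f"drill restore took {drill['restore_min']}m, RTO is {s['rto_min']}m")
    if drill["data_loss_min"] > s["rpo_min"]:
        gaps.append(f"drill lost {drill['data_loss_min']}m of data, RPO is {s['rpo_min']}m")
    return gaps


def assess(systems=SYSTEMS, today=None):
    """Map each system to its list of gaps; `today` may be a date or an ISO string."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    return {name: assess_system(s, today) for name, s in systems.items()}


def systems_at_risk(systems=SYSTEMS, today=None):
    """Systems whose plan is not currently backed by evidence."""
    return sorted(name for name, gaps in assess(systems, today).items() if gaps)


if __name__ == "__main__":
    for name, gaps in assess(today="2025-04-17").items():
        print(name, "OK" if not gaps else "")
        for g in gaps:
            print("  -", g)
```

Run on the sample data, the customer database passes on every check, the billing system fails all four (backups too infrequent for its RPO, a stale drill, and a drill that missed both RTO and RPO), and the wiki has never been drilled at all. Those lists are what you bring to the plan review the article recommends.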

Implementing Security TSC Controls in Your Organization

Knowing the Security Trust Service Criteria (TSC) is one thing—applying them to your day-to-day operations is where the magic (and the real work) happens.

This section walks you through how to bring the Common Criteria to life inside your organization—by figuring out what controls you need, mapping them correctly, and making sure they stand up to auditor scrutiny.

Figure Out the Controls You Need

Before you start ticking boxes, take a step back. What does your organization actually need to stay secure and meet SOC 2 expectations?

Start by reviewing your existing processes, technologies, and policies. Look for gaps—are there areas where access isn’t tightly controlled? Is your incident response plan still theoretical? Are backups actually tested?

Here’s what to do: Run an internal gap assessment against the Common Criteria. Prioritize the high-risk areas first, then build or update controls accordingly. These could be technical (like firewalls or MFA), administrative (like security policies), or physical (like server room locks).

Pro tip: Don’t reinvent the wheel. Use what's already working and fine-tune it for compliance.

Map Controls to Criteria

Each Common Criterion comes with a purpose—your job is to show how your controls support that purpose. This is the core of SOC 2 readiness.

Here’s what to do: Go through each CC and document the specific controls you've put in place. Make it super clear and easy to follow.

For example:

  • CC 5.1 – Logical Access Controls: Implemented SSO with role-based access reviews every quarter.

  • CC 7.1 – Incident Response: Built a documented IR runbook and hooked up real-time alerting via SIEM.

  • CC 9.2 – Business Continuity Planning: Launched a BC/DR strategy with scheduled recovery drills every 3 months.
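The mapping above, and the evidence-collection step that follows it, can be kept in a small structured file and checked automatically. This added example (not code from the original article) builds the control-to-criteria map, renders it as the mapping table you would hand to an auditor, and flags two readiness gaps: criteria with no supporting control, and controls with no evidence attached. The criteria descriptions are shortened from this article's own headings; the control ids, names and evidence file names are constructed.

```python
# Added example, not from the original article: a control-to-criteria map that
# renders the mapping table and flags criteria with no supporting control and
# controls with no evidence attached. Criteria descriptions are shortened from the
# article's headings; control ids, names and evidence file names are constructed.
CRITERIA = {
    "CC 5.1": "Logical and physical access controls",
    "CC 6.1": "Access restriction and management",
    "CC 6.2": "User authentication and authorization",
    "CC 7.1": "Incident response",
    "CC 9.2": "Business continuity planning",
    "CC 9.3": "Testing business continuity plans",
}

CONTROLS = [
    {"id": "CTL-01", "name": "SSO with quarterly role-based access reviews",
     "criteria": ["CC 5.1", "CC 6.1"], "evidence": ["access-review-2025Q1.pdf"]},
    {"id": "CTL-02", "name": "Documented IR runbook with SIEM alerting",
     "criteria": ["CC 7.1"], "evidence": []},
    {"id": "CTL-03", "name": "BC/DR plan with recovery drills every 3 months",
     "criteria": ["CC 9.2", "CC 9.3"], "evidence": ["drill-2025-03.md", "bcdr-plan-v4.pdf"]},
]


def map_controls(criteria, controls):
    """criterion id -> list of control ids that claim to satisfy it."""
    mapping = {cid: [] for cid in criteria}
    for c in controls:
        for cid in c["criteria"]:
            if cid not in mapping:
                raise ValueError(f"{c['id']} references unknown criterion {cid}")
            mapping[cid].append(c["id"])
    return mapping


def unmapped_criteria(criteria, controls):
    """Criteria the audit will ask about that no control currently covers."""
    return [cid for cid, ids in map_controls(criteria, controls).items() if not ids]


def controls_without_evidence(controls):
    """Controls that are documented but cannot yet be shown to operate."""
    return [c["id"] for c in controls if not c["evidence"]]


def mapping_table(criteria, controls):
    """Markdown rows an auditor can read: criterion, description, controls, evidence count."""
    by_id = {c["id"]: c for c in controls}
    rows = ["| Criterion | Description | Controls | Evidence items |", "|---|---|---|---|"]
    for cid, ids in map_controls(criteria, controls).items():
        ev = sum(len(by_id[i]["evidence"]) for i in ids)
        rows.append(f"| {cid} | {criteria[cid]} | {', '.join(ids) or '(none)'} | {ev} |")
    return rows


def readiness_report(criteria=CRITERIA, controls=CONTROLS):
    return {"unmapped": unmapped_criteria(criteria, controls),
            "no_evidence": controls_without_evidence(controls),
            "table": mapping_table(criteria, controls)}


if __name__ == "__main__":
    report = readiness_report()
    print("\n".join(report["table"]))
    print("Unmapped criteria:", report["unmapped"])
    print("Controls without evidence:", report["no_evidence"])
```

In the sample, CC 6.2 has no control mapped to it and CTL-02 has no evidence yet, which are the two questions an auditor would otherwise be the first to raise. Keeping the map as data also means the table is regenerated rather than hand-edited whenever a control or an evidence file changes.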

Get the Auditor to Test Your Controls

Understanding and implementing controls is great—but now it’s time to prove they actually work. That’s where control testing comes in.

Here’s what to do: Prepare for your SOC 2 audit by collecting evidence that your controls are not just documented, but operational. This could be access logs, screenshots, policy documents, drill results, or tickets showing incident handling in action.

Work with your auditor to walk them through each control. Be transparent, stay organized, and have your control mapping table handy—it’ll make their job easier, and your audit smoother.

Pro tip: The more clearly you can tie your controls to the Common Criteria, the less back-and-forth you'll have during the audit process.

Conclusion

Let’s bring it all together.

The Security Trust Service Criteria (TSC) is the core of SOC 2—and the Common Criteria (CC1 to CC9) are the structured playbook that helps you turn big security goals into real, actionable steps. Whether it’s defining responsibilities, managing risk, locking down access, or preparing for a disaster, each CC contributes to a stronger, more resilient security posture.

But here’s the bigger picture:

Security isn’t just about checking boxes or avoiding fines—it’s about showing your customers, partners, and stakeholders that you actually care about protecting their data. That you’ve built systems they can trust.

So what should you do next?

Don’t wait until an auditor shows up or a breach puts you on the defensive. Start now. Build a proactive culture of compliance with clear controls, ongoing monitoring, and responsibilities that don’t fall through the cracks.

Need help making it all easier? Tools like ComplyJet can guide you through every step—mapping your controls, running readiness checks, and keeping you on track with minimal stress.

Because in today’s world, being secure isn’t enough. You’ve got to be proven secure. And the Security TSC is how you get there.