SOC2 Common Criteria
| Trust Principle | Common Criteria | # | COSO Principle | Control Description | Company Controls | Control Status | Notes | Evidence |
|---|---|---|---|---|---|---|---|---|
| Common | 1.0 – Control Environment | CC1.1 | 1 | The entity demonstrates a commitment to integrity and ethical values. | AC-01 Company has established an Access Management Policy to define the implementation of access controls. | | | |
| Common | 1.0 – Control Environment | CC1.2 | 2 | The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. | | | | |
| Common | 2.0 – Information and Communication | CC2.1 | 13 | The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. | | | | |
| Common | 3.0 – Common Criteria Related to Risk Assessment | CC3.1 | 6 | The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | | | | |
| Common | 3.0 – Common Criteria Related to Risk Assessment | CC3.2 | 7 | The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | | | | |
| Common | 3.0 – Common Criteria Related to Risk Assessment | CC3.3 | 8 | The entity considers the potential for fraud in assessing risks to the achievement of objectives. | | | | |
| Common | 3.0 – Common Criteria Related to Risk Assessment | CC3.4 | 9 | The entity identifies and assesses changes that could significantly impact the system of internal control. | | | | |
| Common | 1.0 – Control Environment | CC1.3 | 3 | Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. | | | | |
| Common | 4.0 – Common Criteria Related to Monitoring Activities | CC4.1 | 16 | The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. | | | | |
| Common | 5.0 – Common Criteria Related to Control Activities | CC5.1 | 10 | The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | | | | |
| Common | 6.0 – Common Criteria Related to Logical and Physical Access | CC6.1 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. | | | | |
| Common | 7.0 – Common Criteria Related to System Operations | CC7.1 | | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. | | | | |
| Common | 8.0 – Common Criteria Related to Change Management | CC8.1 | | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. | | | | |
| Common | 9.0 – Common Criteria Related to Risk Mitigation | CC9.1 | | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. | | | | |
| Common | 9.0 – Common Criteria Related to Risk Mitigation | CC9.2 | | The entity assesses and manages risks associated with vendors and business partners. | | | | |
| Common | 1.0 – Control Environment | CC1.4 | 4 | The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | | | | |
| Common | 1.0 – Control Environment | CC1.5 | 5 | The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | | | | |
| Common | 2.0 – Information and Communication | CC2.2 | 14 | The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. | | | | |
| Common | 2.0 – Information and Communication | CC2.3 | 15 | The entity communicates with external parties regarding matters affecting the functioning of internal control. | | | | |
| Common | 4.0 – Common Criteria Related to Monitoring Activities | CC4.2 | 17 | The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. | | | | |
| Common | 5.0 – Common Criteria Related to Control Activities | CC5.2 | 11 | The entity also selects and develops general control activities over technology to support the achievement of objectives. | | | | |
| Common | 5.0 – Common Criteria Related to Control Activities | CC5.3 | 12 | The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. | | | | |
| Common | 6.0 – Common Criteria Related to Logical and Physical Access | CC6.2 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. | | | | |
| Common | 6.0 – Common Criteria Related to Logical and Physical Access | CC6.3 | | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. | | | | |
| Common | 6.0 – Common Criteria Related to Logical and Physical Access | CC6.4 | | The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. | | | | |
| Common | 6.0 – Common Criteria Related to Logical and Physical Access | CC6.5 | | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. | | | | |
| Common | 6.0 – Common Criteria Related to Logical and Physical Access | CC6.6 | | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. | | | | |
| Common | 6.0 – Common Criteria Related to Logical and Physical Access | CC6.7 | | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. | | | | |
| Common | 6.0 – Common Criteria Related to Logical and Physical Access | CC6.8 | | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. | | | | |
| Common | 7.0 – Common Criteria Related to System Operations | CC7.2 | | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. | | | | |
| Common | 7.0 – Common Criteria Related to System Operations | CC7.3 | | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. | | | | |
| Common | 7.0 – Common Criteria Related to System Operations | CC7.4 | | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. | | | | |
| Common | 7.0 – Common Criteria Related to System Operations | CC7.5 | | The entity identifies, develops, and implements activities to recover from identified security incidents. | | | | |
| Availability | A1 – Availability | A1.1 | | The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. | | | | |
| Availability | A1 – Availability | A1.2 | | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. | | | | |
| Confidentiality | C1 – Confidentiality | C1.1 | | The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. | | | | |
| Confidentiality | C1 – Confidentiality | C1.2 | | The entity disposes of confidential information to meet the entity’s objectives related to confidentiality. | | | | |
| Availability | A1 – Availability | A1.3 | | The entity tests recovery plan procedures supporting system recovery to meet its objectives. | | | | |