SOC 2 (AICPA Trust Services Criteria)
An attestation framework for service organizations based on five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. The Common Criteria (CC series) form the mandatory security baseline.
Who it applies to
Service organizations — especially SaaS and cloud providers — that store or process customer data and are asked to demonstrate security through an independent auditor's report. Driven by customer and procurement requirements rather than law.
CC1 Control Environment
CC6 Logical & Physical Access
- CC6.1 Logical access security controls
Logical access security software, infrastructure and architectures restrict access to protected information assets.
- CC6.6 Boundary protection
The entity implements controls to protect against threats from sources outside its system boundaries.
- CC6.7 Restricting data transmission
The entity restricts the transmission, movement and removal of information and protects it during transmission, including via encryption.
CC7 System Operations
- CC7.1 Vulnerability detection and monitoring
The entity uses detection and monitoring procedures to identify configuration changes and new vulnerabilities.
- CC7.2 Security event monitoring
The entity monitors system components for anomalies indicative of malicious acts, natural disasters and errors.