Service organizations pursue SOC reports to demonstrate to clients that their data is handled securely. SOC 2 reports specifically assess a company’s adherence to the five Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. These criteria, established by the American Institute of Certified Public Accountants (AICPA), form the foundation for SOC 2 controls that guide audit and reporting processes. Unlike a simple checklist, the TSC provides a framework that ensures organizations implement effective controls to protect client data.
SOC 2 Controls: List and Definitions
Unlike other regulatory frameworks, the Trust Services Criteria (TSC) does not provide a prescriptive SOC 2 controls list. Instead, it translates guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework into actionable criteria. Beyond the TSC, organizations typically implement four main categories of SOC 2 controls:
- Logical and Physical Access Controls – Manage who can access systems and sensitive data.
- System and Operations Controls – Ensure systems function reliably and as intended.
- Change Management Controls – Oversee modifications to systems, applications, and infrastructure.
- Risk Mitigation Controls – Identify, assess, and address risks to data and operations.
SOC 2 Logical and Physical Access Controls
The first category of SOC 2 controls focuses on logical and physical access. These controls safeguard sensitive data and the systems, networks, and devices where it is stored, transmitted, or processed. Service organizations must demonstrate robust measures, both physical and digital, to protect data privacy, integrity, and confidentiality.
Physical access controls may include securing workstations or restricting entry to areas housing private networks. On the logical side, a strong Identity and Access Management (IAM) program ensures that users only access files and systems appropriate to their role, reducing the risk of unauthorized data exposure.
SOC 2 System and Operations Controls
The second category of SOC 2 controls covers system and operations oversight. These controls evaluate the effectiveness and efficiency of an organization’s infrastructure and the ability to detect, analyze, and respond to operational deviations, both physical and digital.
A robust way to address these controls is through a Managed Detection and Response (MDR) program. MDR continuously monitors systems for irregularities and includes key components such as:
- Threat Detection – Identifies indicators of attacks or other security incidents.
- Incident Response – Provides protocols to stop and recover from attacks.
- Root Cause Analysis – Produces insights to improve future prevention strategies.
- Regulatory Compliance – Ensures responses meet applicable legal and industry requirements.
One major advantage of a comprehensive MDR program is the use of a centralized mitigation dashboard, which streamlines monitoring and decision-making for both security and operations teams.
SOC 2 Change Management Controls
The third category of SOC 2 controls focuses on change management, addressing evolving security requirements as organizations adopt new technologies and mature their systems. Service organizations must evaluate, implement, and track necessary changes promptly while preventing unauthorized or inappropriate modifications that could compromise data security or availability.
An effective approach to this control area is a patch monitoring program. Organizations can also conduct internal assessments or engage a Managed Security Services Provider (MSSP) to perform regular scans for vulnerabilities. Any identified gaps should be addressed immediately to maintain a secure and compliant environment.
SOC 2 Risk Mitigation Controls
The final category of SOC 2 controls focuses on risk mitigation, covering the processes for monitoring, identifying, analyzing, and preventing potential losses before they escalate into attacks or data breaches.
A highly effective approach for this control area is a Threat and Vulnerability Management (TVM) program. Like Managed Detection and Response (MDR), TVM emphasizes visibility into internal vulnerabilities that could be exploited by external threats. Another key element is Third-Party Risk Management (TPRM), which addresses risks across an organization’s network of vendors and strategic partners.
Trust Services Criteria (TSC) and SOC 2
While there is no single prescriptive SOC 2 controls list beyond the categories discussed above, the Trust Services Criteria (TSC) provides a framework of criteria used to assess an organization’s security controls. These criteria generally align with the 17 principles of the COSO framework, in addition to the control areas outlined earlier.
The TSC is organized into five main categories:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
In addition, the TSC includes supplemental criteria specific to each category, as well as common criteria that span all five areas, providing a comprehensive framework for evaluating SOC 2 controls.
Trust Services Category 1: Security
Within the Trust Services Criteria (TSC) framework, Security focuses on preventing unauthorized access, use, or disclosure of information across all systems. It also covers protecting systems from damage or changes that could affect data integrity or impact the other TSC categories.
Security is unique among the five categories because it does not have supplemental criteria; only the Common Criteria (CC series) apply. There are nine CC series in total, which apply across all TSC categories. The first five are:
- Control Environment (CC1)
- Communication and Information (CC2)
- Risk Assessment (CC3)
- Control Monitoring (CC4)
- Control Design and Implementation (CC5)
The remaining CC series (CC6–CC9) correspond to the four types of SOC 2 controls detailed in previous sections. For the other TSC categories, these common criteria work in conjunction with category-specific criteria to provide comprehensive coverage.
Trust Services Category 2: Availability
In the Trust Services Criteria (TSC) framework, Availability requires service organizations to ensure reliable access to information and systems used by their clients. The TSC does not mandate a specific uptime threshold. Instead, organizations must assess their operational and usability needs and design SOC 2 controls to meet or exceed those requirements.
The Common Criteria (CC series) apply to the Availability category, along with the A series criteria, which provide standards for measuring system performance and usage across all components. These criteria help organizations set measurable thresholds based on captured data, ensuring systems remain accessible and functional.
Trust Services Category 3: Processing Integrity
Within the Trust Services Criteria (TSC) framework, Processing Integrity ensures that service organizations implement SOC 2 controls to guarantee all system processing operates as intended.
Key measures for maintaining processing integrity include:
- Completeness – All data and transactions are fully captured and processed.
- Validity and Accuracy – Processes comply with legal requirements and industry standards.
- Proper Authorization – Only authenticated and approved sources can initiate actions.
- Timeliness – Processing occurs within expected timeframes and meets reasonable operational expectations.
The Common Criteria (CC series) apply to this category, alongside the PI series criteria, which provide additional standards specific to processing integrity.
Trust Services Category 4: Confidentiality
Within the Trust Services Criteria (TSC) framework, Confidentiality focuses on protecting information critical to both the service organization and its clients. A key distinction is that Personally Identifiable Information (PII) generally falls under the Privacy category rather than Confidentiality.
For Confidentiality, criteria assess how effectively an organization implements SOC 2 controls to safeguard sensitive information from unauthorized access, use, or disclosure. These protections encompass the collection, retention, and disposal of all critical data.
The Common Criteria (CC series) apply to this category, along with the C series criteria, which provide additional guidance specific to maintaining confidentiality.
Trust Services Category 5: Privacy
Within the Trust Services Criteria (TSC) framework, Privacy focuses specifically on personal information and Personally Identifiable Information (PII). Similar to Confidentiality, it requires organizations to implement SOC 2 controls that govern all uses and disclosures of personal data.
The Common Criteria (CC series) apply to this category, alongside the P series criteria, which include:
- Communication of Objectives and Notices – Clearly informing data subjects about privacy goals.
- Communication of Choices and Consent Guarantees – Ensuring individuals can provide informed consent.
- Safe Collection of Personal Information – Collecting only necessary data securely.
- Limitations on Data Use, Retention, and Disposal – Enforcing rules for handling personal data responsibly.
- Guaranteed Access to Data for Data Subjects – Allowing individuals to view or obtain their personal data.
- Disclosure upon Request and Breach Notification – Providing transparency in cases of access requests or breaches.
- Guaranteed Quality and Up-to-Date Accuracy – Maintaining accurate and current personal information.
- Continuous Privacy Monitoring and Enforcement – Regularly auditing and enforcing privacy policies.
Some information may fall under both Confidentiality and Privacy controls, depending on its nature and sensitivity.
SOC 2 Compliance and Reporting
SOC 2 controls form the basis for the reports that service organizations generate to demonstrate their security posture. SOC Type 1 reports evaluate the design of security controls at a specific point in time, while SOC Type 2 reports assess their operational effectiveness over a defined period. There is no prescriptive SOC 2 Type 2 controls list; instead, the Trust Services Criteria (TSC) provides the framework for measuring an organization’s controls.
When answering the question, “What are SOC 2 controls?” the four primary areas, beyond the adapted COSO framework, include:
- Logical and Physical Access Controls
- System and Operations Controls
- Change Management Controls
- Risk Mitigation Controls
RSI Security’s SOC compliance services help organizations implement and maintain effective SOC 2 controls across all areas, ensuring optimal protection for client data. To begin your SOC 2 Type 1 or Type 2 journey, contact RSI Security today.