If you’re preparing for SOC 2, the first and most important step is understanding the Common Criteria. These criteria form the core of SOC 2 and are included in every audit, no matter which Trust Services Categories you select.
Yet here’s the truth:
Most teams begin their SOC 2 journey without fully understanding what the Common Criteria require… and they end up in last-minute fire drills, missing evidence, and delayed audits.
What Are the SOC 2 Common Criteria?
SOC 2 is built on the AICPA Trust Services Criteria (TSC).
The Security category is mandatory, and within it live the Common Criteria (CC1–CC5), the baseline controls auditors expect every organization to have.
These criteria evaluate your ability to:
- Protect customer data
- Manage risk
- Maintain operational integrity
- Monitor and enforce controls
Let’s explore each one.
CC1: Control Environment
The Control Environment defines how your organization manages governance, responsibility, and culture around security.
Auditors look for:
- A clear organizational structure
- Documented roles and responsibilities
- Code of conduct or ethics policies
- Leadership commitment to security
This is where your security program begins; if CC1 is weak, everything else is too.
CC2: Communication & Information
This criterion ensures information flows effectively throughout your company.
SOC 2 requires you to:
- Document and distribute security policies
- Train employees consistently
- Communicate system changes
- Maintain reliable channels for reporting incidents
Your ability to keep people informed directly impacts your ability to stay secure.
CC3: Risk Assessment
Risk Assessment is the foundation of proactive security.
Auditors expect:
- A documented risk assessment process
- Identification of internal and external risks
- Defined threat evaluation methods
- Clear mitigation strategies
SOC 2 wants to see that you manage risk before it becomes a problem.
CC4: Monitoring of Controls
Monitoring ensures your controls are working, not just existing.
This includes:
- Internal audits
- Continuous monitoring tools
- Alerting and logging
- Issue detection and remediation
SOC 2 rewards organizations that can prove ongoing oversight, not one-time fixes.
CC5: Control Activities
This is where the actual security measures live: the technical backbone of your SOC 2 posture.
Examples include:
- Access controls
- MFA
- Change management
- Secure configurations
- Vendor risk management
- Patch management
Auditors expect these controls to be enforced consistently and documented clearly.
Why the SOC 2 Common Criteria Matter
Failing to meet the Common Criteria leads to:
- Delayed audits
- Remediation cycles
- Missing evidence
- Increased cost and frustration
Understanding these requirements early helps teams:
- Build controls correctly
- Reduce audit prep time
- Improve security posture
- Maintain long-term compliance
Make SOC 2 Simple With ZeroTB
SOC 2 doesn’t have to be overwhelming.
ZeroTB automates evidence collection, maps controls to criteria, and guides you step by step through every Common Criterion, so you stay audit-ready year-round.
Start your ZeroTB account for free and reduce your SOC 2 prep time dramatically.