The Common Criteria (CC) under the SOC 2 Trust Services Criteria evaluate whether your organization's control environment, governance structures, and oversight mechanisms enable security and operational controls to operate reliably over time. This isn't about whether controls are merely designed on paper; it's about proving they're trustworthy, repeatable, and auditable in practice.
In the ECIL, Common Criteria represent the assurance backbone of your entire compliance program. If Common Criteria fail, all other SOC 2 domains (Security, Availability, Processing Integrity, Confidentiality, and Privacy) lose their credibility. Without a strong control environment, your SOC 2 report becomes meaningless.
The Purpose of Common Criteria in SOC 2
What Common Criteria Ensure
Common Criteria establish the foundation for trustworthy control operations. They ensure that controls have clear ownership and accountability, risks are identified and addressed systematically, controls operate consistently rather than on an ad hoc basis, and exceptions or failures are detected and corrected promptly.
SOC 2 auditors evaluate how well your organization governs control execution, not just whether control documentation exists in a policy manual somewhere. The difference between designed controls and operating controls is what separates SOC 2 Type I from Type II assessments.
The Governance Question
At its core, Common Criteria answer a fundamental question: Can your organization be trusted to operate controls reliably over time? This requires demonstrating sustained capability, not point-in-time compliance.
The control environment encompasses everything from tone at the top and ethical standards to monitoring activities and deficiency management. It's the organizational infrastructure that makes security controls effective and sustainable.
CC1: Governance & Control Ownership
- Management Commitment: Leadership demonstrates active commitment to security and compliance through resource allocation, policy approval, and regular engagement with control performance metrics.
- Control Ownership: Every control has a clearly defined owner with documented responsibility for implementation, operation, monitoring, and remediation of deficiencies.
- Ethical Standards: The organization establishes and maintains ethical standards and tone at the top that reinforce the importance of integrity in control execution.
- Reporting Lines: Clear reporting structures and escalation paths ensure issues impacting control effectiveness reach appropriate management levels for resolution.
Without ownership, controls degrade silently. The CC1 capability area examines whether your organization has a sound control environment where accountability is clear and sustained.
CC3: Risk Assessment
This capability area focuses on whether risks are systematically identified and translated into appropriate controls. SOC 2 auditors expect to see a formal, documented risk assessment process that identifies risks affecting system objectives, demonstrates clear alignment between identified risks and control design, and includes periodic reassessment as business conditions, threats, or system configurations change.
Controls without risk alignment lack assurance value. A control that doesn't address an identified risk (or, worse, a risk that has no corresponding control) represents a fundamental gap in your control environment. Your risk assessment must be a living process, not an annual checkbox exercise.
Effective risk assessment under CC3 requires cross-functional participation, regular updates reflecting changes in the threat landscape, documented risk acceptance decisions for risks without full mitigation, and clear traceability from risks to controls to evidence.
Four Key Elements: formal process, risk identification, control alignment, periodic review.
1. Controls are executed consistently across all relevant systems, processes, and time periods covered by the SOC 2 examination period.
2. Operational Integration: Controls are integrated into daily operations rather than treated as separate compliance activities performed only when audits approach.
3. Performance Evidence: The organization maintains evidence demonstrating control performance over time, not just control design documentation.
4. Deviation Handling: Procedures exist for identifying, documenting, and addressing control deviations or exceptions in a timely manner.
SOC 2 Type II examinations test operation over time, typically covering a 6- to 12-month period. Point-in-time design documentation is insufficient. Auditors will sample control evidence throughout the examination period to verify consistent operation.
CC5: Monitoring & Remediation
This capability area examines whether control performance is actively monitored and deficiencies are corrected. Unmonitored controls eventually fail; it's not a question of if, but when. Effective monitoring under CC5 includes ongoing assessment of control effectiveness through automated monitoring where possible, manual reviews where automation isn't feasible, and management oversight of control performance metrics.
1. Ongoing Monitoring: Continuous or periodic monitoring of control effectiveness through automated tools, manual reviews, or both.
2. Deficiency Identification: Systematic identification of control deficiencies and root cause analysis to prevent recurrence.
3. Timely Remediation: Prompt remediation of identified control gaps with defined timelines based on risk severity.
4. Management Review: Regular management review of unresolved issues and remediation progress tracking.
Your monitoring program must demonstrate that deficiencies are not just identified but actually resolved. Auditors will examine your deficiency tracking system, remediation timelines, and evidence of completed corrective actions.
CC2: Information & Communication
This capability area focuses on whether information flows support effective control operation. Poor communication undermines otherwise strong controls. If control owners don't understand their responsibilities, if teams can't coordinate control activities, or if issues affecting assurance never reach decision-makers, your control environment is fundamentally compromised.
Effective information and communication under CC2 requires clear communication of control responsibilities to all relevant personnel, availability of accurate and timely information needed to execute controls, effective coordination between teams operating related controls, and reliable escalation mechanisms for issues impacting assurance.
- Control Responsibilities: Clear documentation and communication of who owns and operates each control.
- Information Quality: Accurate, complete, and timely data available to support control execution.
- Team Coordination: Effective communication channels between groups operating interdependent controls.
- Issue Escalation: Documented processes for escalating control failures or deficiencies.
Change is a primary source of control failure. This capability area evaluates whether changes to systems, processes, or organizational structures preserve control effectiveness. Every change, whether to infrastructure, applications, procedures, or personnel, has the potential to break previously effective controls.
1. Change Governance: Formal governance processes for changes affecting controls, including approval requirements and risk assessments.
2. Impact Assessment: Evaluation of change impact on control effectiveness and overall assurance posture before implementation.
3. Post-Change Validation: Testing and validation of controls after changes to verify they still operate as designed.
4. Control Documentation: Updates to control descriptions, procedures, and evidence requirements reflecting implemented changes.
Your change management process must explicitly consider control impact. This includes changes to IT systems, business processes, organizational structure, key personnel, and third-party service providers. Auditors will examine whether your change management process identifies controls affected by changes and validates their continued effectiveness post-implementation.
Common Criteria Across SOC 2 Trust Service Criteria
Common Criteria serve as the foundation for all five SOC 2 Trust Service Criteria. Without a strong control environment, none of the specific security, availability, processing integrity, confidentiality, or privacy controls can be relied upon.
- Security: CC ownership and monitoring enable reliable security controls.
- Availability: CC-driven resilience governance ensures system availability.
- Processing Integrity: CC-backed change control maintains processing accuracy.
- Confidentiality: CC accountability frameworks protect sensitive information.
- Privacy: CC governance ensures privacy control effectiveness.
Think of Common Criteria as the organizational immune system for your compliance program. When CC is strong, all other controls function reliably. When CC is weak, even well-designed technical controls will fail over time.
Evidence supporting Common Criteria must demonstrate sustained control operation throughout the examination period. Auditors assess confidence in the control environment, not isolated artifacts or point-in-time snapshots.
Representative Evidence Types
- Control descriptions with ownership assignments documented in policies or responsibility matrices
- Risk assessments including initial assessments and periodic updates reflecting changes
- Control execution records over time showing consistent operation during the examination period
- Monitoring reports demonstrating ongoing assessment of control effectiveness
- Remediation tracking showing deficiency identification, root cause analysis, and corrective actions
- Management review documentation including minutes, dashboards, and escalation records
What Auditors Look For
SOC 2 auditors are evaluating whether your control environment is robust enough to maintain control effectiveness over time. They expect to see consistency across the examination period, integration of controls into normal operations rather than separate compliance activities, and timely identification and remediation of control deficiencies.
Strong Common Criteria evidence tells a story of organizational discipline and control maturity. It shows that controls are owned, monitored, maintained, and improved, not just documented and forgotten.
1. Controls are assigned owners "on paper" but those individuals lack authority, resources, or understanding of their responsibilities. The ownership exists in documentation but not in practice.
2. Disconnected Risk Assessment: Risks are identified in annual risk assessments but never translated into actual controls or control improvements. The risk register becomes a compliance artifact disconnected from real security operations.
3. Inconsistent Execution: Controls are executed sporadically, performed when audits are approaching but neglected during normal operations. Evidence gaps appear throughout the examination period.
4. Known but Unaddressed Deficiencies: Control deficiencies are identified through monitoring or self-assessment but remain unremediated for extended periods. The organization knows controls are failing but doesn't fix them.
These failure patterns undermine assurance credibility across all SOC 2 domains. An auditor who discovers inconsistent control operation in Common Criteria will naturally question the reliability of all other controls.
This page provides a comprehensive overview of SOC 2 Common Criteria to help you build and maintain a strong control environment. Use this resource to assess your organization's readiness for SOC 2 Type I and Type II examinations, strengthen control ownership and monitoring activities, align governance structures with assurance expectations, and explain audit findings to management in clear business terms.
- Assess Readiness: Evaluate your control environment against Common Criteria requirements before engaging auditors.
- Strengthen Controls: Identify gaps in ownership, monitoring, or communication and develop remediation plans.
- Align Governance: Ensure your governance structures support sustained control operation and assurance objectives.
- Explain to Leadership: Translate audit findings and Common Criteria requirements into business terms for executives.
The Core SOC 2 Question: Common Criteria answer the fundamental question that underlies every SOC 2 examination: "Can this organization be trusted to operate controls reliably over time?" Your control environment is the foundation that makes your answer credible.