SOC 2 Controls List: How to Map Controls to Trust Services Criteria
Learn to align your SOC 2 controls list with the 5 Trust Services Criteria.

The SOC 2 framework isn't a static checklist; it is built around the five Trust Services Criteria (TSC).
Controls are the specific policies, procedures, and systems put in place to satisfy the TSC. Think of the TSC as what you need to achieve and the controls as how you achieve it.
For example, a requirement might be “restrict physical access to sensitive data.” Your control would be “requiring keycard access for the server room.”
Because SOC 2 isn’t one-size-fits-all, the SOC 2 controls list will be unique to your organization’s specific risks and tech stack. This guide breaks down the core categories of SOC 2 controls, how they map to the criteria, and the service organization controls you may need to implement.
What are SOC 2 Controls?
The AICPA TSC forms the foundation of SOC 2. There are five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The SOC 2 controls are the policies, processes and systems a service organization puts in place to protect sensitive customer data and to protect against unauthorized access.
Unlike other security frameworks, there’s no set list of SOC 2 controls. The controls your business implements depend entirely on which of the Trust Services Criteria you’ve chosen: only Security is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy can be added depending on the unique needs of your organization.
Common examples of SOC 2 controls include: role-based access, multi-factor authentication (MFA), security monitoring and logging, and backup and recovery processes.
How to Decide Which Controls to Implement
Unlike more prescriptive frameworks, implementing SOC 2 controls doesn’t mean downloading a huge list of controls and ticking each one off. Instead, SOC 2 is a report on the controls you decide are relevant to your business. Your goal isn't to implement every possible control; it's to understand the Trust Services Criteria and align their requirements with controls that mitigate the specific risks facing your business.
Here’s how you can identify and implement the right controls for your business:
Understand the TSC
The AICPA defines five Trust Services Criteria, but you don’t need to meet all of them; only Security (known as the Common Criteria) must be included in every SOC 2 audit. So the first step is to review the TSC and figure out which of the criteria apply to your business.
- Security (Common Criteria): Mandatory. This covers access control, firewalls, and incident response. Every SOC 2 report includes this.
- Availability: Recommended if you have SLAs regarding uptime (e.g., SaaS platforms).
- Confidentiality: Recommended if you execute NDAs or handle sensitive IP.
- Processing Integrity: Necessary if you process financial transactions or data analytics where accuracy is paramount.
- Privacy: Necessary if you handle PII directly (usually required for B2C or HealthTech).
Define Your Scope
Next, you need to define the boundaries of your audit. If you don't scope correctly, you will end up trying to secure assets that have nothing to do with customer data.
Identify the People, Processes, and Technology that store, process, or transmit customer data.
- People: Who has access to the data? (e.g., Engineering, Support, HR).
- Processes: How does data move through your company? (e.g., code deployment, onboarding/offboarding).
- Technology: Where does the data live? (e.g., AWS, GCP, Slack, Jira).
Map Controls Based on Applicability and Risk
Once you have your scope and criteria, you need to determine how you will meet those criteria. This is where mapping happens. For example, if a criterion requires "protection against unauthorized access," you might map that to:
- Enforcing MFA on GitHub and Google Workspace.
- Implementing quarterly access reviews.
- Setting up screen-lock timeouts.
Trying to map hundreds of internal processes to abstract AICPA criteria via spreadsheets usually leads to gaps or over-controlling.
This is where Workstreet can help your organization with the scoping and mapping process. Our team starts with a comprehensive evaluation of your current security posture against SOC 2 requirements before building and documenting the security controls you need to meet SOC 2 requirements.
The SOC 2 Controls List
1. Control Environment (CC1)
This category establishes top-down security leadership, requiring a clear commitment to integrity and ethical behaviour. An auditor will look for evidence that senior management is actively involved in security oversight and that accountability is spread across the org chart.
2. Communication and Information (CC2)
Your security policies are only effective if they’re communicated clearly throughout your organization. So your policies and processes must be clearly written and communicated to every member of staff and third-party contractor.
3. Risk Assessment (CC3)
SOC 2 isn’t a one-and-done checklist; it requires that your organization regularly evaluates new risks from both internal and external threats and takes measures to counter them.
4. Monitoring Activities (CC4)
You cannot rely on controls that you do not check. This category involves tracking the performance of your security program over time to ensure it remains effective. It requires automated or manual processes that flag control failures and report those policy violations to stakeholders.
5. Logical and Physical Access Controls (CC6)
This is the digital and physical front door to your data. Logical access controls manage user credentials and system permissions, ensuring that employees only have access to the data necessary for their specific roles (the principle of least privilege).
6. System and Operations Controls (CC7)
This category requires you to log security disruptions and actively monitor all systems for anomalies. But detection is only half the battle; you also need clear, documented processes for addressing those alerts through a defined Incident Response Plan. To meet this standard effectively, you should regularly test your recovery times to see how quickly you can return to normal operations following an event.
7. Change Management Controls (CC8)
Change management requires documented approvals for all code or system changes, ensuring that no single person can push code to production without peer review (known as separation of duties). In many cases, this means you’ll need a system of record that tracks every change and who designed, implemented, tested, and approved it.
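A separation-of-duties check over change records, as an added example (not code from the article or from Workstreet). It assumes a change-tracking system can export one record per production change with the hypothetical fields below; the field names and the sample records are constructed for illustration. The check flags the failures an auditor would ask about: no reviewer, the author reviewing or approving their own change, and missing test or approval evidence.

```python
"""Separation-of-duties check over exported change records.

Added example, not the article's own code. Assumes a change-tracking
export with the (hypothetical) fields in REQUIRED_FIELDS; sample data
is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Fields every change record must carry before it counts as evidence.
REQUIRED_FIELDS = ("change_id", "author", "reviewers", "tester",
                   "approver", "tested", "approved")


@dataclass(frozen=True)
class Finding:
    change_id: str
    issue: str


def check_change(rec: dict) -> list[Finding]:
    """Return the control failures for one change record (empty if clean)."""
    cid = str(rec.get("change_id", "<no id>"))
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        # An incomplete record cannot be evaluated; report it rather than guess.
        return [Finding(cid, f"missing field(s): {', '.join(missing)}")]

    findings: list[Finding] = []
    author = rec["author"]
    reviewers = set(rec["reviewers"])

    if not reviewers:
        findings.append(Finding(cid, "no peer review recorded"))
    if author in reviewers:
        findings.append(Finding(cid, "author counted as their own reviewer"))
    if rec["approver"] == author:
        findings.append(Finding(cid, "author approved their own change"))
    if not rec["tested"]:
        findings.append(Finding(cid, "no test evidence recorded"))
    if not rec["approved"]:
        findings.append(Finding(cid, "deployed without approval"))
    return findings


def audit_changes(records: list[dict]) -> dict[str, list[str]]:
    """Map change_id -> list of issues, listing only changes that failed."""
    report: dict[str, list[str]] = {}
    for rec in records:
        issues = check_change(rec)
        if issues:
            report[issues[0].change_id] = [i.issue for i in issues]
    return report


# Constructed sample export: one clean change, one self-approved, one incomplete.
SAMPLE_CHANGES = [
    {"change_id": "CHG-101", "author": "alice", "reviewers": ["bob"],
     "tester": "carol", "approver": "dave", "tested": True, "approved": True},
    {"change_id": "CHG-102", "author": "bob", "reviewers": ["bob"],
     "tester": "bob", "approver": "bob", "tested": True, "approved": True},
    {"change_id": "CHG-103", "author": "erin", "reviewers": ["frank"],
     "tester": "gina", "tested": False, "approved": False},  # approver missing
]

if __name__ == "__main__":
    for cid, issues in audit_changes(SAMPLE_CHANGES).items():
        print(cid, "->", "; ".join(issues))
```

Run against a real export, the report is itself evidence for the control: an empty report for the audit period shows the separation-of-duties rule held, and a non-empty one gives the list of exceptions to explain. The incomplete record is reported as a failure rather than skipped, because a change with no recorded approver is exactly the gap the control exists to catch.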
8. Risk Mitigation Controls (CC9)
Security is about resilience, not just prevention. These controls mandate Business Continuity and Disaster Recovery plans to ensure survival during disruptions. This also extends to vendor risk management as you are responsible for the security of the tools you use.
The SOC 2 Trust Service Criteria (And Example SOC 2 Controls)
Security
Security is in scope for every SOC 2 audit (it’s the only mandatory TSC). The Security TSC covers the protection of your systems and data against unauthorized access through both logical and physical access controls. It also covers things like firewalls and governance controls to protect data, as well as risk assessment, risk management, change management, and vulnerability scans.
Auditors can also review your hiring policies and onboarding/termination policies to ensure your organization is doing all it can to protect sensitive customer data at every touchpoint.
Some example security controls include:
- Security awareness training for all staff
- Role-based access control for both systems and physical spaces (like server rooms)
- Multi-factor authentication and password requirements
- Formal user onboarding and offboarding process
Availability
SOC 2 availability controls are designed to ensure reliable service delivery through minimizing downtime and demonstrating system resilience. This TSC is often critical to software companies.
Some example availability controls include:
- Uptime and performance SLAs
- Disaster recovery plans
- Post-incident review processes
- Backup procedures
Confidentiality
Confidentiality protects sensitive data that is not personally identifiable information (PII). Confidentiality controls focus on demonstrating how you identify confidential data and assets, restrict access to authorized personnel only, and securely destroy that data once its retention period ends.
Some example confidentiality controls include:
- Role-based and least privilege access
- Confidentiality clauses in contracts
- Data retention and disposal procedures
- Encryption of confidential data in transit and at rest
Processing Integrity
Processing integrity ensures your system performs exactly as intended. These controls ensure your system can accurately process data without any errors, data loss, or unexpected alterations, especially when large volumes of data are input and processed.
Some example processing integrity controls include:
- Input validation controls
- Automated reconciliation procedures
- Data quality monitoring
- Error handling and exception management
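Input validation, exception handling and reconciliation working together, as an added example (not code from the article or from Workstreet). The record layout, the validation rules and the sample batch are constructed for illustration. The point the list above does not show is how the three controls interlock: every input record ends up either posted to a ledger or in an exception queue with a reason, and a reconciliation step then checks counts and per-currency totals against the source so nothing is silently dropped or double-counted. Amounts are handled as Decimal, since binary floats drift when large volumes are summed.

```python
"""Input validation, exception queue and reconciliation over a payment batch.

Added example, not the article's own code. Record layout, rules and the
sample batch are constructed for illustration.
"""
from __future__ import annotations

from decimal import Decimal, InvalidOperation
from typing import Optional

ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
CENTS = Decimal("0.01")


def validate(rec: dict) -> Optional[str]:
    """Return None if the record is acceptable, otherwise the reason it is not."""
    for key in ("id", "amount", "currency"):
        if key not in rec:
            return f"missing {key}"
    try:
        amount = Decimal(str(rec["amount"]))
    except InvalidOperation:
        return "amount is not a number"
    if amount != amount.quantize(CENTS):
        return "amount has more than two decimal places"
    if amount <= 0:
        return "amount must be positive"
    if rec["currency"] not in ALLOWED_CURRENCIES:
        return f"unsupported currency {rec['currency']!r}"
    return None


def process_batch(batch: list[dict]) -> tuple[dict, list[dict], list[dict]]:
    """Post valid records to a per-currency ledger; route the rest to an exception queue."""
    ledger: dict[str, Decimal] = {}
    accepted: list[dict] = []
    exceptions: list[dict] = []
    seen: set = set()
    for rec in batch:
        reason = validate(rec)
        if reason is None and rec["id"] in seen:
            reason = "duplicate id"          # replayed or double-submitted record
        if reason is not None:
            exceptions.append({"record": rec, "reason": reason})
            continue
        seen.add(rec["id"])
        accepted.append(rec)
        cur = rec["currency"]
        ledger[cur] = ledger.get(cur, Decimal("0")) + Decimal(str(rec["amount"]))
    return ledger, accepted, exceptions


def reconcile(batch: list[dict], ledger: dict, accepted: list[dict],
              exceptions: list[dict]) -> dict:
    """Check that nothing was lost or double-counted between input and output."""
    # Control totals are recomputed from the source records, not read from the ledger.
    control: dict[str, Decimal] = {}
    for rec in accepted:
        cur = rec["currency"]
        control[cur] = control.get(cur, Decimal("0")) + Decimal(str(rec["amount"]))
    mismatches = sorted(c for c in set(control) | set(ledger)
                        if control.get(c) != ledger.get(c))
    counts_ok = len(accepted) + len(exceptions) == len(batch)
    return {
        "input_count": len(batch),
        "accepted": len(accepted),
        "rejected": len(exceptions),
        "counts_ok": counts_ok,
        "total_mismatches": mismatches,
        "balanced": counts_ok and not mismatches,
    }


# Constructed sample batch: three clean records and five that must be rejected.
SAMPLE_BATCH = [
    {"id": "T1", "amount": "19.99", "currency": "USD"},
    {"id": "T2", "amount": "5.00", "currency": "EUR"},
    {"id": "T3", "amount": "-4.00", "currency": "USD"},    # negative amount
    {"id": "T4", "amount": "12.345", "currency": "USD"},   # sub-cent precision
    {"id": "T2", "amount": "7.00", "currency": "EUR"},     # duplicate id
    {"id": "T5", "amount": "abc", "currency": "GBP"},      # not a number
    {"id": "T6", "amount": "3.50", "currency": "JPY"},     # unsupported currency
    {"id": "T7", "amount": "0.01", "currency": "GBP"},
]

if __name__ == "__main__":
    ledger, accepted, exceptions = process_batch(SAMPLE_BATCH)
    print("ledger:", ledger)
    for e in exceptions:
        print("rejected", e["record"].get("id"), "->", e["reason"])
    print(reconcile(SAMPLE_BATCH, ledger, accepted, exceptions))
```

The exception queue is what makes the error-handling control auditable: a rejected record carries its reason and can be worked or escalated, rather than disappearing. The reconciliation result is the evidence for the batch; a false `balanced` value is a control failure to investigate before the output is released.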
Privacy
This is the one that causes the most confusion. Privacy is distinct from Confidentiality. It specifically covers how you collect, use, retain, disclose, and dispose of PII: names, email addresses, phone numbers, government IDs, etc. This often maps directly to frameworks like GDPR and CCPA.
Some example privacy controls include:
- Documented privacy policy
- Consent management
- Retention and deletion schedules for PII
- Data subject rights procedures
How Workstreet Can Help with SOC 2 Compliance
With Workstreet, you can achieve SOC 2 compliance faster than ever. From helping implement security controls and evidence collection automation to prepping for your SOC 2 audit, we guide you through every step and have helped hundreds of high-growth startups achieve compliance. Book a call with our security experts to learn more about how we can help.
SOC 2 Controls List FAQs
What are the Standard SOC 2 Controls?
There’s no official SOC 2 controls list that mandates exactly what you must implement to achieve SOC 2 compliance. For SOC 2 audits, the AICPA relies on the Trust Services Criteria to help service organizations decide which controls they need to implement.
How Many SOC 2 Controls Are There?
Again, there’s no official SOC 2 controls list. Depending on which of the Trust Services Criteria an organization chooses to implement, an audit can look at anywhere from 60-100+ controls.
How Many Criteria Are There in SOC 2?
SOC 2 is based on the five Trust Services Criteria, which break down into 64 individual criteria. Only the Security criteria (also called the Common Criteria) are mandatory in a SOC 2 audit, and the majority of the individual criteria fall under this category (CC1 - CC9).
What Happens If An Organization Fails to Implement the Required Controls?
Failing to correctly identify and implement the controls to meet your chosen TSC can result in a qualified SOC 2 attestation report. This basically means that the auditor found some misalignments or gaps in your implementation.
What Are SOC 2 Internal Controls?
Internal controls broadly refer to the policies, procedures, and systems your business implements to meet SOC 2 requirements.

