SOC 2 TSC — Compliance Controls

Home/Compliance

soc2-tsc

SOC 2 TSC. Security Controls

57 controls · cross-mapped to ATT&CK techniques

Translate between regulatory language and what attackers actually do. Each control maps to MITRE ATT&CK techniques; open a control to see those techniques and whether we hold detection coverage for them.

NIST 800-53 (1246)NIST CSF (106)ISO 27001:2022 (93)PCI-DSS v4.0 (75)CIS v8.1 (62)CRI Profile (60)CSA CCM v4 (57)SOC 2 TSC (57)OWASP API (10)OWASP Mobile (10)OWASP Web (10)

▤ Audit answer: every control + the techniques it defends + what you can detect (exportable)

▤ Generate threat-informed coverage report

⇄ Self-assessment: pick what you have, see your coverage

▤

Controls

57 shown of 57

A1.1

Maintains, monitors, and evaluates current processing capacity and use of system components

high

family Availability framework soc2-tsc

A1.2

Develops, documents, and maintains environmental protections, software, data backup processes

high

family Availability framework soc2-tsc

A1.3

Recovers and restores the system after disruption to meet commitments

high

family Availability framework soc2-tsc

C1.1

Identifies and maintains confidential information to meet objectives related to confidentiality

high

family Confidentiality framework soc2-tsc

C1.2

Disposes of confidential information to meet objectives related to confidentiality

high

family Confidentiality framework soc2-tsc

CC1.1

COSO Principle 1: Demonstrates commitment to integrity and ethical values

high

family CC1 · Control Environment framework soc2-tsc

CC1.2

COSO Principle 2: Exercises oversight responsibility

high

family CC1 · Control Environment framework soc2-tsc

CC1.3

COSO Principle 3: Establishes structure, authority, and responsibility

high

family CC1 · Control Environment framework soc2-tsc

CC1.4

COSO Principle 4: Demonstrates commitment to competence

high

family CC1 · Control Environment framework soc2-tsc

CC1.5

COSO Principle 5: Enforces accountability

high

family CC1 · Control Environment framework soc2-tsc

CC2.1

COSO Principle 13: Uses relevant information

high

family CC2 · Communication & Information framework soc2-tsc

CC2.2

COSO Principle 14: Communicates internally

high

family CC2 · Communication & Information framework soc2-tsc

CC2.3

COSO Principle 15: Communicates externally

high

family CC2 · Communication & Information framework soc2-tsc

CC3.1

COSO Principle 6: Specifies suitable objectives

high

family CC3 · Risk Assessment framework soc2-tsc

CC3.2

COSO Principle 7: Identifies and analyzes risk

high

family CC3 · Risk Assessment framework soc2-tsc

CC3.3

COSO Principle 8: Assesses fraud risk

high

family CC3 · Risk Assessment framework soc2-tsc

CC3.4

COSO Principle 9: Identifies and analyzes significant change

high

family CC3 · Risk Assessment framework soc2-tsc

CC4.1

COSO Principle 16: Conducts ongoing and/or separate evaluations

high

family CC4 · Monitoring framework soc2-tsc

CC4.2

COSO Principle 17: Evaluates and communicates deficiencies

high

family CC4 · Monitoring framework soc2-tsc

CC5.1

COSO Principle 10: Selects and develops control activities

high

family CC5 · Control Activities framework soc2-tsc

CC5.2

COSO Principle 11: Selects and develops general controls over technology

high

family CC5 · Control Activities framework soc2-tsc

CC5.3

COSO Principle 12: Deploys through policies and procedures

high

family CC5 · Control Activities framework soc2-tsc

CC6.1

Implements logical access security measures to authorized users

high

family CC6 · Logical & Physical Access framework soc2-tsc

CC6.2

Prior to issuing credentials and granting access, registers and authorizes new users

high

family CC6 · Logical & Physical Access framework soc2-tsc

CC6.3

Removes access to protected information when appropriate

high

family CC6 · Logical & Physical Access framework soc2-tsc

CC6.4

Restricts access to protected information using physical security controls

high

family CC6 · Logical & Physical Access framework soc2-tsc

CC6.5

Authenticates entities and authorizes their access to protected information assets

high

family CC6 · Logical & Physical Access framework soc2-tsc

CC6.6

Implements controls to prevent or detect and act upon introduction of unauthorized or malicious software

high

family CC6 · Logical & Physical Access framework soc2-tsc

CC6.7

Restricts the transmission, movement, and removal of information

high

family CC6 · Logical & Physical Access framework soc2-tsc

CC6.8

Implements controls to prevent or detect and act upon unauthorized physical access

high

family CC6 · Logical & Physical Access framework soc2-tsc

CC7.1

Detects and monitors for new vulnerabilities

high

family CC7 · System Operations framework soc2-tsc

CC7.2

Monitors system components for anomalous behavior

high

family CC7 · System Operations framework soc2-tsc

CC7.3

Evaluates security events to determine whether they could or have resulted in failure

high

family CC7 · System Operations framework soc2-tsc

CC7.4

Responds to identified security incidents per incident response program

high

family CC7 · System Operations framework soc2-tsc

CC7.5

Identifies, develops, and implements activities to recover from identified security incidents

high

family CC7 · System Operations framework soc2-tsc

CC8.1

Authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes

high

family CC8 · Change Management framework soc2-tsc

CC9.1

Identifies, selects, and develops risk mitigation activities

high

family CC9 · Risk Mitigation framework soc2-tsc

CC9.2

Assesses and manages risks associated with vendors and business partners

high

family CC9 · Risk Mitigation framework soc2-tsc

P1.1

Provides notice to data subjects about its privacy practices

high