Common Criteria
Trust Services Criteria · Last updated 2026-05-17

Common Criteria refers to the foundational set of controls required for every SOC 2 audit, regardless of which optional Trust Services Criteria are also included. The AICPA structures Common Criteria into nine series labeled CC1 through CC9, covering control environment, communication, risk assessment, monitoring activities, control activities, logical and physical access, system operations, change management, and risk mitigation. The Security category in SOC 2 is implemented through Common Criteria, meaning every SOC 2 report addresses these controls at minimum. Specific examples include CC6.1 for logical access security, CC6.2 for user provisioning and deprovisioning, CC7.2 for monitoring and detection of anomalies, and CC8.1 for change management approval workflows. When a service organization adds optional categories like Availability or Confidentiality, additional category-specific criteria layer on top of Common Criteria. Understanding the CC numbering helps when reviewing audit reports or mapping evidence to specific control requirements.