Security
Trust Services Criteria · Last updated 2026-05-17

Security, also known as the Common Criteria, is the required category in every SOC 2 audit. It evaluates whether a service organization protects information and systems against unauthorized access, both physical and logical, and against unauthorized disclosure or damage. Security controls cover the full spectrum: identity and access management, network segmentation, endpoint protection, vulnerability management, security monitoring and incident response, secure development practices, physical access to facilities, and personnel security including background checks and training. The Security category is implemented through the nine Common Criteria series CC1 through CC9, which together comprise the largest portion of any SOC 2 audit. Every SOC 2 report covers Security at minimum; the other four categories are optional add-ons. For most companies pursuing their first SOC 2, scoping the audit to Security alone is the right starting point because it satisfies most enterprise procurement requirements and minimizes audit complexity. Additional categories can be added in subsequent audits as customer demand or business needs evolve.