The Common Criteria are the backbone of every SOC 2 report. They make up the Security category - the one Trust Services Criterion that is mandatory in all engagements - and they are organized into nine groups labelled CC1 through CC9. Whatever else you include in your scope, you will be measured against the Common Criteria, so understanding them is foundational.
This guide breaks down all nine categories, explains how they map to the COSO framework, shows where teams focus their effort, and clarifies how you satisfy them with controls.
What the Common Criteria are
The Common Criteria are the AICPA's articulation of what a sound security control environment looks like. They are common in two senses: they are required in every SOC 2, and they are shared as the foundation that the optional criteria (Availability, Processing Integrity, Confidentiality, Privacy) build upon. Rather than dictating specific technologies, they describe outcomes - that access is controlled, changes are managed, risks are assessed - and let you implement controls suited to your environment.
How the nine categories break down
The nine Common Criteria categories span governance through operations. CC1 covers the control environment - governance, integrity, organizational structure, and accountability. CC2 addresses communication and information, both internal and external. CC3 covers risk assessment: identifying and analyzing risks to your objectives. CC4 covers monitoring activities that evaluate whether controls are working. CC5 covers control activities - the policies and procedures that mitigate risk. CC6 covers logical and physical access controls. CC7 covers system operations, including detection, monitoring, and incident response. CC8 covers change management. CC9 covers risk mitigation, including vendor and business-disruption risk.
The COSO connection
CC1 through CC5 align directly with the COSO internal control framework and its principles, which is why SOC 2 reaches beyond pure technology into governance, communication, and risk management. This alignment is deliberate: it ensures that a SOC 2 examines not just whether you have firewalls and encryption, but whether you have the organizational structures and processes that make a security program durable. Teams sometimes underestimate CC1 to CC5 because they are less technical, but auditors take them seriously.
Where the day-to-day evidence lives
While all nine categories matter, three carry the heaviest day-to-day evidence burden and are where first-time programs spend most of their remediation effort. CC6 (access) generates access-provisioning records, quarterly access reviews, and MFA configurations. CC7 (operations) generates monitoring alerts, incident tickets, and evidence of incident-response exercises. CC8 (change management) generates pull-request approvals and deployment logs. Designing these three to produce evidence automatically pays the biggest dividends at audit time.
How you satisfy the Common Criteria
You do not implement CC6 directly; you implement controls - unique accounts, least privilege, multi-factor authentication, quarterly access reviews - that satisfy CC6's points of focus. The same pattern holds across all nine categories: each is met by a set of concrete controls appropriate to your systems. A control matrix that maps each of your controls to the Common Criteria it supports is the single most useful artifact for both remediation and the audit, because it lets a reviewer trace any criterion to the controls and evidence that satisfy it.
Points of focus, not a checklist
Beneath each Common Criterion the AICPA publishes points of focus - illustrative considerations showing how the criterion can be met. They are guidance, not mandatory line items, and they were refreshed in 2022. Use them to design controls that will clearly satisfy each criterion and to anticipate how an auditor will think, but do not treat them as a rigid checklist - your environment determines which controls are appropriate.
How the optional criteria build on the Common Criteria
When you add Availability, Processing Integrity, Confidentiality, or Privacy to your scope, you are not starting over - those criteria layer category-specific requirements on top of the Common Criteria foundation. This is why expanding scope in a later report is far less effort than the first engagement: the bulk of the work, the Common Criteria, is already done and operating.
A closer look at access, operations, and change
The three Common Criteria that carry the most weight in practice deserve a closer look. CC6, logical and physical access, is where most evidence lives and most exceptions arise: auditors expect unique accounts, least-privilege permissions, multi-factor authentication, and periodic access reviews with documented approval. CC7, system operations, covers your ability to detect and respond - monitoring, alerting, and a tested incident-response process - and auditors look for evidence that detection actually works and incidents are handled and reviewed. CC8, change management, expects that changes to production are reviewed and approved before deployment, evidenced by pull-request approvals and pipeline logs. Getting these three right resolves the majority of audit friction.
How auditors test the Common Criteria
For a Type 2, the auditor does not simply read your policies; it samples evidence from across the period for each criterion and tests whether the control operated every time it should have. For access reviews under CC6, that means confirming all four quarters happened with sign-off; for change management under CC8, sampling deployments to confirm each had an approval. This is why a control that exists but operated inconsistently still produces an exception, and why complete, automatically generated evidence populations matter more than any single configuration. Anticipating how auditors test each Common Criterion lets you prepare evidence that withstands sampling rather than scrambling to reconstruct it.
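The two tests just described, run over a complete evidence population rather than a hand-picked sample, look like this in code. This is an added example, not part of the original article or any audit firm's tooling; the record layouts (quarter labels, a `signed_off_by` field on reviews, an `approval_id` on deployments) are assumptions standing in for whatever your ticketing and CI systems actually export.

```python
"""Operating-effectiveness check over a full evidence population.

Added example, not from the original article or any vendor tool. The
record fields below are assumptions; substitute the fields your ticketing
and CI systems emit. The sample population is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccessReview:
    quarter: str                        # e.g. "2024-Q1"
    signed_off_by: Optional[str] = None  # None = no documented approval


@dataclass
class Deployment:
    deploy_id: str
    approval_id: Optional[str] = None   # e.g. an approved PR id; None = unapproved


def access_review_exceptions(period_quarters: List[str], reviews: List[AccessReview]) -> List[str]:
    """CC6-style test: every quarter in the period needs a review with sign-off.

    Returns the quarters an auditor would report as exceptions, either because
    no review exists for that quarter or because the review lacks a sign-off.
    """
    by_quarter = {r.quarter: r for r in reviews}
    exceptions = []
    for q in period_quarters:
        review = by_quarter.get(q)
        if review is None or not review.signed_off_by:
            exceptions.append(q)
    return sorted(exceptions)


def change_approval_exceptions(deployments: List[Deployment]) -> List[str]:
    """CC8-style test: every production deployment must carry an approval record."""
    return sorted(d.deploy_id for d in deployments if not d.approval_id)


def exception_rate(population_size: int, exceptions: List[str]) -> float:
    """Share of the population that failed; 0.0 means the control operated every time."""
    if population_size == 0:
        return 0.0
    return len(exceptions) / population_size


# Constructed sample population for a one-year review period.
PERIOD = ["2024-Q1", "2024-Q2", "2024-Q3", "2024-Q4"]
SAMPLE_REVIEWS = [
    AccessReview("2024-Q1", "security-lead"),
    AccessReview("2024-Q2", "security-lead"),
    AccessReview("2024-Q3", None),      # review ran, but nobody signed off
    # 2024-Q4 is missing entirely
]
SAMPLE_DEPLOYS = [
    Deployment("dep-101", "PR-41"),
    Deployment("dep-102", "PR-42"),
    Deployment("dep-103", None),        # hotfix pushed with no approval record
    Deployment("dep-104", "PR-44"),
]

if __name__ == "__main__":
    ar = access_review_exceptions(PERIOD, SAMPLE_REVIEWS)
    ca = change_approval_exceptions(SAMPLE_DEPLOYS)
    print("CC6 access-review exceptions:", ar)
    print("CC8 change-approval exceptions:", ca,
          f"({exception_rate(len(SAMPLE_DEPLOYS), ca):.0%} of deployments)")
```

Running the checks against the whole population, on a schedule rather than at fieldwork, is what turns "the control exists" into "the control operated every time": any non-empty result is an exception you can fix during the period instead of explaining at the end of it.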
Building your Common Criteria control matrix
The most useful artifact you can produce for the Common Criteria is a control matrix that maps every control you operate to the specific criteria it satisfies, names an owner, and identifies the evidence it generates. This matrix does triple duty: during remediation it tells you whether each of CC1 through CC9 is adequately covered; during the audit it lets the reviewer trace any criterion straight to the controls and evidence that satisfy it; and during ongoing maintenance it becomes your checklist for keeping controls operating. Without a matrix, teams routinely discover late that a criterion - often something in the less-technical CC1 to CC5 governance range - has no control mapped to it. Building and maintaining the matrix from the start is one of the highest-leverage habits in a SOC 2 program.
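A control matrix is simple enough to keep as structured data, which lets you check mechanically for the gap the paragraph warns about: a criterion with no control mapped, or a control with no owner or evidence source. The following is an added example, not the article's or any vendor's control library; the control identifiers, descriptions, owners and evidence names are constructed, and the check deliberately leaves CC4 unmapped to show what a gap looks like.

```python
"""Control-matrix coverage check for CC1 through CC9.

Added example, not from the original article. Control ids, owners and
evidence names are constructed placeholders; map your own controls the same way.
"""
from dataclasses import dataclass
from typing import Dict, List

COMMON_CRITERIA = [f"CC{n}" for n in range(1, 10)]   # CC1 .. CC9


@dataclass
class Control:
    control_id: str
    description: str
    criteria: List[str]   # Common Criteria this control supports
    owner: str            # accountable role; empty string = unassigned
    evidence: List[str]   # artifacts the control generates for the auditor


def coverage_by_criterion(matrix: List[Control]) -> Dict[str, List[str]]:
    """Return {criterion: [control ids]} for every CC1-CC9, including empty lists."""
    coverage: Dict[str, List[str]] = {cc: [] for cc in COMMON_CRITERIA}
    for c in matrix:
        for cc in c.criteria:
            if cc not in coverage:
                raise ValueError(f"{c.control_id} maps to unknown criterion {cc}")
            coverage[cc].append(c.control_id)
    return coverage


def unmapped_criteria(matrix: List[Control]) -> List[str]:
    """Criteria with no control mapped: the gap teams discover late without a matrix."""
    return [cc for cc, ids in coverage_by_criterion(matrix).items() if not ids]


def incomplete_controls(matrix: List[Control]) -> List[str]:
    """Controls that cannot be audited as written: no owner or no evidence source."""
    return sorted(c.control_id for c in matrix if not c.owner or not c.evidence)


# Constructed sample matrix. Note: nothing maps to CC4 (monitoring activities).
SAMPLE_MATRIX = [
    Control("AC-01", "Unique accounts with MFA enforced at the identity provider",
            ["CC6"], "IT lead", ["IdP MFA policy export"]),
    Control("AC-02", "Quarterly access review with documented approval",
            ["CC6"], "Security lead", ["Access review tickets"]),
    Control("OPS-01", "Alerting on auth failures and host anomalies, tracked as incidents",
            ["CC7"], "SRE lead", ["Alert log", "Incident tickets"]),
    Control("CM-01", "Pull-request approval required before production deploy",
            ["CC8"], "Engineering manager", ["PR approvals", "Pipeline logs"]),
    Control("GOV-01", "Board-approved security policy with defined roles",
            ["CC1", "CC2"], "CISO", ["Signed policy"]),
    Control("RSK-01", "Annual risk assessment feeding a risk register",
            ["CC3", "CC9"], "CISO", ["Risk register"]),
    Control("RSK-02", "Vendor risk review for critical suppliers",
            ["CC9"], "", ["Vendor assessments"]),          # no owner assigned
    Control("CA-01", "Policies reviewed and acknowledged annually",
            ["CC5"], "CISO", []),                           # no evidence named
]

if __name__ == "__main__":
    print("Unmapped criteria:", unmapped_criteria(SAMPLE_MATRIX))
    print("Incomplete controls:", incomplete_controls(SAMPLE_MATRIX))
    for cc, ids in coverage_by_criterion(SAMPLE_MATRIX).items():
        print(f"{cc}: {', '.join(ids) or '(none)'}")
```

Running this on every change to the matrix (for example in CI alongside the policy repository) keeps the three uses the paragraph describes honest at once: remediation sees the unmapped criterion immediately, the auditor gets a clean criterion-to-evidence trace, and maintenance catches a control that lost its owner.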
Why teams underestimate the governance criteria
A common trap is to pour effort into the technical Common Criteria - access, monitoring, change - while treating the governance criteria (CC1 through CC5) as paperwork. Auditors do not. They expect to see a real control environment: defined roles and accountability, communicated policies, a functioning risk-assessment process, and monitoring that actually evaluates whether controls work. Missing or hollow governance controls are a frequent source of findings, and they are harder to backfill under time pressure than a technical setting. Giving CC1 to CC5 genuine attention from the start - not just CC6 to CC9 - is what produces a balanced program that withstands testing.
How ISpectra covers the Common Criteria
ISpectra starts from a control library pre-mapped to CC1 through CC9, tailors it to your stack, assigns an owner to each control, and automates the evidence that CC6, CC7, and CC8 demand - so the Common Criteria are not just designed but demonstrably operating, which is what carries you cleanly through fieldwork. These criteria are the foundation that all SOC 2 compliance is built on.