SOC 2 Common Criteria explained: the CC series and the five Trust Services Criteria
SOC 2 is built on five Trust Services Criteria, with Security as the mandatory foundation expressed through nine Common Criteria categories (CC1 through CC9). Here is what each one means.
The five Trust Services Criteria
SOC 2 is organized around five categories defined by the AICPA: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is required in every report; the other four are optional and included only where relevant to the promises you make to customers. Scoping the right categories is the first real decision in a SOC 2 project.
Why Security is called the Common Criteria
The Security category is also known as the Common Criteria, or CC series, because its requirements are common to and shared across all five categories, which is why every SOC 2 report must include Security. The Common Criteria are organized into nine groups, CC1 through CC9, each containing more specific numbered criteria.
How the CC series maps to COSO
The Common Criteria are deliberately aligned with the COSO Internal Control framework. The first five groups, CC1–CC5, map to COSO's principles, while CC6–CC9 expand on the technical and operational controls specific to information security. The AICPA also publishes mappings to ISO/IEC 27001 and the NIST CSF, which eases cross-framework programs.
CC1 through CC5: the governance foundation
CC1 (Control Environment) sets roles, accountability, and policies; CC2 (Communication and Information) ensures security expectations are communicated; CC3 (Risk Assessment) identifies threats; CC4 (Monitoring Activities) checks that controls work; and CC5 (Control Activities) translates policy and risk thinking into concrete actions like access procedures and change approvals.
CC6 through CC9: the technical and operational controls
CC6 (Logical and Physical Access Controls) governs who can reach systems and data; CC7 (System Operations) covers monitoring, detection, and incident response; CC8 (Change Management) ensures changes follow a controlled, reviewed process; and CC9 (Risk Mitigation) reduces the impact of disruptions and manages vendor risk.
Putting it together for an audit
You always include the Common Criteria (Security), then add other categories based on customer commitments. An auditor evaluates whether controls meet each in-scope criterion and, for a Type 2 report, whether they operated effectively over the review period. Mapping a single control to every criterion it satisfies sharply reduces your evidence burden.