
Common Criteria (CC1–CC9)

SOC 2

The nine Common Criteria categories that make up the Security category of the SOC 2 Trust Services Criteria, from control environment (CC1) through risk mitigation (CC9).

The Common Criteria (CC1–CC9) are the nine categories of criteria that make up the Security category of the AICPA Trust Services Criteria: CC1 Control Environment, CC2 Communication & Information, CC3 Risk Assessment, CC4 Monitoring Activities, CC5 Control Activities, CC6 Logical & Physical Access Controls, CC7 System Operations, CC8 Change Management, CC9 Risk Mitigation. CC1–CC5 follow the five components of the COSO 2013 internal control framework; CC6–CC9 are the supplemental criteria that address the security-specific subject matter (access control, operations and monitoring, change management, and risk mitigation). Security is the one category every SOC 2 report must include, and the Common Criteria also apply to any of the other four categories (Availability, Confidentiality, Processing Integrity, Privacy) that a report covers, each of which adds its own category-specific criteria on top.

Why it matters
Audit fieldwork is structured around CC1–CC9: the auditor walks each criterion and asks which of your controls address it and what evidence shows they operated during the review period. Mapping every control to its specific criteria up front (a single control such as quarterly access reviews often serves several, e.g. CC6.1, CC6.2 and CC6.3) prevents the dreaded ‘which control covers CC7.2?’ scramble during fieldwork.

Related terms

Trust Services Criteria (TSC)
The five AICPA criteria categories underpinning SOC 2: Security (required in every report), Availability, Confidentiality, Processing Integrity and Privacy (each optional, chosen according to the commitments the service organisation makes).
SOC 2
AICPA attestation report on a service organisation's controls, evaluated against the Security category and any of the other four Trust Services Criteria categories the organisation elects to include.

Does your program actually cover Common Criteria (CC1–CC9)?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
