SOC 2 Controls List for 2026

Starting a SOC 2 program means creating controls that fit your company’s goals, risks, and systems. These controls will vary depending on how your organization operates, the data you handle, and what your customers expect.

SOC 2 is based on five Trust Services Criteria, each tied to a specific type of risk. Knowing which controls apply helps you prepare for audits, handle vendor reviews, and keep your security practices in order.

This post outlines the main types of SOC 2 controls, how they connect to the criteria, and where to begin when building your list.

Download SOC 2 Controls List PDF

What Are SOC 2 Controls?

SOC 2 controls are the policies, procedures, and technical measures used to protect systems and data. They help reduce the risk of security risks, mistakes, or unauthorized access.

These controls are based on the SOC 2 Trust Services Criteria, which auditors use as a guide when assessing your organization.

Common examples include password rules, multi-factor authentication, logical access security measures, access permissions, and steps for onboarding and offboarding employees.

Each control supports your overall security program and helps meet the expectations of customers and service organizations.

SOC 2 Controls List

The SOC 2 controls framework is built around five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. These controls guide how a company protects systems and data and form the core of what auditors evaluate during a SOC 2 examination.

1. Security Controls

Security is the foundation of SOC 2. This category focuses on strong operational practices and defenses against both digital and physical threats. Controls in this section often include multi-factor authentication, web application firewalls, physical and virtual measures, and physical safeguards at server facilities.

Auditors also review indirect controls, such as hiring policies for security roles, to assess whether the organization has established the right environment for protecting confidential information.

Security is the foundation of SOC 2. These controls protect against both digital and physical threats.

Examples include:

• Multi-factor authentication
• Web application firewalls
• Detection and monitoring procedures for unauthorized activity
• Physical safeguards for server rooms
• Hiring and background checks for staff in sensitive roles
• Security awareness training for all employees

2. Privacy Controls

Privacy controls apply to any customer data a company handles. Organizations must clearly communicate their privacy policies to individuals whose data they store.

These controls typically require organizations to:

• Obtain consent before collecting data
• Limit data collection to what is necessary
• Collect data through lawful methods
• Use data only for the purpose stated
• Dispose of data once it is no longer needed, following internal compliance process requirements
• Maintain documentation as part of internal control responsibilities

3. Confidentiality Controls

Confidential data often needs to be shared with trusted parties, for example, health information shared across hospitals and pharmacies. The goal here is not to block access entirely but to manage secure sharing with vetted business partners.

Controls focus on identifying confidential data, limiting unauthorized access, and securely disposing of it after a defined retention period. These safeguards help maintain trust services principles and support compliance efforts.

The goal of confidentiality controls is to allow secure sharing without exposing unauthorized users to that data.

Typical controls:

• Data classification policies
• Role-based access permissions
• Use of encryption at rest and in transit
• Secure disposal processes for confidential information
• Retention schedules for confidential data

4. Processing Integrity Controls

These controls address whether systems perform as intended. They focus on the accuracy, completeness, and reliability of system processing, especially when large volumes of data are ingested, processed, and exported. Effective controls help confirm that inputs and outputs align and that no data is lost or altered during processing.

SOC 2 Processing Integrity Controls

Examples include:

• Timely error detection and correction during periods of high processing demand
• Input validation and sanity checks
• Monitoring data pipelines to verify inputs and outputs match expected results
• Reconciling processed data through automated checks and reporting
• Controls that prevent unauthorized system components’ logic changes
• Automated alerts for processing failures

5. Availability Controls

Availability controls aim to reduce downtime and maintain reliable service delivery. These are critical for SaaS platforms and cloud providers. This category also involves input from senior management when defining acceptable recovery objectives and allocating resources.

Typical controls include:

• Secure backup procedures
• Disaster recovery plans
• Business continuity plans
• Environmental risk management assessments
• Predictive capacity planning as part of a formal readiness assessment

Control Categories in SOC 2

SOC 2 controls are also grouped into functional categories that support the five TSCs. These include:

1. Control Environment

• Encourages ethical behavior and integrity
• Involves senior leadership and the board in oversight
• Assigns clear responsibilities for controls

2. Communication and Information (CC2)

• Documents policies and procedures clearly
• Communicates data-handling expectations to staff and third parties
• Ensures timely sharing of incident updates and risk alerts

3. Risk Assessment (CC3)

• Regularly evaluates new risks to security and compliance
• Identifies internal and external threats
• Considers the impact of system changes or new services

4. Monitoring Activities

• Tracks control performance over time
• Flags control failures or policy violations
• Shares findings with stakeholders

5. Logical and Physical Access Controls

• Manages user credentials and system permissions
• Uses strong authentication methods
• Restricts physical access to hardware

6. System and Operations Controls

• Logs security events and monitors for anomalies
• Responds to system incidents
• Maintains change logs and version control

7. Change Management Controls

• Requires documented approvals for all code or system changes
• Tests updates in a staging environment
• Tracks who made changes and when

8. Risk Mitigation Controls

• Supports recovery from business disruptions
• Maintains vendor risk assessment practices
• Includes monitoring and contract terms for third-party vendors

Common Criteria (CC-Series)

The Security category includes nine Common Criteria (CC1–CC9), which apply across all TSCs.

• CC1: Control Environment
• CC2: Communication and Information
• CC3: Risk Assessment
• CC4: Monitoring Activities
• CC5: Control Activities
• CC6: Logical and Physical Access Controls
• CC7: System Operations
• CC8: Change Management
• CC9: Risk Mitigation

Each criterion represents a layer of control maturity and helps shape an auditor’s opinion on whether your environment meets SOC 2 standards.

How Bright Defense Can Help?

Bright Defense helps organizations meet SOC 2 requirements through a complete compliance support system. The team performs readiness assessments to spot gaps, builds detailed security controls, and prepares all documentation needed for the audit. We guide clients through every stage, from defining scope and writing policies to gathering evidence and coordinating with auditors.

With CISSP and CISA certified experts, Bright Defense provides ongoing monitoring, risk reviews, and policy updates so that compliance stays current beyond certification. Their goal is to make SOC 2 achievable and sustainable with practical, clear processes and hands-on support.

FAQs