CC1 — Control Environment

CC1 — the Control Environment cluster — is the organizational bedrock of a SOC 2 audit. Before auditors test a single access review or inspect a change management ticket, they assess whether the organizational environment in which those controls operate is fundamentally sound. A weak control environment means auditors will scrutinize every other control more skeptically; a strong one provides confidence that the policies and procedures described in the system description are real and consistently applied.

CC1 is drawn directly from the COSO 2013 framework’s Control Environment component, which COSO describes as “the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.” In SOC 2 terms, this means: does leadership set an appropriate example? Is there board-level visibility into security? Are people accountable for their security responsibilities?


The Five Principles of CC1

COSO Principle | SOC 2 CC1 Requirement | Key Evidence
Commitment to integrity and ethical values (CC1.1) | The organization demonstrates a commitment to integrity and ethical values relevant to the security of its systems | Code of conduct; employee acknowledgment records; ethical reporting mechanisms (e.g., whistleblower channel)
Board oversight (CC1.2) | The board or equivalent oversight body oversees the design and operating effectiveness of internal controls | Board or audit committee meeting minutes showing security discussion; board-approved information security policy; risk committee charter
Organizational structure (CC1.3) | Management establishes organizational structure, reporting lines, and appropriate authorities for security responsibilities | Organizational chart; job descriptions for security-relevant roles; documented reporting structure for the CISO or security function
Commitment to competence (CC1.4) | The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with its objectives | Hiring standards for security roles; training records; performance management documentation; background check policy
Accountability (CC1.5) | The organization holds individuals accountable for their internal control responsibilities | Performance review criteria that include security KPIs; documented consequences for policy violations; escalation procedures


What Auditors Actually Look For

For a Type I audit, CC1 testing is primarily documentation-based: auditors will request the code of conduct, confirm (usually by sampling) that employees have acknowledged it, review the board or executive oversight structure for security, and confirm that key security roles have defined responsibilities. For a Type II audit, they will additionally test whether these organizational commitments operate consistently across the review period. A typical test is whether each new hire signed the code of conduct as part of onboarding, rather than only being swept up in an annual re-acknowledgment campaign; a single dated acknowledgment per employee is not enough if the date does not line up with the hire date.
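The Type II onboarding test above is easy to run yourself before the auditor does. The following Python script is an added example, not part of the original page or any vendor tooling: it reconciles a constructed HR roster against constructed code-of-conduct acknowledgment records and flags the gaps an auditor would flag. The audit period, the assumed 30-day onboarding window, the employee IDs and all dates are hypothetical.

```python
from datetime import date, timedelta

# Hypothetical audit period and onboarding policy (assumptions for this example).
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))
ONBOARDING_WINDOW_DAYS = 30  # assumed policy: acknowledge within 30 days of hire

# Constructed sample data, not taken from any real HR system.
ROSTER = [
    {"id": "e001", "hired": date(2023, 6, 12)},   # hired before the period
    {"id": "e002", "hired": date(2024, 3, 4)},    # acknowledged two days after hire
    {"id": "e003", "hired": date(2024, 5, 20)},   # only caught by the annual sweep
    {"id": "e004", "hired": date(2024, 9, 9)},    # never acknowledged
    {"id": "e005", "hired": date(2024, 11, 18)},  # record dated before hire (bad data)
]

ACKS = [
    {"id": "e001", "signed": date(2024, 10, 1), "version": "2024.1"},
    {"id": "e002", "signed": date(2024, 3, 6),  "version": "2024.1"},
    {"id": "e003", "signed": date(2024, 10, 1), "version": "2024.1"},
    {"id": "e005", "signed": date(2024, 11, 10), "version": "2024.1"},
]


def review_acknowledgments(roster, acks, period, window_days=ONBOARDING_WINDOW_DAYS):
    """Return a list of findings, one per failed control instance.

    Two controls are checked for every employee on the roster:
      - onboarding: a hire dated inside the period must have an acknowledgment
        dated on or after the hire date and within window_days of it;
      - annual: every employee must have at least one acknowledgment dated
        inside the audit period.
    """
    start, end = period
    acks_by_id = {}
    for ack in acks:
        acks_by_id.setdefault(ack["id"], []).append(ack["signed"])

    findings = []
    for emp in roster:
        signed = sorted(acks_by_id.get(emp["id"], []))
        hired = emp["hired"]

        if start <= hired <= end:
            deadline = hired + timedelta(days=window_days)
            in_window = [d for d in signed if hired <= d <= deadline]
            if not in_window:
                if not signed:
                    reason = "no acknowledgment"
                elif all(d < hired for d in signed):
                    # A signature that predates the hire date is a data-integrity
                    # problem in the evidence itself, not just a late signature.
                    reason = "acknowledgment predates hire date"
                else:
                    reason = "acknowledged outside onboarding window"
                findings.append({"id": emp["id"], "control": "onboarding", "detail": reason})

        if not any(start <= d <= end for d in signed):
            findings.append({"id": emp["id"], "control": "annual",
                             "detail": "no acknowledgment in audit period"})
    return findings


if __name__ == "__main__":
    for f in review_acknowledgments(ROSTER, ACKS, AUDIT_PERIOD):
        print(f"{f['id']}: {f['control']} - {f['detail']}")
```

Run against the constructed data, e002 and e001 pass, e003 is the classic "annual sweep only" gap, e004 fails both controls, and e005 surfaces an acknowledgment dated before the hire date, which is worth catching before an auditor asks why the evidence is inconsistent. Replace ROSTER and ACKS with exports from your HRIS and policy-acknowledgment tool, keeping the hire date and signature date as the join keys.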

KEY IDEA: The most common CC1 gap for technology companies is not the absence of a code of conduct; it is the absence of board or executive-level visibility into security. Auditors expect to see evidence that the highest level of the organization is engaged with security as a governance matter. For many startups and SMEs, this means formalizing what may already be happening informally: minutes of a leadership meeting that includes a security agenda item are better evidence than no documentation at all.


Building CC1-Compliant Governance

For organizations implementing CC1 controls, the required artifacts are straightforward but must be maintained consistently. The code of conduct should explicitly reference information security responsibilities. The board oversight mechanism can be as simple as a quarterly security update on the board or executive leadership agenda — documented in minutes. Organizational charts and job descriptions should clearly place the security function within the hierarchy.

The accountability mechanism is often overlooked. Auditors will ask: what happens when someone violates the code of conduct or security policies? The answer should be documented; it need not be punitive, but it must be defined. A disciplinary policy that covers security violations, together with evidence that it has actually been applied (anonymized references to how violations were handled), satisfies this requirement. A policy with no record of ever being invoked invites the follow-up question of whether violations are being detected at all.

BITLION INSIGHT: For early-stage companies where the "board" is the founding team, CC1's governance requirements are still achievable. Document that the founding executives review security posture quarterly. Keep minutes. Appoint someone, even a part-time CISO or vCISO, with named security accountability. Auditors understand that governance structures differ by organization size; what they require is that the structure, whatever it is, is documented and operating.