CC2 — Communication and Information

CC2 addresses the information and communication systems that support the functioning of internal controls. In practical terms: do employees know what the security policies are? Do they know how to report a security issue? Do clients and external parties receive appropriate information about the organization’s security commitments? And when something goes wrong, is there a defined communication path?

CC2 is sometimes treated as a formality in SOC 2 readiness programs — “we have policies, therefore we communicate information.” Auditors test CC2 more actively than this assumption suggests. They want to see evidence that security-relevant information actually reaches the people who need it, at the frequency required, in a format they can act on.

Internal Communication Requirements

The internal communication dimension of CC2 covers how the organization ensures that personnel with internal control responsibilities understand those responsibilities. This includes the security awareness training program, the accessibility of security policies, the mechanism for employees to ask security questions or report concerns, and the communication of changes to policies and procedures.

| CC2 Internal Requirement | Acceptable Evidence | Common Gap |
| --- | --- | --- |
| Security awareness training | Training platform completion records showing all employees completed annual training; onboarding training for new hires | Training completed but completion records not retained; training content not updated to reflect current threats |
| Policy accessibility | Security policy library accessible to all employees (e.g., intranet, wiki, HRIS); policy acknowledgment log | Policies exist but are stored in a location only the security team can access |
| Security reporting mechanism | Documented channel for employees to report security incidents or concerns (e.g., [email protected], Slack channel, ticketing system) | Reporting channel exists but is not communicated to employees in onboarding or training |
| Policy change notification | Evidence that employees are notified when policies are materially updated | Policy updated but employees not re-acknowledged; no change communication record |

External Communication Requirements

CC2 also covers the organization’s communication with external parties — primarily clients, but also regulators, sub-processors, and other relevant external stakeholders. This includes how the organization communicates its security commitments (typically through system descriptions, privacy notices, and security pages), how it notifies clients of security incidents that affect them, and how it handles external security inquiries.

IMPORTANT: Client security incident notification is a CC2 requirement that organizations frequently underestimate. If a security incident affects client data, SOC 2 requires that clients be notified. The notification procedure — who decides to notify, within what timeframe, through what channel — must be documented before the audit. Evidence of actual notifications (even anonymized) will be reviewed in a Type II audit.

The external communication artifacts auditors request include: the organization’s security or trust page (the public-facing statement of security practices), data processing agreements or security addenda shared with clients, the incident notification procedure, and any records of security communications sent to clients or regulators during the audit period.

Practical CC2 Implementation

The most efficient way to satisfy CC2 is to treat it as an operational communication practice rather than a compliance documentation exercise. An annual security awareness training with a completion tracker, policies stored in an employee-accessible location with an acknowledgment log, a published security page on the company website, and a documented incident notification procedure — these four elements cover the majority of CC2 requirements with minimal overhead.
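The completion tracker and acknowledgment log described above are only useful at audit time if someone reconciles them against the employee roster. The script below is an added illustration, not code from this page or from any training or compliance platform: it takes constructed sample exports (a roster, a training-completion list, a policy register with effective dates, and an acknowledgment log), applies an assumed 365-day training window and an assumed audit-period end date, and produces the two internal-communication gaps from the table above: training not current for an employee, and a policy materially updated without the employee re-acknowledging the new version. The data, names, and dates are all made up for the example.

```python
"""Reconcile CC2 communication evidence against the employee roster.

Constructed sample data (not from any real organization) stands in for the
exports an HRIS, a training platform and a policy-acknowledgment log would
produce. The checks mirror the CC2 gaps discussed on this page: training
completion not current, and policies updated without re-acknowledgment.
"""
from datetime import date, timedelta

# Assumed audit-period end, used as the "as of" date for every check.
AS_OF = date(2024, 12, 31)
# Assumed definition of "annual": a completion older than this is a gap.
TRAINING_MAX_AGE = timedelta(days=365)

# Constructed sample roster: active employees and hire dates.
ROSTER = {
    "alice": date(2022, 3, 1),
    "bob": date(2024, 11, 15),   # new hire inside the audit period
    "carol": date(2021, 7, 20),
}

# Constructed training-platform export: most recent completion per employee.
TRAINING_COMPLETIONS = {
    "alice": date(2024, 2, 10),
    "carol": date(2023, 9, 5),   # more than a year before AS_OF
    # bob has no completion record at all
}

# Constructed policy register: current version's effective date per policy.
POLICIES = {
    "Information Security Policy": date(2024, 6, 1),   # materially updated mid-year
    "Acceptable Use Policy": date(2023, 1, 15),
}

# Constructed acknowledgment log: (employee, policy) -> date acknowledged.
ACKNOWLEDGMENTS = {
    ("alice", "Information Security Policy"): date(2024, 6, 3),
    ("alice", "Acceptable Use Policy"): date(2023, 2, 1),
    ("carol", "Information Security Policy"): date(2023, 1, 20),  # predates the update
    ("carol", "Acceptable Use Policy"): date(2023, 2, 1),
    ("bob", "Acceptable Use Policy"): date(2024, 11, 16),
}


def training_gaps(roster, completions, as_of=AS_OF, max_age=TRAINING_MAX_AGE):
    """Employees whose latest awareness training is missing or older than max_age."""
    gaps = []
    for employee in sorted(roster):
        completed = completions.get(employee)
        if completed is None:
            gaps.append((employee, "no training completion record"))
        elif as_of - completed > max_age:
            gaps.append((employee, f"last completion {completed.isoformat()} "
                                   f"is older than {max_age.days} days"))
    return gaps


def acknowledgment_gaps(roster, policies, acks):
    """(employee, policy, reason) for every missing or stale acknowledgment.

    An acknowledgment dated before the policy's current effective date is
    stale: the 'policy updated but employees not re-acknowledged' gap.
    """
    gaps = []
    for employee in sorted(roster):
        for policy, effective in sorted(policies.items()):
            acked = acks.get((employee, policy))
            if acked is None:
                gaps.append((employee, policy, "never acknowledged"))
            elif acked < effective:
                gaps.append((employee, policy, f"acknowledged {acked.isoformat()}, "
                                              f"before the {effective.isoformat()} version"))
    return gaps


def cc2_evidence_report(roster=ROSTER, completions=TRAINING_COMPLETIONS,
                        policies=POLICIES, acks=ACKNOWLEDGMENTS):
    """Summarise coverage in the shape an auditor's evidence request expects."""
    t_gaps = training_gaps(roster, completions)
    a_gaps = acknowledgment_gaps(roster, policies, acks)
    return {
        "headcount": len(roster),
        "training_current": len(roster) - len(t_gaps),
        "training_gaps": t_gaps,
        "acknowledgment_gaps": a_gaps,
    }


if __name__ == "__main__":
    report = cc2_evidence_report()
    print(f"{report['training_current']}/{report['headcount']} employees current on training")
    for employee, reason in report["training_gaps"]:
        print(f"  training gap: {employee}: {reason}")
    for employee, policy, reason in report["acknowledgment_gaps"]:
        print(f"  acknowledgment gap: {employee} / {policy}: {reason}")
```

Run against a real HRIS export, training-platform export and acknowledgment log, the same two functions give you both the population-level statement ("N of M employees current") and the exception list an auditor will sample from; running it quarterly rather than at audit time is what turns the evidence from "it exists somewhere" into "it is retained and organized".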

BITLION INSIGHT: Organizations often discover that CC2 is already substantially satisfied — they just haven’t retained the evidence. If you run annual security training through a platform like KnowBe4 or Proofpoint, those completion records exist. If you notify clients of incidents over email, those emails exist. The work is not creating new communications — it’s ensuring those communications are discoverable and organized for audit review.