CC4 — Monitoring Activities — addresses how an organization continuously evaluates whether its system of internal controls is functioning as designed. This is the “check” in the Plan-Do-Check-Act cycle at the heart of any management system. Controls that are designed correctly but monitored inadequately will drift over time: access reviews that were quarterly become semi-annual, vulnerability scans that were weekly become monthly, incident response SLAs that were defined become informally applied.
SOC 2 distinguishes between two types of monitoring under CC4: ongoing monitoring (continuous or near-continuous assessment embedded in operations) and separate evaluations (periodic, structured assessments such as internal audits, management reviews, and penetration tests). Both are required; neither alone is sufficient.
Ongoing Monitoring
Ongoing monitoring refers to the real-time and near-real-time control monitoring embedded in the organization’s operational processes. For a technology organization, this typically includes: SIEM alerting that triggers when security controls fail or anomalous behavior occurs, infrastructure monitoring dashboards that surface availability or performance issues, automated compliance checks that flag access control deviations, and vulnerability scanning that continuously identifies new exposures.
| Monitoring Type | Example Implementation | Evidence for Auditors |
|---|---|---|
| SIEM / Security monitoring | Centralized log management with alert rules for failed logins, privilege escalation, and unauthorized access attempts | SIEM alert configuration; sample alert notifications; evidence of alert response and closure |
| Availability monitoring | Uptime monitoring platform (e.g., Datadog, Pingdom) with threshold alerts and on-call rotation | Monitoring dashboards; incident history; uptime reports for the audit period |
| Vulnerability scanning | Weekly automated scans of in-scope systems; scan results reviewed and remediated within defined severity-based SLAs | Scan reports for the audit period; remediation tickets linked to scan findings; scan schedule configuration |
| Access anomaly monitoring | Automated alerts for anomalous access patterns (off-hours access, geo-impossible logins, mass download events) | Alert configuration; sample anomaly alerts; investigation and disposition records |
| Configuration compliance | Automated baseline compliance scanning (e.g., AWS Config, Azure Policy, Wiz) checking for security misconfigurations | Compliance scan results; exception handling records; remediation evidence |
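The access anomaly monitoring row above lists three patterns (off-hours access, geo-impossible logins, mass download events). The following is an added illustration, not code from the original page or from any vendor product, of how those three checks can be run over access events; the thresholds, the event field names and the sample users are assumptions constructed for the example, and each alert carries an empty disposition field because the investigation record, not the alert itself, is the CC4 evidence.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
# Thresholds are assumptions for this example, not values taken from SOC 2 or any standard.
BUSINESS_HOURS = range(6, 22)             # logins outside 06:00-21:59 are "off-hours"
MAX_TRAVEL_KMH = 900                      # faster than this between two logins = geo-impossible
DOWNLOAD_LIMIT, DOWNLOAD_WINDOW = 50, timedelta(minutes=10)   # >50 downloads in 10 minutes

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def alert(kind, user, ts):
    # 'disposition' stays None until an analyst records the outcome of the investigation.
    return {"type": kind, "user": user, "ts": ts.isoformat(), "disposition": None}

def detect_anomalies(events):
    """events: dicts with ts (datetime), user, action ('login' or 'download'), lat, lon."""
    alerts, by_user = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        last_login, recent_downloads, mass_alerted = None, [], False
        for e in evs:
            if e["action"] == "login":
                if e["ts"].hour not in BUSINESS_HOURS:
                    alerts.append(alert("off_hours_login", user, e["ts"]))
                if last_login:
                    km = haversine_km(last_login["lat"], last_login["lon"], e["lat"], e["lon"])
                    hours = (e["ts"] - last_login["ts"]).total_seconds() / 3600
                    if km > MAX_TRAVEL_KMH * hours:    # also catches two places at the same instant
                        alerts.append(alert("geo_impossible_login", user, e["ts"]))
                last_login = e
            elif e["action"] == "download":
                recent_downloads = [t for t in recent_downloads if e["ts"] - t <= DOWNLOAD_WINDOW]
                recent_downloads.append(e["ts"])
                if len(recent_downloads) > DOWNLOAD_LIMIT and not mass_alerted:   # one alert per user
                    alerts.append(alert("mass_download", user, e["ts"])); mass_alerted = True
    return alerts

def build_sample():
    """Constructed sample: alice London->New York in 30 min, bob at 03:00, carol 60 downloads in 5 min."""
    t0 = datetime(2024, 3, 4, 10, 0)
    ev = [{"ts": t0, "user": "alice", "action": "login", "lat": 51.5, "lon": -0.12},
          {"ts": t0 + timedelta(minutes=30), "user": "alice", "action": "login", "lat": 40.7, "lon": -74.0},
          {"ts": datetime(2024, 3, 4, 3, 0), "user": "bob", "action": "login", "lat": 51.5, "lon": -0.12}]
    ev += [{"ts": t0 + timedelta(seconds=5 * i), "user": "carol", "action": "download", "lat": 48.9, "lon": 2.35}
           for i in range(60)]
    return ev
```

Running `detect_anomalies(build_sample())` yields one alert of each type; in practice the alert records plus their filled-in dispositions are what an auditor samples for the audit period.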
Separate Evaluations
Separate evaluations are the structured, periodic assessments that complement continuous monitoring. These include: management review meetings at which security posture and control effectiveness are discussed; internal audits or self-assessments of specific control areas; annual penetration tests; and any external assessments (third-party security reviews, red team exercises) that evaluate the effectiveness of the control environment.
| KEY IDEA | For a SOC 2 Type II audit, separate evaluations must produce documented outputs. A management review meeting satisfies CC4 only if minutes are kept showing that security was discussed, findings were identified, and follow-up actions were assigned. A penetration test satisfies CC4 only if the report is retained, findings are triaged, and remediation is tracked. |
The CC4 requirement for management review is often satisfied through a quarterly security review meeting that includes the CISO, CTO, or equivalent leadership. The agenda typically covers: open vulnerabilities and remediation status, security incidents from the period, access review completion rates, training compliance, and any new risks or control gaps identified. Meeting minutes with action items satisfy the separate evaluation requirement.
Communicating Deficiencies
CC4 also requires that deficiencies identified through monitoring are communicated to the appropriate parties and resolved. This means: when a vulnerability scan produces a critical finding, that finding is not just logged — it is triaged, assigned, tracked, and resolved within the defined SLA. When a monitoring alert fires, it is investigated and the disposition is documented. Deficiencies that were identified but not communicated, actioned, or resolved will generate exceptions in a Type II audit.
| BITLION INSIGHT | The most efficient CC4 programs build monitoring into the operational rhythm from day one of the observation period. Organizations that build monitoring infrastructure in the last month before an audit will have thin evidence. The audit period is retrospective: auditors look at what actually happened over 6–12 months, not at what you can demonstrate in the week before fieldwork. |