
CC1: Common Criteria — Control Environment Requirements

Understand SOC 2 CC1 control environment requirements: tone at the top, organizational structure, HR controls, and how auditors evaluate them.

Key Takeaways
  • CC1 covers the COSO control environment — the foundation all other SOC 2 criteria build on.
  • Auditors look for a documented code of conduct, org chart, and background check policy.
  • Board or leadership oversight (CC1.2) must be demonstrable through meeting minutes or written reviews.
  • HR processes — onboarding, role definitions, performance reviews — are direct CC1 evidence.
  • Weak control environment findings can escalate to qualified opinions even when technical controls pass.

What Is CC1?

CC1 is the first category in the AICPA Trust Services Criteria (TSC) common criteria section. It maps directly to the COSO Internal Control Framework's "Control Environment" component — the set of standards, processes, and structures that form the foundation of internal control across the organization.

Unlike technical controls that can be verified with a screenshot or log export, CC1 is evaluated through policies, organizational evidence, and interviews. An auditor assessing CC1 wants to know: does leadership set the right tone, are roles and responsibilities clearly defined, and does the company have the HR processes to hire, train, and hold accountable the people responsible for controls?

For SaaS companies pursuing SOC 2 Type II, CC1 is often the first area populated in a readiness assessment. Getting it right sets the stage for every other control category.

CC1 Criteria Breakdown

CC1 contains five sub-criteria: CC1.1 through CC1.5. Each maps to a COSO principle and each has specific points of focus that auditors use to evaluate design and operating effectiveness.

  • CC1.1 — The entity demonstrates a commitment to integrity and ethical values.
  • CC1.2 — The board of directors (or equivalent) demonstrates independence from management and exercises oversight.
  • CC1.3 — Management establishes, with oversight, structures, reporting lines, and appropriate authorities.
  • CC1.4 — The organization demonstrates commitment to attracting, developing, and retaining competent individuals.
  • CC1.5 — The organization holds individuals accountable for their internal control responsibilities.

Each sub-criterion has "Points of Focus" — implementation guidance from the AICPA that auditors use to evaluate whether a control is designed and operating effectively. Not every point of focus needs to be addressed if the entity can demonstrate compensating controls.

Tone at the Top (CC1.1)

CC1.1 requires the organization to demonstrate a commitment to integrity and ethical values. In practice, auditors look for a code of conduct or ethics policy that all employees acknowledge, a whistleblower or speak-up mechanism, and documented disciplinary actions when violations occur.

For early-stage startups, this often means creating a formal Code of Business Conduct document, adding it to the employee handbook, and collecting annual e-signatures. Tools like Rippling, BambooHR, or even a simple Google Form signature capture work as evidence.

The key is operationalization — the policy needs to be communicated, not just written. Auditors will check that new hires sign it during onboarding and that existing employees re-acknowledge it at least annually.

Board and Management Oversight (CC1.2)

CC1.2 requires the board or equivalent governing body to exercise oversight of the system of internal control. For VC-backed startups without a formal board of directors, an audit committee or advisory board with documented review responsibilities can satisfy this criterion.

Evidence auditors typically request: board meeting minutes that reference security or compliance reviews, quarterly risk reports presented to leadership, and documentation showing the board has reviewed and approved the security program at least annually.

If your company lacks a formal board, designate a security oversight committee — even a monthly meeting between the CEO and CTO reviewing security metrics, documented in meeting minutes, demonstrates the oversight the criterion requires.

Organizational Structure (CC1.3)

CC1.3 requires defined reporting lines and assigned authorities and responsibilities. The primary evidence artifact is an org chart, but auditors also look for documented role descriptions that include security and compliance responsibilities.

Job descriptions should state who is responsible for maintaining security controls. The CISO or Head of Engineering should have a written mandate that includes information security. If these responsibilities are split, a RACI matrix clarifying who is Responsible, Accountable, Consulted, and Informed for key security decisions satisfies the criterion.

Auditors also check that reporting lines are appropriate — an engineer who also approves their own access changes, for example, is a segregation of duties finding that originates in CC1.3.

HR and Competency Controls (CC1.4–CC1.5)

CC1.4 covers attracting, developing, and retaining competent personnel. Evidence includes job descriptions with required qualifications, documented onboarding checklists, security awareness training records, and professional development plans.

CC1.5 covers accountability — holding individuals responsible for their control obligations. This is demonstrated through performance review processes that include security objectives, documented disciplinary procedures, and a user access review process that ties access rights to job function.

Background checks are a critical CC1.4 evidence item. Your policy should define which roles require a background check, what the check covers (criminal, employment verification, etc.), and your process for handling adverse findings. Auditors will sample new-hire records to verify the process is followed.

Evidence to Collect for CC1

For a Type II audit covering a 12-month period, prepare the following CC1 evidence:
  (1) Code of Conduct signed by all employees — export from your HR system showing sign dates.
  (2) Org chart current as of the audit period.
  (3) Board or leadership meeting minutes that reference security reviews.
  (4) Background check policy and sample completed check records (redacted).
  (5) Security awareness training completion records.
  (6) Job descriptions for key security roles.
  (7) Performance review records showing security objectives.

AuditPath automates evidence collection for CC1.4 by integrating with Okta, BambooHR, and Google Workspace to pull training completion and onboarding records directly, eliminating manual spreadsheet exports.

Common CC1 Gaps

The most common CC1 finding is a code of conduct that exists but isn't formally acknowledged by employees. A document sitting in Notion that nobody signs is not a control — it's a draft.

The second most common gap is lack of board-level oversight documentation. Founding teams often skip meeting minutes, but auditors need to see that leadership is reviewing the security program at a cadence. Start keeping minutes from your next security review.

Third: background checks not run consistently. Auditors will sample 5-10 new hires from the audit period. If any are missing background checks, it's a finding. Define the policy, automate the trigger in your HR system, and keep records.
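The new-hire sampling described here (and the evidence list and FAQ timeframes elsewhere on this page) can be rehearsed internally before the auditor runs it. The script below is an added example, not AuditPath's code and not part of the original post; the HR export fields, the policy deadlines and the sample records are constructed assumptions:

```python
"""Readiness check for CC1 onboarding evidence (added example, not AuditPath code).
HR export fields and policy deadlines below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy: days after the start date by which each control must be done
# (0 means the background check must clear on or before the start date).
POLICY_DEADLINES_DAYS = {
    "background_check": 0,
    "code_of_conduct": 30,
    "security_training": 30,
}
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))  # constructed 12-month Type II window

@dataclass
class HireRecord:
    employee: str
    start: date
    background_check: Optional[date] = None   # date the check cleared
    code_of_conduct: Optional[date] = None    # date the e-signature was captured
    security_training: Optional[date] = None  # date training was completed

def check_hire(rec: HireRecord) -> list:
    """Return one finding per control that is missing or completed after its deadline."""
    findings = []
    for control, days in POLICY_DEADLINES_DAYS.items():
        done = getattr(rec, control)
        deadline = rec.start + timedelta(days=days)
        if done is None:
            findings.append(f"{rec.employee}: {control} missing")
        elif done > deadline:
            findings.append(f"{rec.employee}: {control} late by {(done - deadline).days} days")
    return findings

def audit_period(records, period_start: date, period_end: date) -> dict:
    """Check every hire whose start date falls in the period; returns {employee: findings}."""
    in_scope = [r for r in records if period_start <= r.start <= period_end]
    return {r.employee: check_hire(r) for r in in_scope}

# Constructed sample export: one clean hire, one with gaps, one hired before the period.
SAMPLE = [
    HireRecord("alice", date(2024, 2, 5), date(2024, 1, 30), date(2024, 2, 5), date(2024, 2, 20)),
    HireRecord("bob", date(2024, 6, 17), date(2024, 6, 20), date(2024, 7, 30), None),
    HireRecord("carol", date(2023, 11, 1), None, date(2023, 11, 1), date(2023, 11, 2)),
]

if __name__ == "__main__":
    for emp, found in audit_period(SAMPLE, *AUDIT_PERIOD).items():
        print(emp, found or ["no findings"])
```

Any employee with a non-empty findings list is exactly what an auditor's sample would surface; fix the record or the process before the audit period closes.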

Frequently Asked Questions

Does CC1 apply to Type I audits as well as Type II?

Yes. CC1 is evaluated in both SOC 2 Type I (point-in-time design effectiveness) and Type II (operating effectiveness over a period). In a Type I audit, auditors verify that the controls are designed correctly. In a Type II, they also verify the controls operated consistently throughout the audit period.

We are a 10-person startup. Do we need a formal board to satisfy CC1.2?

No. CC1.2 requires an "appropriate oversight body," not specifically a board. A documented security oversight committee, advisory board, or even a formal executive security review meeting with minutes can satisfy this criterion. The key is evidence of independent oversight and review.

What counts as "security awareness training" for CC1.4?

Any documented training that covers information security topics — phishing awareness, data handling, password hygiene, incident reporting. Platforms like KnowBe4, Proofpoint Security Awareness, or even a recorded internal session with a sign-off sheet qualify. Annual training is the minimum; auditors prefer quarterly.

Can a contractor satisfy CC1.4 competency requirements?

Yes, but you need to document it. Contractors filling key security roles should have a written scope of work that includes security responsibilities, and their background checks and training records should match the requirements for equivalent full-time employees.

How far back do auditors look at HR records for a Type II audit?

Auditors sample across the entire audit period, typically 12 months. They will select a random sample of employees who joined during that period and verify that onboarding controls — background checks, code of conduct sign-off, training completion — occurred within your documented timeframes.
