Secure Controls Framework
Download The SCF
SOC 2

What does SOC 2 CC6 require?

Direct Answer

CC6 (Logical and Physical Access Controls) requires organizations to restrict access to authorized users based on least privilege, implement identification and authentication controls, protect data in transit and at rest through encryption, control physical access to data processing facilities, and promptly remove access when no longer needed. CC6 also addresses encryption key management and remote access controls.

CC6 is one of the most detailed TSC categories and one of the most common sources of audit findings. Common CC6 deficiencies include access reviews not performed on a regular schedule, terminated employees retaining system access, shared credentials, and missing encryption on portable storage media. Organizations should establish a formal access review process, automate deprovisioning where possible, and document encryption controls across all in-scope systems before beginning their SOC 2 audit engagement.

Keep Exploring

Relevant Resources

References

Authoritative Sources