The CC1 series of the trust services criteria (the control environment) is the foundation of your SOC 2 examination: it corresponds to the first five COSO principles and covers how your organization demonstrates integrity and ethical values, how it is structured, and how it hires, develops, and holds people accountable. This blog post provides an overview of each criterion, the key concepts assessed, typical evidence requests for each, and the ByteChek difference.

Overview of CC1.0 (Control Environment)

CC1.1, CC1.3, CC1.4, and CC1.5

CC1.1 The entity demonstrates a commitment to integrity and ethical values.

CC1.3 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

CC1.4 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

CC1.5 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Key Concepts Assessed in CC1.1, CC1.3, CC1.4, and CC1.5:

Background Checks

Typical evidence requests: The controls in the CC1.0 series will require a listing of all employees from your Human Resources Information System (HRIS) showing the hire dates for each employee. Note that the population is everyone hired during the examination period, including people who have since left; a listing filtered to active employees only will be sent back. Your auditors will select a sample of new employees and request evidence that each sampled new employee underwent a background check prior to their start date, so the completion date on the evidence is compared against the hire date in the HRIS listing. This evidence is generally redacted and only shows your auditors the individual’s name, the date the background check was completed, and the vendor used to conduct the check (e.g. GoodHire, Checkr).

With ByteChek, we integrate directly with your HRIS or background check tools, where this information already resides. That eliminates the manual employee listing and the hours your HR team would otherwise spend collecting evidence and talking to auditors. If your organization does not use the tools we integrate with, our platform lets your employees upload evidence of their background checks directly to the ByteChek platform.

Code of Conduct Acknowledgement

Typical evidence requests: Your auditors will request a copy of your employee handbook or code of conduct. The code of conduct should describe the responsibilities and expected behavior of each employee and should outline a sanctions policy for workforce members’ misconduct. This concept also involves testing how the code of conduct is incorporated into your onboarding procedures. Your auditors will request a listing of all employees from your HRIS showing the hire dates for each employee, select a sample of new employees, and request evidence that each sampled new employee read and agreed to the code of conduct upon hire.

With ByteChek, our platform is built with an intuitive information security policy generator that helps you quickly create a robust and detailed policy. This policy includes a code of conduct that outlines an employee’s responsibilities and expected behavior. If you already have a code of conduct, you can upload it directly to our platform to address this control. We also take care of communicating it to users: your employees read and acknowledge the code of conduct in the ByteChek platform, and the platform integrates with your HRIS tool to identify any new hires who were required to acknowledge it.

Security Awareness Training

Typical evidence requests: The controls in the CC1.0 series will require a listing of all employees from your Human Resources Information System (HRIS) showing the hire dates for each employee. Your auditors will select a sample of new employees and request evidence that each sampled new employee completed security awareness training upon hire. This evidence is typically a certificate of completion from your security awareness training provider. If your policies also commit to periodic (for example, annual) refresher training, expect auditors to test that population as well, because they test against what your policy says.

With ByteChek, our platform helps orchestrate the submission of security awareness training evidence for your SOC 2 examination. Your employees can upload evidence of their security awareness training directly to the ByteChek platform, and our employee dashboard gives managers a single-pane view of the completion status of all key onboarding activities. We are building an integration with KnowBe4 and are always looking for feedback on future integrations; feel free to send us an integration suggestion at info@bytechek.com.

Job Descriptions

Typical evidence requests: The controls in the CC1.0 series will require a listing of all employees from your Human Resources Information System (HRIS) showing the hire dates and employment status for each employee. Your auditors will select a sample of employees and request evidence that each sampled employee has a job description that outlines roles, responsibilities, and education requirements.

With ByteChek, our platform provides a form to paste a link to your careers page or another website where you post available job descriptions. The link to your job descriptions will populate in our Control Dashboard Console so your auditors can quickly evaluate this control. No more sending auditors PDFs of job descriptions.

Confidentiality Agreements

Typical evidence requests: The controls in the CC1.0 series will require a listing of all employees from your HRIS showing the hire dates and employment status for each employee. Your auditors will select a sample of new employees and request evidence that each sampled new employee signed a confidentiality agreement upon hire.

With ByteChek, we integrate directly with your HRIS tools, where this information already resides. That eliminates the manual employee listing and the hours your HR team would otherwise spend collecting evidence and talking to auditors. If your organization does not use the tools we integrate with, our platform lets your employees upload evidence of their confidentiality agreements directly to the ByteChek platform.

Information Security Policies and Procedures

Typical evidence requests: Your information security policies and procedures, including approvals and version history. Your auditors may point you to templates or websites where you can generate a policy that will sufficiently address this criterion. Be prepared to explain the process or tools used to communicate these policies and procedures to employees (e.g. acknowledged upon hire, stored in an internal document repository). A few key concepts your information security policy should cover are:

  • Roles and Responsibilities

  • Human Resources Security

  • Asset Management

  • Access Control

  • Cryptography

  • Physical Security

  • Risk Management

  • Compliance & Internal Audit

  • Logging and Monitoring

  • Communications Security

  • Software Development Lifecycle

  • Third-Party Management

  • Incident Management

  • Business Continuity

  • Disaster Recovery

  • Privacy

With ByteChek, our platform is built with an intuitive information security policy generator that helps you quickly create a robust and detailed policy. If you already have a policy, you can upload it directly to our platform to address this control. We also take care of communicating it to users: your employees can use the ByteChek platform to read and acknowledge their understanding of the information security policy (and other applicable policies and procedures).

Defined Management Responsibilities

Typical evidence requests: Your auditors will examine your information security policy and procedures to determine that there is an individual or individuals assigned responsibility to oversee the implementation of the information security environment. Alternatively, your auditors may ask for the Chief Information Security Officer (CISO), Director of Information Security, or other responsible individual’s job description outlining their responsibilities for the oversight of the implementation of the information security environment.

With ByteChek, our platform is built with an intuitive information security policy generator that helps you quickly create a robust and detailed policy that assigns responsibility for overseeing the implementation of the information security program to the individual you designate. If you already have a policy that meets these requirements, you can upload it directly to our platform to address this control.

CC1.2 The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Key Concepts Assessed in CC1.2:

Establishing the board:

  • Typical evidence requests: An output (PDF or Word) of the board of directors charter document. Your auditors will confirm that the board has oversight responsibilities related to internal control.

  • With ByteChek, you’ll upload evidence of your board of directors charter documents directly to our platform using the control discussion feature with each control.

Board meeting cadence:

  • Typical evidence requests: Your auditors will ask for proof of regular board meetings, generally evidenced by meeting minutes and calendar invites. The meeting minutes should show that responsibilities related to internal control were discussed.

  • At ByteChek, we understand that board of directors meeting minutes are sensitive, so we will work with you to set up a time to remotely observe evidence of these meeting minutes.

The ByteChek Difference

We started ByteChek with one goal in mind: Make Compliance Suck Less. This blog post covers a small subset of the controls we built our platform to automate and move away from status quo SOC 2 examinations and other framework audits. Automating compliance and eliminating screenshots, document uploads, and generic evidence requests help your team focus on growing and securing your business. Reach out to our team to learn how you can automate compliance and set up a demo of the ByteChek platform.
