If you’re used to working with a specific SOC 2 framework control, you can use this guide to identify its corresponding Unified Control.
For more information, and to view other framework control maps, visit the Unified Controls FAQ.

SOC 2 Control | Unified Control Name |
--- | --- |
AC-01-SOC Access Control Policy and Procedures | CTRL-1 Access Control Policy and Procedures |
AC-02-SOC User Account Management | CTRL-1 Access Control Policy and Procedures |
AC-02.02-SOC Access Provisioning | CTRL-16 Access Provisioning |
AC-02.02-SOC-T2 Access Provisioning | CTRL-16 Access Provisioning |
AC-02.03-SOC Access Deprovisioning | CTRL-535 Access Termination |
AC-02.03-SOC-T2 Access Deprovisioning | CTRL-535 Access Termination |
AC-02.04-SOC Access Reviews | CTRL-73 Review of User Privileges |
AC-02.04-SOC-T2 Access Reviews | CTRL-73 Review of User Privileges |
AC-03-SOC Role-based Access Controls (RBAC) | CTRL-23 Role-Based Access Control |
AC-03-SOC Role-based Access Controls (RBAC) | CTRL-16 Access Provisioning |
AC-03.01-SOC Privileged Access | CTRL-9 Privileged User Accounts |
AC-03.01-SOC-T2 Privileged Access | CTRL-9 Privileged User Accounts |
AC-05-SOC Separation of Duties | CTRL-65 Separation of Duties |
AC-06-SOC Least Privilege Access | CTRL-23 Role-Based Access Control |
AC-06(07)-SOC Review of Access Privileges | CTRL-73 Review of User Privileges |
AC-07-SOC Unsuccessful Logon Attempts | CTRL-349 Password-Based Authentication |
AC-11-SOC Device Lock and Session Timeouts | CTRL-91 Session Termination |
AT-01-SOC Awareness and Training Policy and Procedures | CTRL-245 Security and Privacy Awareness Training |
AT-02-SOC Security Awareness and Privacy Training | CTRL-245 Security and Privacy Awareness Training |
AT-04-SOC Training Records | CTRL-245 Security and Privacy Awareness Training |
AT-04.01-SOC Security Awareness Training | CTRL-245 Security and Privacy Awareness Training |
AT-04.01-SOC-T2 Security Awareness Training | CTRL-245 Security and Privacy Awareness Training |
CA-01-SOC Assessment, Authorization, and Monitoring Policy and Procedures | CTRL-814 System Integrity Policy and Procedures |
CA-01-SOC-P Assessment, Authorization, and Monitoring Policy and Procedures | CTRL-814 System Integrity Policy and Procedures |
CA-02-SOC Control Assessments | CTRL-149 Control Assessments |
CA-03-SOC Third-Party Agreements | CTRL-1129 Third-Party Agreements |
CA-03-SOC-P Third-Party Agreements | CTRL-1129 Third-Party Agreements |
CA-08-SOC Penetration Testing | CTRL-174 Penetration Testing |
CA-08.02-SOC Penetration Test and Remediation Plan | CTRL-174 Penetration Testing |
CA-08.02-SOC-T2 Penetration Test and Remediation Plan | CTRL-174 Penetration Testing |
CM-01-SOC Configuration and Change Management Policy and Procedures | CTRL-262 Change Management and Software Development Policy and Procedures |
CM-03-SOC Configuration Change Control | CTRL-190 Change Management and Software Development Life Cycle |
CM-05-SOC Access Restrictions for Change | CTRL-16 Access Provisioning |
CM-05.01-SOC Segregation of Duties | CTRL-65 Separation of Duties |
CM-05.01-SOC-T2 Segregation of Duties | CTRL-65 Separation of Duties |
CM-06-SOC System Hardening Through Baseline Configurations | CTRL-208 Configuration Management |
CM-06.01-SOC Configuration Management | CTRL-208 Configuration Management |
CM-06.01-SOC-T2 Configuration Management | CTRL-208 Configuration Management |
CM-06.02-SOC-T2 Change Management | CTRL-190 Change Management and Software Development Life Cycle |
CM-06.03-SOC-T2 System Change Communication | CTRL-190 Change Management and Software Development Life Cycle |
CM-06.04-SOC-T2 System Hardening | CTRL-208 Configuration Management |
CM-08-SOC Asset Inventory | CTRL-435 System Inventory |
CM-08.01-SOC Asset Inventory | CTRL-435 System Inventory |
CM-08.01-SOC-T2 Asset Inventory | CTRL-435 System Inventory |
CM-09-SOC Configuration Management Plan | CTRL-190 Change Management and Software Development Life Cycle |
CP-01-SOC Contingency Planning Policy and Procedures | CTRL-264 Contingency Plan |
CP-01-SOC-A Contingency Planning Policy and Procedures | CTRL-264 Contingency Plan |
CP-02-SOC Contingency Plan (BCP/DR) | CTRL-264 Contingency Plan |
CP-02.01-SOC-A-T2 Capacity Management | CTRL-266 Capacity Planning |
CP-02.02-SOC Business Continuity and Disaster Recovery | CTRL-264 Contingency Plan |
CP-02.02-SOC-A Business Continuity and Disaster Recovery | CTRL-276 Contingency Plan Testing |
CP-02.02-SOC-T2 Business Continuity and Disaster Recovery | CTRL-264 Contingency Plan |
CP-02(02)-SOC-A Capacity Planning | CTRL-266 Capacity Planning |
CP-04-SOC Contingency Plan (BCP/DR) Testing | CTRL-276 Contingency Plan Testing |
CP-09-SOC-A Data Backup | CTRL-300 System Backup |
CP-09.01-SOC Data Backup and Replication | CTRL-306 Redundant Secondary System |
CP-09.01-SOC-A | CTRL-306 Redundant Secondary System |
CP-09.01-SOC-A-T2 Data Backup and Replication | CTRL-306 Redundant Secondary System |
CP-09(01)-SOC-A System Backup Testing | CTRL-301 System Backup Test |
CP-09(06)-SOC-A Redundant Secondary System | CTRL-306 Redundant Secondary System |
IA-01-SOC Identification and Authentication Policy and Procedures | CTRL-1 Access Control Policy and Procedures |
IA-02-SOC User Identification and Authentication | CTRL-319 Identification and Authentication |
IA-02-SOC User Identification and Authentication | CTRL-320 Multi-Factor Authentication |
IA-02-SOC Internal Users Identification and Authentication | CTRL-320 Multi-Factor Authentication |
IA-02.01-SOC Authentication Controls | CTRL-319 Identification and Authentication |
IA-02.01-SOC-T2 Authentication Controls | CTRL-319 Identification and Authentication |
IA-02.02-SOC Multi-factor Authentication | CTRL-320 Multi-Factor Authentication |
IA-02.02-SOC-T2 Multi-factor Authentication | CTRL-320 Multi-Factor Authentication |
IA-05-SOC Password Management | CTRL-349 Password-Based Authentication |
IA-05.01-SOC Password Configurations | CTRL-349 Password-Based Authentication |
IA-05.01-SOC-T2 Password Configurations | CTRL-349 Password-Based Authentication |
IA-08-SOC External Users Identification and Authentication | CTRL-319 Identification and Authentication |
IR-01-SOC Incident Response Policy and Procedures | CTRL-423 Incident Response Plan |
IR-01-SOC-P Incident Response Policy and Procedures | CTRL-423 Incident Response Plan |
IR-01.01-SOC Incident Response Policies and Procedures | CTRL-423 Incident Response Plan |
IR-03-SOC Incident Response Testing | CTRL-23 Role-Based Access Control |
IR-04-SOC Incident Handling and Reporting | CTRL-423 Incident Response Plan |
IR-05-SOC Incident Monitoring | CTRL-423 Incident Response Plan |
IR-05-SOC-P Incident Monitoring | CTRL-423 Incident Response Plan |
IR-08-SOC Incident Response Plan | CTRL-423 Incident Response Plan |
IR-08-SOC-P Incident Response Plan | CTRL-423 Incident Response Plan |
IR-08.01-SOC Security Incidents | CTRL-423 Incident Response Plan |
IR-08.01-SOC-T2 Security Incidents | CTRL-423 Incident Response Plan |
IR-08.02-SOC-T2 Incident Response Plan Test | CTRL-394 Incident Response Testing |
KT-01-SOC Key Tool Selection (HR) | CTRL-1134 Key Tools Selection (HR) |
KT-02-SOC Key Tool Selection (Technical) | CTRL-1135 Key Tools Selection (Technical) |
LCL-38 Access Reviews | CTRL-73 Review of User Privileges |
PM-01-SOC Information Security Program Management Policy and Procedures | CTRL-431 Information Security Policy and Procedures |
PM-01-SOC-P Information Security Program Management Policy and Procedures | CTRL-431 Information Security Policy and Procedures |
PM-02-SOC Information Security Program Leadership Role | CTRL-432 Information Security Program Leadership Role |
PM-06-SOC Performance Reviews | CTRL-1127 Performance Reviews |
PM-07-SOC Network Architecture and Dataflow Diagrams | CTRL-198 Network Segmentation |
PM-07.01-SOC Network Segmentation | CTRL-198 Network Segmentation |
PM-07.01-SOC-T2 Network Segmentation | CTRL-198 Network Segmentation |
PM-09-SOC Risk Management Program and Strategy | CTRL-463 Risk Management Committee |
PM-09-SOC Risk Management Program and Strategy | CTRL-646 Risk Assessment |
PM-09.01-SOC Risk Committee Oversight | CTRL-463 Risk Management Committee |
PM-09.01-SOC-T2 Risk Committee Oversight | CTRL-463 Risk Management Committee |
PM-09.02-SOC-T2 Risk Committee Meeting | CTRL-463 Risk Management Committee |
PM-09.03-SOC-T2 Guidelines and Support Resources | CTRL-1130 Guidelines and Support Resources |
PM-09.04-SOC-T2 Roles & Responsibilities | CTRL-432 Information Security Program Leadership Role |
PM-20-SOC-P Dissemination of Privacy Program Information | CTRL-1130 Guidelines and Support Resources |
PM-29-SOC Risk Management Program Leadership Roles (TO DELETE) | CTRL-463 Risk Management Committee |
POL-01-SOC Policy Review and Publication | CTRL-431 Information Security Policy and Procedures |
POL-01-SOC-T2 Policy Review | CTRL-431 Information Security Policy and Procedures |
POL-02-SOC Policy Socialization | CTRL-431 Information Security Policy and Procedures |
PS-01-SOC Personnel Security Policy and Procedures | CTRL-530 Personnel Screening |
PS-01-SOC Personnel Security Policy and Procedures | CTRL-431 Information Security Policy and Procedures |
PS-02-SOC Security Job and Risk Descriptions | CTRL-545 Position Descriptions |
PS-02.01-SOC Job Descriptions | CTRL-545 Position Descriptions |
PS-02.01-SOC-T2 Job Descriptions | CTRL-545 Position Descriptions |
PS-02.02-SOC Organization Chart | CTRL-545 Position Descriptions |
PS-02.02-SOC-T2 Organization Chart | CTRL-545 Position Descriptions |
PS-02.03-SOC Performance Reviews | CTRL-1127 Performance Reviews |
PS-02.03-SOC-T2 Performance Reviews | CTRL-1127 Performance Reviews |
PS-03-SOC Personnel Screening | CTRL-530 Personnel Screening |
PS-03.01-SOC Background Checks | CTRL-530 Personnel Screening |
PS-03.01-SOC-T2 Background Checks | CTRL-530 Personnel Screening |
PS-04-SOC Personnel Termination | CTRL-535 Access Termination |
PS-06-SOC Confidentiality Agreements for Company Personnel | CTRL-539 Access Agreements |
PS-06.01-SOC Confidentiality Agreements for Company Personnel | CTRL-539 Access Agreements |
PS-06.01-SOC-T2 Confidentiality Agreements for Company Personnel | CTRL-539 Access Agreements |
PS-06.02-SOC-T2 Code of Conduct Acknowledgement | CTRL-539 Access Agreements |
RA-01-SOC Risk Assessment Policy and Procedures | CTRL-643 Risk Assessment Policy and Procedures |
RA-03-SOC Risk Assessment | CTRL-646 Risk Assessment |
RA-03.01-SOC Risk Objectives, Control, and Assessment | CTRL-646 Risk Assessment |
RA-03.01-SOC-T2 Risk Objectives, Control, and Assessment | CTRL-646 Risk Assessment |
RA-05-SOC Vulnerability Monitoring and Scanning | CTRL-652 Vulnerability Management |
RA-05-SOC Vulnerability Monitoring and Scanning | CTRL-814 System Integrity Policy and Procedures |
RA-07-SOC Risk Response and Remediation | CTRL-646 Risk Assessment |
RA-07-SOC Risk Response and Remediation | CTRL-652 Vulnerability Management |
SA-01-SOC System Development Life Cycle (SDLC) Policy and Procedures | CTRL-262 Change Management and Software Development Policy and Procedures |
SA-01-SOC-P System Development Life Cycle (SDLC) Policy and Procedures | CTRL-262 Change Management and Software Development Policy and Procedures |
SA-03-SOC System Development Life Cycle | CTRL-262 Change Management and Software Development Policy and Procedures |
SA-03-SOC-C System Development Life Cycle | CTRL-262 Change Management and Software Development Policy and Procedures |
SA-03-SOC-P System Development Life Cycle | CTRL-262 Change Management and Software Development Policy and Procedures |
SA-03.01-SOC-C-T2 Sensitive Data in Non-Prod | CTRL-1186 Sensitive Data in Non-Production Environments |
SA-03(02)-SOC-C Use of Live or Operational Data | CTRL-1186 Sensitive Data in Non-Production Environments |
SA-03(02)-SOC-P Use of Live or Operational Data | CTRL-1186 Sensitive Data in Non-Production Environments |
SA-09-SOC External System Services | CTRL-1129 Third-Party Agreements |
SA-09-SOC External System Services | CTRL-1109 Supplier Assessments and Reviews |
SC-01-SOC System Protection Policy and Procedures | CTRL-932 System Protection Policy and Procedures |
SC-07-SOC Boundary Protection and Firewalls | CTRL-833 Logging and Monitoring |
SC-07-SOC Boundary Protection and Firewalls | CTRL-950 Boundary Protection |
SC-08-SOC Transmission Confidentiality and Integrity | CTRL-112 Encryption of Data at Rest and in Transit |
SC-08.01-SOC Data Transmission Protocols | CTRL-112 Encryption of Data at Rest and in Transit |
SC-08.01-SOC-T2 Data Transmission Protocols | CTRL-112 Encryption of Data at Rest and in Transit |
SC-08.03-SOC Security Groups (SG) | CTRL-950 Boundary Protection |
SC-08.03-SOC-T2 Security Groups (SG) | CTRL-950 Boundary Protection |
SC-12-SOC Cryptographic Key Establishment and Management | CTRL-194 Cryptography Management |
SC-13-SOC Cryptographic Protection | CTRL-112 Encryption of Data at Rest and in Transit |
SC-13-SOC Cryptographic Protection | CTRL-194 Cryptography Management |
SC-13-SOC-P Cryptographic Protection | CTRL-194 Cryptography Management |
SC-38.01-SOC-T2 Data Encryption | CTRL-112 Encryption of Data at Rest and in Transit |
SI-01-SOC System Integrity Policy and Procedures | CTRL-814 System Integrity Policy and Procedures |
SI-01-SOC-C System Integrity Policy and Procedures | CTRL-814 System Integrity Policy and Procedures |
SI-01-SOC-P System Integrity Policy and Procedures | CTRL-814 System Integrity Policy and Procedures |
SI-02-SOC Flaw Remediation and Patch Management | CTRL-652 Vulnerability Management |
SI-02.01-SOC-T2 Infrastructure Patching | CTRL-652 Vulnerability Management |
SI-03-SOC Malware and Endpoint Protection | CTRL-822 Malicious Code Protection |
SI-03-SOC-C Malware and Endpoint Protection | CTRL-822 Malicious Code Protection |
SI-03-SOC-P Malware and Endpoint Protection | CTRL-822 Malicious Code Protection |
SI-04-SOC System Monitoring | CTRL-833 Logging and Monitoring |
SI-04.01-SOC Intrusion Detection System (IDS) | CTRL-833 Logging and Monitoring |
SI-04.01-SOC-T2 Intrusion Detection System (IDS) | CTRL-833 Logging and Monitoring |
SI-04.02-SOC Anti-malware | CTRL-822 Malicious Code Protection |
SI-04.02-SOC-T2 Anti-malware | CTRL-822 Malicious Code Protection |
SI-04.03-SOC Vulnerability Scanning and Remediation | CTRL-652 Vulnerability Management |
SI-04.03-SOC-T2 Vulnerability Scanning and Remediation | CTRL-652 Vulnerability Management |
SI-04.05-SOC Log Management | CTRL-833 Logging and Monitoring |
SI-04.05-SOC-T2 Log Management | CTRL-833 Logging and Monitoring |
SI-04.06-SOC Infrastructure Monitoring & Alerting | CTRL-833 Logging and Monitoring |
SI-04.06-SOC-T2 Infrastructure Monitoring & Alerting | CTRL-833 Logging and Monitoring |
SI-04(05)-SOC System-Generated Alerts | CTRL-833 Logging and Monitoring |
SI-12-SOC Data Handling, Retention, and Disposal | CTRL-896 Information Management and Retention |
SI-12-SOC-C Data Handling, Retention, and Disposal | CTRL-896 Information Management and Retention |
SI-12-SOC-P Data Handling, Retention, and Disposal | CTRL-896 Information Management and Retention |
SI-12.01-SOC-C Customer Data Deletion | CTRL-899 Information Disposal |
SI-12.01-SOC-C-T2 Customer Data Deletion | CTRL-899 Information Disposal |
SR-01-SOC Third-Party Risk Management Policy and Procedures | CTRL-1094 Third-Party Risk Management Policy and Procedures |
SR-01-SOC-P Third-Party Risk Management Policy and Procedures | CTRL-1094 Third-Party Risk Management Policy and Procedures |
SR-02-SOC Third Party Management | CTRL-1094 Third-Party Risk Management Policy and Procedures |
SR-06-SOC Third-Party Risk Assessments | CTRL-1109 Supplier Assessments and Reviews |
SR-06-SOC-P Third-Party Risk Assessments | CTRL-1109 Supplier Assessments and Reviews |
SR-06.01-SOC Vendor Management | CTRL-1109 Supplier Assessments and Reviews |
SR-06.01-SOC-T2 Vendor Management | CTRL-1094 Third-Party Risk Management Policy and Procedures |
SR-06.02-SOC Vendor Confidentiality Agreements | CTRL-1129 Third-Party Agreements |
SR-06.02-SOC-T2 Vendor Confidentiality Agreements | CTRL-1129 Third-Party Agreements |
SR-06.03-SOC-T2 Customer MSA/EULA | CTRL-1128 Customer Agreements |

Viewing Framework Controls in Thoropass
You can view the framework requirements satisfied by a Unified Control by clicking References on the side panel when viewing the Unified Control.
The IDs and names of all framework controls satisfied by the Unified Control are listed by framework. Click a framework control to view its description.