CIS Controls and SOC 2 Mapping

Understanding how CIS Controls map to SOC 2 helps organizations implement security controls that satisfy both frameworks efficiently. This guide provides a detailed mapping between CIS Controls v8 safeguards and SOC 2 Trust Services Criteria.

CIS Controls tell you what to implement technically. SOC 2 provides a framework to prove your controls work. By implementing CIS Controls with SOC 2 in mind, you build a security program that's both effective and auditable.

Key Takeaways

| Point | Summary |
|---|---|
| Complementary frameworks | CIS provides implementation guidance; SOC 2 provides attestation |
| Strong overlap | IG1 covers the majority of SOC 2 technical control requirements |
| IG2 recommended | Full SOC 2 alignment typically requires IG2 safeguards |
| Evidence-focused | CIS implementation creates evidence for SOC 2 audits |
| Efficiency | Implementing both together is more efficient than sequentially |

Quick Answer: CIS Controls provide excellent technical implementation guidance for SOC 2 compliance. IG1 (56 safeguards) covers approximately 70% of SOC 2's technical control requirements. Adding IG2 safeguards (particularly vulnerability scanning, centralized logging, and penetration testing) brings coverage to approximately 90%. The remaining requirements relate to governance, policies, and specific SOC 2 criteria that aren't purely technical.

Understanding the Relationship

CIS Controls: The "How"

CIS Controls specify exactly what to implement:

  • 18 controls with 153 safeguards
  • Prioritized by Implementation Group
  • Technical and procedural guidance
  • No certification; internal improvement focus

SOC 2: The "Proof"

SOC 2 provides external validation:

  • Trust Services Criteria framework
  • Annual audit by CPA firm
  • Report demonstrating control effectiveness
  • Customer-facing compliance evidence

Why Use Both?

| Challenge | CIS Controls Solution | SOC 2 Solution |
|---|---|---|
| What to implement | Specific safeguards | General criteria |
| How to prioritize | Implementation Groups | Risk-based |
| Proving to customers | Internal documentation | External audit report |
| Continuous improvement | Implementation tracking | Annual attestation |

SOC 2 Trust Services Criteria Overview

SOC 2 is organized around five Trust Services Criteria:

| Criteria | Code | Description |
|---|---|---|
| Security (Common Criteria) | CC | Protection against unauthorized access |
| Availability | A | System availability and performance |
| Processing Integrity | PI | Complete, accurate, timely processing |
| Confidentiality | C | Protection of confidential information |
| Privacy | P | Collection, use, retention of personal information |

Security (CC) is mandatory. The other four criteria are included based on your service and your customers' requirements. Most SaaS companies include Security and Availability.

Detailed Mapping: Security Criteria (CC)

CC1: Control Environment

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| CC1.1 COSO principle 1 (integrity and ethics) | 14.1 (Security awareness program) | Training supports ethical behavior |
| CC1.2 Board oversight | N/A | Governance, not technical |
| CC1.3 Management oversight | 17.1 (Designate incident personnel) | Assigned responsibility |
| CC1.4 Organizational structure | N/A | Governance, not technical |
| CC1.5 Commitment to competence | 14.1-14.6 (Training safeguards) | Skills training |

CC2: Communication and Information

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| CC2.1 Internal communication | 14.1, 17.3 (Training, incident reporting) | Security awareness |
| CC2.2 External communication | 17.2 (Contact information) | Incident contacts |
| CC2.3 System changes | 4.1 (Secure configuration process) | Change management |

CC3: Risk Assessment

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| CC3.1 Objectives specification | 7.1 (Vulnerability management process) | Risk identification |
| CC3.2 Risk identification | 7.1, 7.5, 7.6 (Vulnerability scanning) | IG2 scanning recommended |
| CC3.3 Fraud consideration | 14.2 (Social engineering training) | Fraud awareness |
| CC3.4 Change identification | 2.1, 2.3 (Software inventory) | Change detection |

CC4: Monitoring Activities

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| CC4.1 Ongoing and separate evaluations | 8.11 (Log reviews), 18.2 (Penetration testing) | IG2 safeguards |
| CC4.2 Deficiency evaluation | 7.2 (Remediation process) | Tracking remediation |

CC5: Control Activities

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| CC5.1 Selection and development | All implementation safeguards | CIS provides control selection |
| CC5.2 Technology controls | 4.1-4.12 (Secure configuration) | Technical controls |
| CC5.3 Policies deployment | 4.1, 8.1 (Process documentation) | Policy implementation |

CC6: Logical and Physical Access

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| CC6.1 Logical access security | 5.1-5.6, 6.1-6.8 (Account and access management) | Core access controls |
| CC6.2 Prior to access | 6.1 (Access granting process) | Access provisioning |
| CC6.3 Access removal | 5.3, 6.2 (Dormant accounts, revoking) | Access deprovisioning |
| CC6.4 Access review | 5.1, 6.6 (Account and auth inventory) | Access reviews |
| CC6.5 Segregation of duties | 5.4 (Dedicated admin accounts) | Role separation |
| CC6.6 External threat protection | 4.4, 4.5, 10.1-10.7 (Firewalls, anti-malware) | Perimeter defense |
| CC6.7 Transmission protection | 3.10 (Encrypt data in transit) | IG2 safeguard |
| CC6.8 Unauthorized software | 2.3 (Address unauthorized software) | Software control |

CC7: System Operations

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| CC7.1 Detection measures | 8.2, 13.1-13.6 (Logging, monitoring) | Detection capabilities |
| CC7.2 Incident detection | 13.1, 13.2 (Security alerting, IDS) | IG2 safeguards |
| CC7.3 Incident evaluation | 17.4 (Incident response process) | IG2 safeguard |
| CC7.4 Incident response | 17.1-17.9 (Incident response) | Full IR program |
| CC7.5 Incident recovery | 11.1-11.5 (Data recovery) | Recovery capabilities |

CC8: Change Management

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| CC8.1 Change authorization | 4.1 (Secure configuration process) | Change control |

CC9: Risk Mitigation

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| CC9.1 Risk identification and remediation | 7.1-7.7 (Vulnerability management) | Vulnerability program |
| CC9.2 Vendor risk | 15.1-15.7 (Service provider management) | Third-party risk |

Mapping: Availability Criteria (A)

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| A1.1 Capacity management | N/A | Infrastructure planning |
| A1.2 Environmental protections | N/A | Physical security |
| A1.3 Recovery operations | 11.1-11.5 (Data recovery) | Backup and recovery |

Mapping: Confidentiality Criteria (C)

| SOC 2 Criteria | Relevant CIS Controls | Notes |
|---|---|---|
| C1.1 Identification of confidential information | 3.1, 3.2 (Data management, inventory) | Data classification |
| C1.2 Destruction of confidential information | 3.5 (Secure disposal) | Secure deletion |

CIS Controls Coverage by SOC 2 Area

This summary shows how CIS Controls Implementation Groups cover SOC 2 requirements:

Coverage by Implementation Group

| SOC 2 Area | IG1 Coverage | IG2 Coverage | IG3 Coverage |
|---|---|---|---|
| CC6: Access Controls | Strong | Complete | Complete |
| CC7: Operations | Moderate | Strong | Complete |
| CC3: Risk Assessment | Basic | Strong | Complete |
| CC8: Change Management | Basic | Moderate | Strong |
| CC9: Risk Mitigation | Moderate | Strong | Complete |
| Availability (A) | Moderate | Strong | Strong |
| Confidentiality (C) | Moderate | Strong | Strong |

Key IG2 Safeguards for SOC 2

These IG2 safeguards significantly improve SOC 2 alignment:

| Safeguard | SOC 2 Benefit |
|---|---|
| 7.5 Internal vulnerability scanning | CC3.2 risk identification |
| 7.6 External vulnerability scanning | CC3.2 risk identification |
| 8.9 Centralize audit logs | CC7.1 detection measures |
| 8.11 Conduct log reviews | CC4.1 monitoring activities |
| 13.1 Security event alerting | CC7.2 incident detection |
| 15.2-15.5 Service provider management | CC9.2 vendor risk |
| 17.4 Incident response process | CC7.3, CC7.4 incident handling |
| 18.2 Periodic penetration testing | CC4.1 separate evaluations |

Practical Implementation

Phase 1: IG1 Foundation (Months 1-3)

Implement IG1 safeguards that directly support SOC 2:

Access Controls (CC6):

  • 5.1: Account inventory
  • 5.2: Unique passwords
  • 5.3: Disable dormant accounts
  • 5.4: Dedicated admin accounts
  • 6.1: Access granting process
  • 6.2: Access revoking process
  • 6.3-6.5: MFA requirements

System Operations (CC7):

  • 8.1: Audit log process
  • 8.2: Collect audit logs
  • 8.3: Adequate log storage
  • 11.1-11.4: Data recovery

Risk Mitigation (CC9):

  • 7.1: Vulnerability management process
  • 7.2: Remediation process
  • 7.3-7.4: Automated patching
  • 15.1: Service provider inventory

Phase 2: IG2 Enhancement (Months 3-6)

Add IG2 safeguards for stronger SOC 2 alignment:

Risk Assessment (CC3):

  • 7.5: Internal vulnerability scans
  • 7.6: External vulnerability scans
  • 7.7: Remediate detected vulnerabilities

Monitoring (CC4, CC7):

  • 8.9: Centralize audit logs
  • 8.11: Conduct log reviews
  • 13.1: Security event alerting
  • 13.2: Host-based intrusion detection
  • 18.2: External penetration testing

Vendor Management (CC9):

  • 15.2: Service provider policy
  • 15.3: Classify service providers
  • 15.4: Security requirements in contracts
  • 15.5: Assess service providers

Phase 3: Documentation and Evidence (Months 4-6)

Prepare for SOC 2 audit:

Document controls:

  • Write policies supporting each control
  • Document procedures for each safeguard
  • Create evidence collection processes

Gather evidence:

  • Screenshots of configurations
  • Logs demonstrating control operation
  • Reports from security tools
  • Training records
  • Access review documentation

Common Questions

Can I pass SOC 2 with only IG1?

You can, but it requires careful scoping and documentation. IG1 covers the foundational technical controls, but SOC 2 also requires:

  • Formal policies and procedures
  • Governance and oversight
  • Risk assessment processes
  • Vendor management beyond inventory

Organizations typically find IG2 safeguards (particularly logging, monitoring, and vulnerability scanning) strengthen their SOC 2 posture significantly.

What SOC 2 requirements aren't covered by CIS Controls?

| SOC 2 Requirement | Why Not in CIS |
|---|---|
| Board oversight | Governance, not technical |
| HR policies | People management |
| Physical security | Physical controls minimal in CIS |
| Privacy (P criteria) | Privacy requires separate framework |
| Business continuity planning | Beyond technical controls |

Should I implement CIS Controls before pursuing SOC 2?

Either order works, but implementing CIS Controls first offers advantages:

  • Build security before proving it
  • Reduce audit findings
  • Create evidence as you implement
  • Understand what you're attesting to

How does this mapping help during the audit?

Provide your auditor with:

  • CIS Controls implementation documentation
  • Mapping to SOC 2 criteria (use this guide)
  • Evidence of safeguard implementation
  • Tool outputs and configurations

Auditors appreciate structured evidence that clearly demonstrates control implementation.

Evidence Matrix

Use this matrix to collect evidence during implementation:

| CIS Safeguard | SOC 2 Criteria | Evidence Type | Example |
|---|---|---|---|
| 5.1 Account Inventory | CC6.1, CC6.4 | Report | User account list with attributes |
| 5.3 Dormant Accounts | CC6.3 | Process | Monthly account review procedure |
| 6.3-6.5 MFA | CC6.1 | Configuration | SSO/IdP MFA settings screenshot |
| 7.3 OS Patching | CC9.1 | Report | Patch compliance report |
| 8.2 Audit Logs | CC7.1 | Configuration | Logging configuration documentation |
| 11.2 Backups | A1.3 | Report | Backup success reports |
| 14.1 Training | CC1.5 | Records | Training completion rates |
| 17.4 IR Process | CC7.4 | Document | Incident response plan |
| 18.2 Pen Testing | CC4.1 | Report | Penetration test report |
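The 5.3 row of the matrix is easier to evidence when the monthly review is a repeatable script rather than a manual spreadsheet pass. The Python below is an added example, not part of this guide or of any tool it describes: it reviews a constructed directory export against the 45-day inactivity window that CIS v8 Safeguard 5.3 specifies and produces the review record an auditor would expect for CC6.3. The export columns, the sample accounts, and the decision to route service accounts to owner attestation rather than automatic disablement are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

DORMANT_DAYS = 45  # inactivity window specified by CIS v8 Safeguard 5.3

# Constructed sample directory export (hypothetical data); an empty last_login
# means the account has never been used.
SAMPLE_EXPORT = """username,enabled,created,last_login,account_type
alice,true,2023-01-10,2024-05-28,user
bob,true,2023-02-01,2024-03-01,user
svc-backup,true,2022-11-05,,service
carol,true,2024-05-20,,user
dave,false,2021-06-15,2023-12-01,user
erin,true,2022-09-09,2024-01-15,admin
"""


def parse_date(value):
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def find_dormant(export_csv, as_of_iso, dormant_days=DORMANT_DAYS):
    """Return (dormant, needs_attestation) for enabled accounts.

    Dormant = last login (or creation date, if never logged in) at or before the
    cutoff. Service accounts rarely log in interactively, so they go to an owner
    attestation list instead of the disable queue (an assumption of this example).
    """
    cutoff = parse_date(as_of_iso) - timedelta(days=dormant_days)
    dormant, needs_attestation = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].lower() != "true":
            continue  # already disabled: stays in the inventory, no action needed
        last_seen = parse_date(row["last_login"]) or parse_date(row["created"])
        if last_seen is not None and last_seen > cutoff:
            continue
        target = needs_attestation if row["account_type"] == "service" else dormant
        target.append(row["username"])
    return sorted(dormant), sorted(needs_attestation)


def review_record(export_csv, as_of_iso, reviewer):
    """Evidence record for the monthly review (the 5.3 row of the matrix above)."""
    dormant, attest = find_dormant(export_csv, as_of_iso)
    return {
        "control": "5.3 Dormant Accounts",
        "soc2": "CC6.3",
        "review_date": as_of_iso,
        "reviewer": reviewer,
        "disable": dormant,
        "owner_attestation_required": attest,
    }
```

Retaining each month's record (with reviewer and date) is what turns the procedure into the kind of operating-effectiveness evidence a Type II audit samples.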

Building a Combined Program

Unified Control Framework

Create a control framework that addresses both:

| Control ID | Control Name | CIS Safeguards | SOC 2 Criteria | Status |
|---|---|---|---|---|
| AC-001 | Account Inventory | 5.1 | CC6.1, CC6.4 | |
| AC-002 | MFA | 6.3, 6.4, 6.5 | CC6.1 | |
| AC-003 | Access Provisioning | 6.1 | CC6.2 | |
| AC-004 | Access Deprovisioning | 5.3, 6.2 | CC6.3 | |

Continuous Compliance

After initial implementation:

Monthly:

  • Review access and account status
  • Verify backup completion
  • Update asset inventory
  • Collect evidence for ongoing controls

Quarterly:

  • Formal access review
  • Vulnerability scan review
  • Training status review
  • Policy review

Annually:

  • Full SOC 2 audit
  • Penetration testing
  • Complete policy update
  • CIS Controls reassessment
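A unified register like the one above earns its keep when it can answer two audit questions on demand: which in-scope SOC 2 criteria have no implemented control behind them, and which controls have evidence older than their monthly, quarterly or annual cadence allows. The Python below is an added example, not part of this guide or of any tool it describes; the register rows, statuses, dates, and the day tolerances per cadence are constructed assumptions, while the CIS safeguard and SOC 2 values are taken from the framework table.

```python
from datetime import date

# Evidence tolerance per cadence, following the monthly/quarterly/annual schedule above.
CADENCE_DAYS = {"monthly": 31, "quarterly": 92, "annually": 366}

# Constructed register (hypothetical statuses and dates); CIS/SOC 2 values follow the
# unified control framework table. evidence_date is the newest evidence item on file.
REGISTER = [
    {"id": "AC-001", "name": "Account Inventory", "cis": ["5.1"], "soc2": ["CC6.1", "CC6.4"],
     "status": "implemented", "cadence": "monthly", "evidence_date": "2024-05-20"},
    {"id": "AC-002", "name": "MFA", "cis": ["6.3", "6.4", "6.5"], "soc2": ["CC6.1"],
     "status": "implemented", "cadence": "quarterly", "evidence_date": "2024-01-15"},
    {"id": "AC-003", "name": "Access Provisioning", "cis": ["6.1"], "soc2": ["CC6.2"],
     "status": "implemented", "cadence": "quarterly", "evidence_date": "2024-04-02"},
    {"id": "AC-004", "name": "Access Deprovisioning", "cis": ["5.3", "6.2"], "soc2": ["CC6.3"],
     "status": "planned", "cadence": "monthly", "evidence_date": None},
    {"id": "OP-001", "name": "Penetration Testing", "cis": ["18.2"], "soc2": ["CC4.1"],
     "status": "implemented", "cadence": "annually", "evidence_date": "2023-03-30"},
]

# SOC 2 criteria in scope for this illustration (a subset of the CC4/CC6/CC7 rows above).
IN_SCOPE = ["CC4.1", "CC6.1", "CC6.2", "CC6.3", "CC6.4", "CC7.1"]


def criteria_index(register):
    """Invert the register: SOC 2 criterion -> ids of the controls that claim it."""
    index = {}
    for ctl in register:
        for crit in ctl["soc2"]:
            index.setdefault(crit, []).append(ctl["id"])
    return index


def coverage_gaps(register, in_scope):
    """Criteria with no implemented control behind them; a planned control is not evidence."""
    implemented = criteria_index([c for c in register if c["status"] == "implemented"])
    return [crit for crit in in_scope if crit not in implemented]


def stale_evidence(register, as_of_iso):
    """Implemented controls whose newest evidence is missing or older than its cadence allows."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for ctl in register:
        if ctl["status"] != "implemented":
            continue
        if ctl["evidence_date"] is None:
            findings.append((ctl["id"], "no evidence on file"))
            continue
        age = (as_of - date.fromisoformat(ctl["evidence_date"])).days
        limit = CADENCE_DAYS[ctl["cadence"]]
        if age > limit:
            findings.append((ctl["id"], f"{age} days old, limit {limit}"))
    return findings
```

Running both checks at the end of each monthly cycle gives you the gap list before the auditor finds it and a dated trail showing the cadence was actually kept.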

The Bastion Approach

We help organizations implement CIS Controls with SOC 2 in mind:

| Challenge | Our Approach |
|---|---|
| What to implement | CIS Controls prioritization |
| How to document | SOC 2-ready evidence collection |
| Policy development | Policies satisfying both frameworks |
| Audit preparation | Mapped evidence packages |
| Ongoing compliance | Continuous compliance monitoring |
