AuditFront

SOC 2 CC1.3: COSO Principle 3: Management Establishes Structures, Reporting Lines, and Authorities

What This Control Requires

Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.

In Plain Language

Without clear accountability, controls don't function. If nobody knows who owns a system, who can approve changes, or who to escalate to when something breaks, your control environment has a structural gap that auditors will flag immediately.

In practice, this means documented organisational charts, role descriptions, and delegation of authority matrices. Key security and IT functions must be clearly assigned to specific individuals or teams, with defined escalation paths. It also covers separation of duties - making sure no single person has excessive authority without appropriate checks.

Assessors want to see that you've thoughtfully designed your structure to support internal controls. That includes having a designated security function (a CISO or equivalent), clear ownership of IT systems and data, and documented processes for how decisions are made and communicated across the organisation.

How to Implement

Create and maintain a current organisational chart showing the reporting structure from the board down through operational levels. Clearly identify key security and IT roles - CISO (or equivalent), IT management, compliance officers, and data owners.

Write detailed role descriptions for all positions with security-relevant responsibilities. Each should specify authority level, decision-making scope, and reporting relationships. Pay close attention to roles involving access to sensitive systems, data classification decisions, and incident response.

Build a delegation of authority matrix documenting who can approve key decisions: system changes, access grants, vendor engagements, security exceptions. Include escalation thresholds and backup authorities for when primary decision-makers are unavailable.

Implement a separation of duties policy that identifies incompatible functions and ensures no single person can both authorise and execute critical transactions (for example, approving and deploying a production change, or granting production access and reviewing the access logs). For smaller organisations where strict separation isn't practical, document compensating controls such as management review of the activity, or audit logging that someone other than the actor actually reviews; logs nobody reads mitigate nothing. Record each accepted conflict alongside the control that compensates for it, so the auditor can see the risk was acknowledged rather than missed.

Set up formal reporting lines for security and risk management. The CISO or equivalent should report directly to senior management and ideally have access to the board or audit committee. This ensures security concerns can be escalated without being filtered by operational management.

Document the information flow for security-relevant events - how incidents are reported upward, how policy changes are communicated downward, and how cross-functional coordination works. Review and update the organisational structure at least annually or whenever significant changes occur.
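The delegation of authority matrix and separation of duties steps above are easiest to keep honest if the matrix is machine-readable and checked on every change. The following is an added example, not AuditFront's code or any real organisation's matrix: it takes a constructed matrix of authorities with primary and backup holders, a constructed list of incompatible authority pairs, and a constructed register of accepted conflicts with their compensating controls, then reports who holds both sides of an incompatible pair, which conflicts are covered by a documented control, and which authorities have no backup. Every name, authority and pairing in it is an assumption made for illustration.

```python
"""Separation-of-duties check over a delegation-of-authority matrix.

Added example (not AuditFront's code): the matrix layout, authority names,
people, incompatible pairs and compensating controls are constructed.
"""
from collections import defaultdict

# Constructed sample matrix: authority -> (primary holder, backup holder).
# A backup of None means nobody is named to step in.
DELEGATION_MATRIX = {
    "approve_change":     ("alice", "carol"),
    "deploy_change":      ("bob",   "alice"),
    "grant_prod_access":  ("alice", None),
    "review_access_logs": ("alice", "dave"),
    "approve_vendor":     ("erin",  "carol"),
    "pay_vendor":         ("carol", "erin"),
}

# Constructed sample: authorities that should not sit with one person,
# because together they let that person both authorise and execute.
INCOMPATIBLE = [
    ("approve_change", "deploy_change"),
    ("grant_prod_access", "review_access_logs"),
    ("approve_vendor", "pay_vendor"),
]

# Constructed sample: conflicts a small team has knowingly accepted, each
# with the compensating control that is documented for it.
COMPENSATING = {
    ("erin", "approve_vendor", "pay_vendor"):
        "CFO reviews every vendor payment against its approval monthly",
}


def holders(matrix):
    """Map each person to the authorities they hold as primary OR backup.

    Backups count: when the backup steps in they exercise the authority,
    so a backup assignment creates the same conflict as a primary one.
    """
    held = defaultdict(set)
    for authority, people in matrix.items():
        for person in people:
            if person is not None:
                held[person].add(authority)
    return dict(held)


def sod_conflicts(matrix, incompatible):
    """Return sorted (person, authority_a, authority_b) triples where one
    person holds both sides of an incompatible pair."""
    conflicts = []
    for person, auths in holders(matrix).items():
        for a, b in incompatible:
            if a in auths and b in auths:
                conflicts.append((person, a, b))
    return sorted(conflicts)


def missing_backups(matrix):
    """Authorities with no backup: approvals stall when the primary is away,
    which in practice leads to someone approving out of band."""
    return sorted(a for a, (_, backup) in matrix.items() if backup is None)


def self_backups(matrix):
    """Authorities where primary and backup are the same person (no real backup)."""
    return sorted(a for a, (primary, backup) in matrix.items() if primary == backup)


def evaluate(matrix, incompatible, compensating):
    """Split conflicts into unmitigated ones (findings) and accepted ones
    that carry a documented compensating control."""
    conflicts = sod_conflicts(matrix, incompatible)
    unmitigated = [c for c in conflicts if c not in compensating]
    mitigated = {c: compensating[c] for c in conflicts if c in compensating}
    return unmitigated, mitigated


if __name__ == "__main__":
    findings, accepted = evaluate(DELEGATION_MATRIX, INCOMPATIBLE, COMPENSATING)
    for person, a, b in findings:
        print(f"FINDING: {person} holds both {a} and {b} with no compensating control")
    for (person, a, b), control in accepted.items():
        print(f"accepted: {person} holds {a}+{b}; compensating control: {control}")
    for authority in missing_backups(DELEGATION_MATRIX):
        print(f"FINDING: no backup authority for {authority}")
    for authority in self_backups(DELEGATION_MATRIX):
        print(f"FINDING: primary and backup for {authority} are the same person")
```

Run it from CI whenever the matrix changes, and derive the matrix from the systems that actually enforce the authority (IAM groups, CI/CD approvers, source-control permissions) rather than from a document maintained by hand; a conflict that exists in production but not on paper is exactly what an assessor will sample for.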

Evidence Your Auditor Will Request

  • Current organizational chart showing reporting lines for security, IT, and compliance functions
  • Role descriptions for key security and IT positions including authority levels and responsibilities
  • Delegation of authority matrix documenting decision-making authorities and escalation paths
  • Separation of duties policy with documentation of incompatible functions and compensating controls
  • Evidence of annual review and updates to organizational structure and role assignments

Common Mistakes

  • Organizational chart is outdated and does not reflect the current structure or key personnel
  • Security function lacks a clear reporting line to senior management or the board
  • Role descriptions are generic and do not specify security-related authorities and responsibilities
  • No formal delegation of authority matrix exists, leading to ad hoc decision-making
  • Separation of duties is not documented and critical functions are concentrated in a single individual

Related Controls Across Frameworks

Framework        Control ID   Relationship
ISO 27001:2022   A.5.2        Equivalent (information security roles and responsibilities)
ISO 27001:2022   A.5.3        Related (segregation of duties)
NIST CSF 2.0     GV.RR-01     Related (organisational leadership is responsible and accountable for cybersecurity risk)

Frequently Asked Questions

Do we need a dedicated CISO to meet CC1.3?
Not necessarily. Smaller organisations can assign CISO responsibilities to a qualified person like a CTO or IT Director, as long as the role is clearly documented and the person has appropriate authority and expertise. What matters is that the security function is clearly assigned and has adequate organisational standing.
How detailed do role descriptions need to be?
Specific enough to establish clear authority boundaries and accountability. At minimum, cover the role's security-relevant responsibilities, decision-making authority, reporting relationships, and any separation of duties requirements. Generic job postings won't cut it.
What if our organization is too small for formal separation of duties?
That's common in smaller teams. Document compensating controls instead - management reviews, audit logging with independent review of the logs, periodic access reviews. The key is acknowledging the risk and putting reasonable mitigating measures in place for your size. Auditors understand the constraints of a 15-person company, but they will expect each conflict to be written down together with the control that offsets it.

Track SOC 2 compliance in one place

AuditFront helps you manage every SOC 2 control, collect evidence, and stay audit-ready.
