SOC 2 CC2.1: COSO Principle 13: Obtains or Generates Relevant, Quality Information
What This Control Requires
The entity obtains or generates and uses relevant, quality information to support the functioning of internal controls. Information is identified and obtained from relevant internal and external sources, processed into meaningful information, and maintained for quality over time.
In Plain Language
Garbage in, garbage out applies directly to your control environment. If your security logs are incomplete, your asset inventory is stale, or your risk data is months old, you're making decisions in the dark - and auditors will notice.
This means identifying what information you need to manage your control environment, establishing processes for collecting it from internal and external sources, and ensuring it stays accurate, complete, and timely. Think security logs, risk assessments, vulnerability data, compliance reports, and threat intelligence.
Assessors evaluate whether you've defined your information requirements, whether you have reliable processes for gathering and maintaining that information, and whether the information is actually used in decision-making. Collecting data that nobody looks at doesn't satisfy this control.
How to Implement
Identify the information requirements for your internal control environment. Document what data each major control area needs - security monitoring, access management, change management, incident response, risk assessment. Specify sources, frequency, and quality requirements for each type.
Deploy centralized logging and monitoring that captures security-relevant events from all critical systems. Cover authentication events, access changes, system modifications, network activity, and security alerts. Protect logs from tampering, retain them for appropriate periods, and make them available for analysis.
Set up processes for obtaining external information relevant to your security posture: threat intelligence feeds, vendor security advisories, regulatory updates, and industry benchmarking data. Assign someone to monitor these sources and feed relevant information into your risk management processes.
Implement data quality controls for security-relevant information. Validate log data completeness, check accuracy of asset inventories, and reconcile access records with HR data. Regularly audit the quality of your information sources and fix any gaps or inconsistencies.
Build dashboards and reports that turn raw data into actionable information for decision-makers. Management should see key security metrics, control effectiveness indicators, and risk trends. Keep reports timely, accurate, and tailored to different audiences.
Review information requirements at least annually, or whenever there are significant changes to your technology environment, threat landscape, or regulatory obligations. Document the rationale for requirements and any changes made.
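Two of the data-quality checks described above (log completeness monitoring and reconciling access records against HR data) as an added example; this is not code from the original page or from any product it mentions, and the log source names, timestamps, roster and access records are constructed sample data:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data for illustration only (hypothetical source and user names).
EXPECTED_LOG_SOURCES = {"idp", "vpn", "prod-db", "ci"}
# Last event time per source, as a SIEM heartbeat table might expose it.
LAST_SEEN = {
    "idp": "2025-01-10T12:00:00Z",
    "vpn": "2025-01-10T11:58:00Z",
    "prod-db": "2025-01-10T09:05:00Z",  # silent for about three hours
    # "ci" is missing entirely: it never shipped a single event
}
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}
ACCESS_RECORDS = {"alice": "admin", "bob": "user", "dave": "user"}  # dave unknown to HR
CHECK_TIME = datetime(2025, 1, 10, 12, 5, tzinfo=timezone.utc)  # fixed "now" for the run

def stale_log_sources(expected, last_seen, now, max_gap=timedelta(minutes=30)):
    """Return (source, reason) for sources that never reported or fell silent longer than max_gap."""
    stale = []
    for src in sorted(expected):
        ts = last_seen.get(src)
        if ts is None:
            stale.append((src, "never reported"))
            continue
        seen = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - seen > max_gap:
            stale.append((src, f"silent for {now - seen}"))
    return stale

def reconcile_access(access, roster):
    """Return (user, role, reason) for accounts not backed by an active HR record."""
    findings = []
    for user, role in sorted(access.items()):
        status = roster.get(user)
        if status is None:
            findings.append((user, role, "not in HR roster"))
        elif status != "active":
            findings.append((user, role, f"HR status {status}"))
    return findings

if __name__ == "__main__":
    # Each finding is a data-quality gap an auditor would expect you to detect and fix.
    for src, why in stale_log_sources(EXPECTED_LOG_SOURCES, LAST_SEEN, CHECK_TIME):
        print(f"LOG GAP  {src}: {why}")
    for user, role, why in reconcile_access(ACCESS_RECORDS, HR_ROSTER):
        print(f"ACCESS   {user} ({role}): {why}")
```

Run on a schedule against your real heartbeat table and HR export, the findings list doubles as evidence of the log completeness monitoring and reconciliation procedures auditors ask for.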
Evidence Your Auditor Will Request
- Documented information requirements for internal controls including sources, frequency, and quality criteria
- Centralized logging architecture documentation and evidence of log completeness monitoring
- External threat intelligence and information source subscriptions and integration processes
- Data quality validation procedures and results for security-relevant information
- Management dashboards and reports demonstrating use of quality information for control decisions
Common Mistakes
- Security logs are collected but not centralized or analyzed, providing no actionable information
- No formal process for monitoring external threat intelligence or vendor security advisories
- Information requirements are not documented, leading to ad hoc and inconsistent data collection
- Data quality issues such as incomplete logs, stale asset inventories, or inaccurate access records
- Management receives raw data dumps rather than meaningful reports that support decision-making
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| ISO 27001 | A.5.7 | Related |
| ISO 27001 | A.8.15 | Partial overlap |
| NIST CSF | DE.AE-02 | Related |
Frequently Asked Questions
What log sources should we centralize at minimum?
How long should we retain security logs?
Do we need a commercial SIEM to meet CC2.1?