AuditFront

SOC 2 CC2.1: COSO Principle 13: Obtains or Generates Relevant, Quality Information

What This Control Requires

The entity obtains or generates and uses relevant, quality information to support the functioning of internal controls. Information is identified and obtained from relevant internal and external sources, processed into meaningful information, and maintained for quality over time.

In Plain Language

Garbage in, garbage out applies directly to your control environment. If your security logs are incomplete, your asset inventory is stale, or your risk data is months old, you're making decisions in the dark - and auditors will notice.

This means identifying what information you need to manage your control environment, establishing processes for collecting it from internal and external sources, and ensuring it stays accurate, complete, and timely. Think security logs, risk assessments, vulnerability data, compliance reports, and threat intelligence.

Assessors evaluate whether you've defined your information requirements, whether you have reliable processes for gathering and maintaining that information, and whether the information is actually used in decision-making. Collecting data that nobody looks at doesn't satisfy this control.

How to Implement

Identify the information requirements for your internal control environment. Document what data each major control area needs - security monitoring, access management, change management, incident response, risk assessment. Specify sources, frequency, and quality requirements for each type.

Deploy centralised logging and monitoring that captures security-relevant events from all critical systems. Cover authentication events, access changes, system modifications, network activity, and security alerts. Protect logs from tampering, retain them for appropriate periods, and make them available for analysis.

Set up processes for obtaining external information relevant to your security posture: threat intelligence feeds, vendor security advisories, regulatory updates, and industry benchmarking data. Assign someone to monitor these sources and feed relevant information into your risk management processes.

Implement data quality controls for security-relevant information. Validate log data completeness, check accuracy of asset inventories, and reconcile access records with HR data. Regularly audit the quality of your information sources and fix any gaps or inconsistencies.

Build dashboards and reports that turn raw data into actionable information for decision-makers. Management should see key security metrics, control effectiveness indicators, and risk trends. Keep reports timely, accurate, and tailored to different audiences.

Review information requirements at least annually, or whenever there are significant changes to your technology environment, threat landscape, or regulatory obligations. Document the rationale for requirements and any changes made.
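As an added example (not AuditFront's code and not part of the original page), the following Python script implements two of the data quality checks described above: flagging expected log sources that have fallen silent beyond their tolerated gap, and reconciling enabled IAM accounts against the HR roster so that orphaned and post-termination accounts surface as exceptions. All source names, thresholds, timestamps and account records are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the page): every log source the control
# environment expects, and the longest silence tolerated before it counts as incomplete.
EXPECTED_SOURCES = {
    "sso": timedelta(minutes=15),
    "cloudtrail": timedelta(minutes=30),
    "firewall": timedelta(minutes=5),
    "db-audit": timedelta(hours=1),
}
# Constructed "latest event received" timestamps; db-audit has never reported.
LAST_SEEN = {
    "sso": datetime(2024, 5, 1, 11, 50, tzinfo=timezone.utc),
    "cloudtrail": datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc),
    "firewall": datetime(2024, 5, 1, 11, 58, tzinfo=timezone.utc),
}
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

def find_stale_sources(expected, last_seen, now):
    """Map each silent source to its gap (None when it has never reported)."""
    stale = {}
    for source, max_gap in expected.items():
        seen = last_seen.get(source)
        if seen is None:
            stale[source] = None
        elif now - seen > max_gap:
            stale[source] = now - seen
    return stale

# Constructed HR roster (system of record) and IAM account export.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}
IAM_ACCOUNTS = {"alice": "enabled", "bob": "enabled", "carol": "disabled", "dave": "enabled"}

def reconcile_access(hr_roster, iam_accounts):
    """List enabled accounts with no active HR record (orphaned or post-termination)."""
    findings = []
    for user, state in sorted(iam_accounts.items()):
        if state != "enabled":
            continue  # disabled accounts are not an access exposure
        hr_state = hr_roster.get(user)
        if hr_state is None:
            findings.append((user, "no HR record"))
        elif hr_state != "active":
            findings.append((user, f"HR status {hr_state}"))
    return findings

if __name__ == "__main__":
    print("stale log sources:", find_stale_sources(EXPECTED_SOURCES, LAST_SEEN, NOW))
    print("access exceptions:", reconcile_access(HR_ROSTER, IAM_ACCOUNTS))
```

Both results are the kind of artefact an auditor asks for under this control: a dated record that the check ran, what it found, and who acted on it.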

Evidence Your Auditor Will Request

  • Documented information requirements for internal controls including sources, frequency, and quality criteria
  • Centralized logging architecture documentation and evidence of log completeness monitoring
  • External threat intelligence and information source subscriptions and integration processes
  • Data quality validation procedures and results for security-relevant information
  • Management dashboards and reports demonstrating use of quality information for control decisions

Common Mistakes

  • Security logs are collected but not centralized or analyzed, providing no actionable information
  • No formal process for monitoring external threat intelligence or vendor security advisories
  • Information requirements are not documented, leading to ad hoc and inconsistent data collection
  • Data quality issues such as incomplete logs, stale asset inventories, or inaccurate access records
  • Management receives raw data dumps rather than meaningful reports that support decision-making

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.7         Related
ISO 27001    A.8.15        Partial overlap
NIST CSF     DE.AE-02      Related

Frequently Asked Questions

What log sources should we centralize at minimum?

Start with authentication systems (SSO, Active Directory), firewalls and network devices, cloud infrastructure (AWS CloudTrail, Azure Activity Log), application servers, database access logs, and endpoint security tools. The exact list depends on your environment, but prioritise systems that process, store, or transmit sensitive data.

How long should we retain security logs?

A common baseline is 90 days of readily accessible logs for operational use and one year of archived logs for investigations and audits. Some regulations require longer retention. Document your retention policy with the rationale for the periods you've chosen - auditors want to see that you've thought it through, not just picked an arbitrary number.

Do we need a commercial SIEM to meet CC2.1?

Not necessarily. A SIEM gives you centralisation and correlation capabilities, but smaller organisations can meet this with well-configured centralised logging (ELK stack, cloud-native logging services) combined with documented procedures for log review and analysis. What matters is having accessible, quality information - not a specific vendor's product.
