SOC 2 CC5.1: COSO Principle 10: Selects and Develops Control Activities That Mitigate Risks
What This Control Requires
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Control activities include a range of actions including approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
In Plain Language
This is where your risk assessment becomes real. You've identified the risks - now you need specific controls that actually reduce them to acceptable levels. Auditors want to see that every control you implement traces back to a risk, and that every significant risk has at least one control addressing it. Controls chosen because "everyone does it" without a risk rationale will raise questions.
In practice, take your risk assessment results and design controls that directly target the identified risks. You need both preventive controls (stopping bad things before they happen - access restrictions, approval workflows) and detective controls (spotting when something has gone wrong - log monitoring, reconciliations). The mix should match the risk level.
Auditors evaluate whether control activities link directly to identified risks, whether their rigour is proportional to the risk level, and whether you've considered both prevention and detection. Controls without a clear risk rationale, and risks without corresponding controls, are both problems.
How to Implement
Map each risk from your risk register to one or more control activities. Build a risk-control matrix that makes this linkage explicit. This is arguably the single most important artefact for demonstrating that your controls are purposeful rather than arbitrary.
Specify each control clearly: what risk it mitigates, what activity is performed, how often, who performs it, what evidence is generated, and how effectiveness is verified. Vague control descriptions are difficult to test and even harder to audit.
Use a layered defence approach. For critical risks, combine preventive controls (access restrictions, configuration hardening) with detective controls (monitoring, alerting) and corrective controls (incident response, backup recovery). No single control failure should lead to an unacceptable outcome.
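The checks an auditor applies to the risk-control matrix (every risk covered, every control traced to a risk, critical risks layered across preventive, detective and corrective controls, every control fully specified) are mechanical enough to automate. The following is an added example, not code from this page or from AuditFront; the risk register, control ids, owners and field names are constructed sample data.

```python
"""Risk-control matrix gap checker (added example, not AuditFront tooling).

Flags the four defects auditors look for under CC5.1: risks with no
control, controls with no risk rationale, critical risks lacking layered
coverage, and controls whose specification leaves a required field blank.
The register and control list below are constructed sample data.
"""
from collections import defaultdict

CONTROL_TYPES = ("preventive", "detective", "corrective")
REQUIRED_FIELDS = ("owner", "frequency", "evidence")

# Constructed sample risk register: id -> (description, rating).
RISKS = {
    "R1": ("Unauthorised access to production database", "critical"),
    "R2": ("Terminated employee retains system access", "high"),
    "R3": ("Backup cannot be restored when needed", "high"),
    "R4": ("Unpatched internet-facing service exploited", "critical"),
    "R5": ("Expense approvals bypassed", "medium"),
}

# Constructed sample control activities. "risks" lists the register ids each
# control mitigates; an empty list or an unknown id is a traceability defect.
CONTROLS = [
    {"id": "C1", "name": "MFA and role-based access to production DB",
     "type": "preventive", "risks": ["R1"], "owner": "Platform lead",
     "frequency": "continuous", "evidence": "IAM policy export"},
    {"id": "C2", "name": "Alert on privileged queries in DB audit log",
     "type": "detective", "risks": ["R1"], "owner": "SOC lead",
     "frequency": "continuous", "evidence": "Alert tickets"},
    {"id": "C3", "name": "Automated deprovisioning on HR termination",
     "type": "preventive", "risks": ["R2"], "owner": "IT manager",
     "frequency": "event-driven", "evidence": "Deprovisioning job log"},
    {"id": "C4", "name": "Quarterly user access review",
     "type": "detective", "risks": ["R2"], "owner": "IT manager",
     "frequency": "quarterly", "evidence": ""},            # evidence unspecified
    {"id": "C5", "name": "Weekly external vulnerability scan",
     "type": "detective", "risks": ["R4"], "owner": "Security engineer",
     "frequency": "weekly", "evidence": "Scan reports"},
    {"id": "C6", "name": "Annual security awareness training",
     "type": "preventive", "risks": [], "owner": "HR",
     "frequency": "annual", "evidence": "Completion records"},  # no risk link
]


def uncovered_risks(risks, controls):
    """Risks in the register that no control claims to mitigate."""
    covered = {r for c in controls for r in c["risks"]}
    return sorted(r for r in risks if r not in covered)


def orphan_controls(risks, controls):
    """Controls with no risk rationale: empty or unknown risk references."""
    return sorted(c["id"] for c in controls
                  if not c["risks"] or any(r not in risks for r in c["risks"]))


def layering_gaps(risks, controls, rating="critical"):
    """For each risk at the given rating, the control types it still lacks."""
    types_by_risk = defaultdict(set)
    for c in controls:
        for r in c["risks"]:
            types_by_risk[r].add(c["type"])
    gaps = {}
    for rid, (_, level) in risks.items():
        if level != rating:
            continue
        missing = [t for t in CONTROL_TYPES if t not in types_by_risk[rid]]
        if missing:
            gaps[rid] = missing
    return gaps


def incomplete_specs(controls, required=REQUIRED_FIELDS):
    """Controls whose specification leaves a required field blank."""
    return {c["id"]: [f for f in required if not c.get(f)]
            for c in controls if any(not c.get(f) for f in required)}


def assess(risks, controls):
    """Run every check; an empty dict means the matrix has no gaps."""
    findings = {
        "uncovered_risks": uncovered_risks(risks, controls),
        "orphan_controls": orphan_controls(risks, controls),
        "layering_gaps": layering_gaps(risks, controls),
        "incomplete_specs": incomplete_specs(controls),
    }
    return {name: result for name, result in findings.items() if result}


if __name__ == "__main__":
    for check, result in assess(RISKS, CONTROLS).items():
        print(f"{check}: {result}")
```

On the sample data the checker reports R3 and R5 as uncovered, C6 as an orphan control, R1 lacking a corrective control and R4 lacking both preventive and corrective controls, and C4 with no evidence defined. Running the same check against a real register before the audit turns the matrix from a static document into something that fails loudly when a new risk is added without a control.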
Automate where you can. Automated controls are more consistent and reliable than manual ones. Automated access provisioning/deprovisioning, configuration compliance checks, backup verification, and vulnerability scanning all reduce human error. Document both automated and manual controls clearly.
Build approval and authorisation workflows for sensitive operations. Define what requires management approval, what needs dual approval, and how exceptions are escalated. Implement these in your tooling rather than relying on informal processes.
Review control activities at least annually, or whenever the risk environment shifts. Assess whether existing controls are still effective, whether new ones are needed, and whether any can be streamlined without increasing risk.
Evidence Your Auditor Will Request
- Risk-control matrix linking identified risks to specific control activities
- Control activity specifications including objectives, frequency, owners, and evidence requirements
- Documentation of preventive, detective, and corrective controls for critical risk areas
- Automated control configurations and manual control procedure documentation
- Approval and authorisation workflow documentation with evidence of execution
Common Mistakes
- Controls exist without a clear link to identified risks, suggesting they were implemented without risk-based rationale
- Over-reliance on preventive controls without detective measures to identify when prevention fails
- Manual controls are poorly documented and performed inconsistently across different teams or shifts
- Control activities are not reviewed or updated when the risk environment changes
- Approval workflows have exceptions that are too broadly applied, undermining the control's effectiveness
Related Controls Across Frameworks
Frequently Asked Questions
How do we decide between preventive and detective controls?
Should we automate all controls?
What if a single control mitigates multiple risks?