SOC 2 CC6.1: Logical and Physical Access - Security Software, Infrastructure, and Architectures
What This Control Requires
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. The entity uses a combination of security technologies including firewalls, intrusion detection, identity management, and encryption to protect information assets.
In Plain Language
When auditors look at CC6.1, they're assessing whether your technical security stack actually works as a coherent whole. It's not enough to have a firewall here and an antivirus there - your identity management, network controls, encryption, and monitoring tools need to form an integrated security architecture that protects your systems and data from real threats.
This covers the full range of security technologies: identity providers and SSO, firewalls and network segmentation, intrusion detection and prevention, endpoint protection, encryption for data at rest and in transit, and SIEM or equivalent monitoring. These need to work together, not exist as isolated point solutions.
Auditors evaluate the architecture holistically. They check whether security technologies are properly configured, actively monitored, and regularly updated. The question isn't whether you have the right tools on a checklist - it's whether your architecture provides adequate protection for the specific risks your organisation faces.
How to Implement
Design a security architecture that provides protection at every layer: network perimeter, internal network, host/endpoint, application, and data. Document how all security technologies relate to each other and use defence-in-depth principles so that compromise of any single layer doesn't mean total exposure.
Make identity and access management the foundation of your logical access controls. Deploy a centralised identity provider, SSO for all applications, MFA (especially for privileged and remote access), and role-based access control. Integrate IAM with HR processes so onboarding, role changes, and offboarding automatically flow through.
Deploy network security controls: next-generation firewalls with application-level inspection, network segmentation to isolate sensitive systems, web application firewalls for internet-facing applications, DNS security and content filtering, and VPN or zero-trust network access for remote connectivity.
Implement encryption consistently. Use TLS 1.2 or higher for all data in transit. Encrypt sensitive data at rest with AES-256 or equivalent. Manage keys through a proper key management system with appropriate controls. Apply encryption across all environments - cloud, on-premises, and backup storage.
Protect endpoints with EDR tools, host-based firewalls, disk encryption, application whitelisting where appropriate, and mobile device management for corporate devices. Make sure every endpoint is enrolled in your security management platform.
Set up security monitoring and detection: SIEM or equivalent for log aggregation and correlation, intrusion detection for network and host-based threats, and automated alerting for security events. Ensure 24/7 coverage, either through an internal SOC or a managed security service.
Evidence Your Auditor Will Request
- Security architecture diagram showing all security technologies and their integration
- IAM system configuration documentation including MFA, SSO, and RBAC implementation
- Network security architecture including firewall rules, segmentation design, and IDS/IPS deployment
- Encryption standards documentation and evidence of implementation for data at rest and in transit
- Endpoint security deployment records and configuration standards
Common Mistakes
- Security technologies are deployed as isolated point solutions without integration or centralised management
- Multi-factor authentication is not enforced for all administrative and remote access
- Network segmentation is insufficient, allowing lateral movement between environments
- Encryption is not consistently applied across all environments, leaving gaps in data protection
- Security monitoring generates alerts but lacks adequate staffing or processes for timely response