AuditFront

SOC 2 CC6.6: Logical and Physical Access - Security Against Threats Outside System Boundaries

What This Control Requires

The entity implements logical access security measures to protect against threats from sources outside its system boundaries. The entity implements measures to identify and authenticate users, manage access, and protect data from unauthorized external access through boundary protection mechanisms.

In Plain Language

Every service you expose to the internet is a door someone will try to open. CC6.6 is about how well you protect those doors - and whether you even know how many you have.

This covers your perimeter defences: firewalls, web application firewalls, DDoS protection, email security gateways, DNS security, and secure remote access. It also includes how you authenticate external users, protect public-facing applications, and manage the attack surface exposed to the internet.

Auditors evaluate whether you have a clear picture of your external boundary points, whether access is properly authenticated and authorised, what protections sit in front of your internet-facing services, and how you monitor and respond to external threats hitting your perimeter. An incomplete inventory of internet-facing assets is one of the most common findings here.

How to Implement

Map out every point where your environment connects to external networks: internet connections, VPN endpoints, API gateways, partner connections, and anything else externally accessible. Keep this inventory accurate and document the protections at each boundary point.

Layer your boundary protection. Deploy next-generation firewalls with application awareness and intrusion prevention at all internet boundaries. Put a WAF in front of every internet-facing web application. Add DDoS protection for public services. Run email security gateways with anti-phishing, anti-malware, and spam filtering.

Lock down remote access. Use VPN or zero-trust network access with multi-factor authentication. Encrypt all remote sessions, log them, and enforce time limits. Restrict access to only the systems and data each user's role requires.

Actively manage your external attack surface. Run external vulnerability scans and penetration tests regularly. Watch for shadow IT or unauthorised services exposed to the internet. Use attack surface management tooling to discover and track internet-facing assets. Shut down or restrict anything that doesn't need to be externally accessible.
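The two paragraphs above, the boundary inventory and the attack surface review, are really one check: does what the internet can actually reach match what the boundary documentation says is exposed? The script below, an added example that is not AuditFront's code, reconciles a documented inventory against external scan results and reports the four kinds of drift an auditor will ask about: hosts the inventory has never heard of, undocumented services on known hosts, documented services the scanner could not reach, and management protocols on the edge. The inventory, the host addresses and the scan output are constructed sample data in nmap's greppable (-oG) layout, not a real scan; the inventory field layout is an assumption, since the page prescribes no format.

```python
"""Reconcile the documented internet-facing inventory against an external
scan and flag drift. Added example; all hosts and scan lines are constructed."""
import ipaddress

# Constructed sample: the boundary documentation.
# (ip, port, protocol, owner, protection documented in front of the service)
INVENTORY = [
    ("203.0.113.10", 443, "tcp", "web-team", "CDN + WAF"),
    ("203.0.113.10", 80, "tcp", "web-team", "redirect to 443 only"),
    ("203.0.113.20", 443, "tcp", "platform", "API gateway"),
    ("203.0.113.20", 8443, "tcp", "platform", "admin console, partner IP allow-list"),
    ("203.0.113.30", 1194, "udp", "it-ops", "VPN, MFA enforced"),
]

# Constructed sample in nmap -oG layout (port/state/proto/owner/service/rpc/version/).
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.20 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8443/filtered/tcp//https-alt///
Host: 203.0.113.30 ()\tPorts: 1194/open/udp//openvpn///
Host: 203.0.113.45 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///
"""

# Remote-management protocols that should never face the internet directly.
MGMT_PORTS = {22, 23, 3389, 5900, 5985, 5986}


def parse_grepable(text):
    """Return {(ip, port, proto)} for every port the scan reports as open."""
    exposed = set()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host_part, ports_part = line.split("Ports:", 1)
        ip = str(ipaddress.ip_address(host_part.split()[1]))  # normalise, reject garbage
        for entry in ports_part.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[:3]
            if state == "open":
                exposed.add((ip, int(port), proto))
    return exposed


def reconcile(inventory, scan_text):
    """Compare documented services with observed ones and bucket the differences."""
    documented = {(ip, port, proto) for ip, port, proto, _, _ in inventory}
    known_hosts = {ip for ip, *_ in inventory}
    observed = parse_grepable(scan_text)
    return {
        # reachable hosts the inventory does not know about at all
        "unknown_hosts": sorted({ip for ip, _, _ in observed if ip not in known_hosts}),
        # known hosts exposing a service nobody documented, so nobody is protecting it
        "undocumented_services": sorted(s for s in observed - documented if s[0] in known_hosts),
        # documented services the scanner could not reach: allow-listed, decommissioned, or stale docs
        "documented_not_observed": sorted(documented - observed),
        # management protocols on the internet edge, documented or not
        "management_exposed": sorted(s for s in observed if s[1] in MGMT_PORTS),
    }


if __name__ == "__main__":
    for bucket, items in reconcile(INVENTORY, SCAN_OUTPUT).items():
        print(f"{bucket}: {items}")
```

On the sample data this reports 203.0.113.45 as an unknown host with RDP exposed, an undocumented SSH listener on the API host, and the admin console on 8443 as documented but unreachable (the allow-list is doing its job, but confirm rather than assume). Run it after every external scan and keep the output with the scan report; a consistently empty result is the evidence the inventory is accurate.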

Secure external API integrations through an API gateway with authentication, rate limiting, and input validation. Catalogue all external APIs, their consumers, and the data they expose. Monitor usage for anomalous patterns.

Monitor external threat activity targeting your boundary. Review firewall logs, IDS/IPS alerts, WAF events, and email security reports. Integrate threat intelligence relevant to your industry and tech stack. Set up alerting and response procedures for significant events.

Evidence Your Auditor Will Request

  • System boundary documentation identifying all external connection points and applied protections
  • Firewall rule sets and change management records for boundary protection devices
  • WAF configurations and logs for internet-facing applications
  • Remote access solution configuration with evidence of MFA enforcement and session controls
  • External vulnerability scan and penetration test results with remediation evidence

Common Mistakes

  • Incomplete inventory of internet-facing services, leaving unknown assets unprotected
  • Firewall rules are overly permissive or include stale rules that are no longer needed
  • Web applications are exposed to the internet without WAF protection
  • Remote access is possible without multi-factor authentication
  • External attack surface is not regularly assessed, allowing new exposures to go undetected

Related Controls Across Frameworks

Framework    Control ID   Relationship
ISO 27001    A.8.20       Equivalent
ISO 27001    A.8.21       Related
ISO 27001    A.8.22       Related
NIST CSF     PR.DS-02     Partial overlap

Frequently Asked Questions

How often should external vulnerability scans be performed?
Quarterly at minimum, with additional scans after any significant changes to internet-facing infrastructure. Many organisations scan monthly or weekly. Automated continuous scanning is becoming the norm for organisations with significant internet exposure. If PCI DSS is also in scope, you'll need quarterly scans by an Approved Scanning Vendor (ASV).
Do we need a dedicated WAF if we use a CDN with security features?
If your CDN provider (Cloudflare, AWS CloudFront with AWS WAF, Akamai, etc.) includes WAF capabilities, that can absolutely serve as your WAF. Just make sure it provides adequate protection for your specific application vulnerabilities and that the rules are regularly updated and tuned. Auditors care about the protection being effective, not whether it's a standalone product.
How should we handle external API security?
Put an API gateway in front of everything with authentication (OAuth 2.0 or API keys), authorisation (scope-based access control), rate limiting, input validation, and logging. Keep a catalogue of all external APIs. Run dedicated API security testing regularly. Monitor usage for anomalous patterns and set up automated blocking of suspicious activity.
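The answer above and the API paragraph under "How to Implement" describe the same edge policy: authenticate the caller, enforce scope-based authorisation, rate limit, validate input, and log every decision. The block below is an added example, not AuditFront's code and not the policy language of any real gateway product; it shows the order those checks should run in and what each one rejects. The API keys, clients, scopes, routes and request bodies are constructed sample data, the key store is an in-memory dict standing in for a secrets store or identity provider, and the token-bucket parameters are assumptions.

```python
"""Minimal external-API edge policy: key authentication, scope authorisation,
per-client token-bucket rate limiting, allow-list input validation, audit log.
Added example; keys, scopes and routes are constructed."""
import hashlib
import re
import time

# Constructed sample key store. Only a SHA-256 digest of each key is kept, so a
# leaked store is not a set of usable credentials. Scopes use "resource:verb".
KEY_STORE = {
    hashlib.sha256(b"partner-key-1").hexdigest(): {"client": "partner-a", "scopes": {"orders:read"}},
    hashlib.sha256(b"partner-key-2").hexdigest(): {"client": "partner-b", "scopes": {"orders:read", "orders:write"}},
}


def validate_order(body):
    """Allow-list validation of a POST /orders body: exact keys, typed values, bounded ranges."""
    return (
        isinstance(body, dict)
        and set(body) == {"sku", "qty"}
        and isinstance(body["sku"], str)
        and re.fullmatch(r"[A-Z0-9-]{1,32}", body["sku"]) is not None
        and isinstance(body["qty"], int) and not isinstance(body["qty"], bool)
        and 1 <= body["qty"] <= 1000
    )


# Route table: (method, path pattern, scope required, body validator). Constructed.
ROUTES = [
    ("GET", re.compile(r"^/orders/[A-Z0-9]{8}$"), "orders:read", lambda body: body is None),
    ("POST", re.compile(r"^/orders$"), "orders:write", validate_order),
]


class TokenBucket:
    """Per-client limiter: refills `rate` tokens per second up to `burst`."""

    def __init__(self, rate, burst, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self, rate=5.0, burst=10, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}
        self.log = []  # one record per decision; this is what the SIEM should ingest

    def handle(self, method, path, api_key, body=None):
        """Return (status, detail). Unauthenticated callers are rejected before
        they can consume any budget; rate limiting runs before the route and
        scope checks so 404/403 probing still burns the caller's tokens."""
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        ident = KEY_STORE.get(digest)  # lookup is on the digest, not the key, so its timing is not a key oracle
        if ident is None:
            return self._decide(401, "unauthenticated", "-", method, path)
        client = ident["client"]
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst, self.clock))
        if not bucket.allow():
            return self._decide(429, "rate limited", client, method, path)
        for route_method, pattern, scope, validator in ROUTES:
            if route_method == method and pattern.match(path):
                break
        else:
            return self._decide(404, "no route", client, method, path)
        if scope not in ident["scopes"]:
            return self._decide(403, f"missing scope {scope}", client, method, path)
        if not validator(body):
            return self._decide(400, "invalid input", client, method, path)
        return self._decide(200, client, client, method, path)  # would now proxy to the backend

    def _decide(self, status, detail, client, method, path):
        self.log.append({"client": client, "method": method, "path": path, "status": status, "detail": detail})
        return status, detail


if __name__ == "__main__":
    gw = Gateway(rate=1.0, burst=3)
    print(gw.handle("POST", "/orders", "partner-key-1", {"sku": "X1", "qty": 1}))   # 403: read-only key
    print(gw.handle("POST", "/orders", "partner-key-2", {"sku": "X1", "qty": 0}))   # 400: qty out of range
    print(gw.handle("GET", "/orders/ABCD1234", "partner-key-2"))                    # 200
```

The structured `log` is the "monitor usage for anomalous patterns" part of the answer: a client accumulating 403s across scopes it does not hold, or 404s across paths that do not exist, is enumerating the API, and a run of 429s from one client is the automated blocking trigger. Note what the example deliberately does not do: it never validates the body before authenticating and authorising the caller, because parsing attacker-controlled input on behalf of an anonymous request is itself an exposure.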
