
SOC 2 CC9.1: Risk Mitigation - Risk Mitigation Activities

What This Control Requires

The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. The entity considers the use of insurance, business continuity planning, and other risk mitigation strategies to address identified risks.

In Plain Language

No amount of security controls eliminates all risk. CC9.1 recognises that and asks a practical question: what's your plan when things go sideways despite your best efforts?

This goes beyond traditional security controls into business continuity planning, cyber insurance, risk transfer through vendor contracts, and alternative processing arrangements. The goal is ensuring your organisation can survive a significant disruption - whether that's a ransomware attack, a data centre outage, a key vendor failure, or a natural disaster.

Auditors evaluate whether you've identified your disruption risks, chosen appropriate mitigation strategies, tested your business continuity plans, and considered insurance for residual risks that controls alone can't fully address. A business continuity plan that's never been tested is a common and serious finding.

How to Implement

Run a business impact analysis (BIA) to identify critical business processes, their technology dependencies, and the impact of disruption. For each critical process, determine maximum tolerable downtime, minimum resources for continued operation, and recovery priority relative to other processes.

Write a business continuity plan (BCP) covering how you'll maintain critical operations during various scenarios: technology failures, natural disasters, pandemics, supply chain disruptions, and cyber attacks. Include alternative processing arrangements, communication plans, and resource allocation.

Build disaster recovery capabilities for critical systems. Set up redundant infrastructure in geographically separate locations, automated failover for critical services, tested recovery procedures with documented RTOs and RPOs, and regular DR exercises that prove you can actually recover.

Get appropriate cyber insurance. Your policy should cover data breach costs, business interruption, regulatory fines, legal defence, and notification expenses. Review coverage limits annually against your risk profile and potential exposure. Understand the exclusions and requirements - policies often have conditions around security controls that you need to meet for claims to be valid.

Set vendor continuity requirements. Critical vendors need to provide their own BCP and DR documentation. Include continuity requirements in contracts, assess preparedness during due diligence, and have contingency plans for critical vendor failures including identified alternatives.

Test the BCP at least annually through tabletop exercises, functional exercises, or full-scale tests. Document results, identify gaps, and update the plan. Make sure everyone knows their role during a disruption.

Evidence Your Auditor Will Request

  • Business impact analysis identifying critical processes, dependencies, and recovery priorities
  • Business continuity plan covering multiple disruption scenarios with alternative processing arrangements
  • Disaster recovery documentation including infrastructure redundancy and tested recovery procedures
  • Cyber insurance policy documentation showing coverage scope and limits
  • Business continuity plan test results with identified gaps and improvement actions

Common Mistakes

  • No business impact analysis has been conducted to identify and prioritise critical business processes
  • Business continuity plan exists but has never been tested through exercises or simulations
  • Disaster recovery capabilities have not been validated through actual recovery tests
  • Cyber insurance coverage is insufficient for the organisation's risk exposure or has significant exclusions
  • Vendor continuity risks are not assessed, leaving the organisation exposed to critical vendor failures

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.29        Equivalent
ISO 27001    A.5.30        Related
NIST CSF     RC.RP-01      Related
NIST CSF     GV.RM-04      Partial overlap

Frequently Asked Questions

Do we need cyber insurance for SOC 2?
It's not explicitly required, but auditors may note its absence and it's strongly recommended. Breach-related costs can escalate fast - legal fees, notification costs, regulatory fines, business interruption. Most organisations can't absorb those costs out of pocket. Evaluate your risk exposure to determine the right coverage level.
How often should the business continuity plan be tested?
Annually at minimum. A good cadence is: tabletop exercise annually, functional exercise semi-annually, and component tests (like DR failovers) quarterly. Test again after significant changes to your organisation, technology, or vendor landscape. Document every test and feed the results back into plan improvements.
What should our disaster recovery architecture look like?
Match it to your RTO and RPO requirements. Critical services needing near-zero downtime call for active-active configurations across multiple availability zones or regions. Services that can tolerate some downtime can use warm standby with regular data replication. The key principle: your DR infrastructure must be geographically separate from your primary environment.
