What is CC6.1 in SOC 2 and what evidence does it require?
March 6, 20262 min readSOC 2 Evidence Collection
What Is CC6.1?
CC6.1 falls under the Security category of Trust Services Criteria. It states that "the entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events." In plain language: you must control who can access your systems and data.
It's almost always the most evidence-heavy criterion in a SOC 2 audit.
Evidence Auditors Need for CC6.1
| Control Area | Evidence Required |
|---|---|
| Authentication | Screenshot of SSO/MFA settings showing enforcement |
| Role-based access | User list showing role assignments, permission matrix |
| Least privilege | Evidence that users only have access they need for their job |
| Access provisioning | Ticket or record of access request and approval for a new hire |
| Access revocation | Evidence showing access removed for terminated employees |
| Access reviews | Quarterly review documentation showing who was reviewed and outcomes |
| Shared accounts | Evidence that shared credentials are prohibited or exception-documented |
How Startups Can Satisfy CC6.1
- Use SSO with MFA. Google Workspace or Okta with enforced MFA covers your identity layer.
- Implement basic RBAC. Even two roles (admin vs. member) in GitHub and your cloud provider demonstrates least privilege.
- Document onboarding/offboarding. Create a checklist of systems accessed, who grants/revokes, and keep records.
- Run quarterly access reviews. Export user lists from each system, confirm each user still needs access, document the review with date and reviewer.
- Screenshot everything. Capture MFA settings, role assignments, and branch protection rules with timestamps.
Common Findings
- MFA available but not enforced (users can opt out)
- Former employees still have active accounts
- All engineers have admin access with no role differentiation
- No documented access review within the audit period