The SOC 2 Criteria Action Governance Was Built For
CC6 (logical access) and CC7 (system operations) ask you to prove access is authorized and activity is monitored. A per-action decision that authorizes and logs is exactly that proof.
Illustrative product view
What CC6 and CC7 actually ask for
SOC 2’s Common Criteria CC6 covers logical and physical access - the requirement that access is authorized, restricted, and appropriate. CC7 covers system operations - detecting and monitoring events. Both are fundamentally about actions: was this access authorized, and was activity recorded? Fintra’s decision point answers both at the moment access is requested and logs the answer.
How actions map to CC6 and CC7
| Action | Internal control | SOC 2 criterion |
|---|---|---|
| Authorize an access or action | AC-001 | CC6.7 (logical access) |
| Log the authorization decision | LOG-003 | CC7.45 (monitoring) |
| Approver-over-limit control | AC-003 | CC6 (access) |
| Deny cross-tenant access | Tenant isolation | CC6 (access boundary) |
Why this is stronger evidence
- Evidence is per-action, not a point-in-time snapshot
- The crosswalk is deterministic, so the same action always maps the same way
- Each evidence item is hash-chained and tamper-evident
- Authorization and monitoring are proven together from one decision
How it connects
CC6/CC7 evidence lives in the same control library as the rest of your SOC 2 program, is verifiable via the trust ledger, watched by continuous monitoring, and exposed to your assessor through the auditor portal. It is one strand of a broader SOC 2 evidence-automation story.
Frequently asked questions
What are SOC 2 CC6 and CC7 controls?
CC6 is the Common Criteria series for logical and physical access - authorizing and restricting access appropriately. CC7 covers system operations, including detecting and monitoring events. Both are action-centric, which is why a per-action authorization-and-logging decision maps cleanly onto them.
What is SOC 2 CC6.7?
CC6.7 concerns restricting the transmission, movement, and access of information to authorized users and processes. Fintra maps an authorization decision to internal control AC-001 and to CC6.7, so authorizing an access action produces CC6.7 evidence directly when the compliance loop is enabled.
How does a logged decision satisfy CC7?
CC7 expects monitoring of system activity. When the decision point logs an authorization, that logging maps to internal control LOG-003 and to CC7.45, producing monitoring evidence. Authorizing and logging in one action means CC6 and CC7 evidence are generated together.
Is this better than screenshot-based evidence?
It is more durable. A screenshot proves a setting at one moment; a per-action, hash-chained authorization record proves each access was authorized against policy and cannot be silently altered. It shifts evidence from point-in-time snapshots to a continuous, verifiable record.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
Evidence CC6 and CC7 from the action
Authorize and log in one decision, and produce access and monitoring evidence.
Talk to us