SentriAI Feature

The SOC 2 Criteria Action Governance Was Built For

CC6 (logical access) and CC7 (system operations) ask you to prove access is authorized and activity is monitored. A per-action decision that authorizes and logs is exactly that proof.

Talk to usFree to start - no card required.
SentriAI · CC6 / CC7
CC6.7
AC-001
authorization
CC7.45
LOG-003
logging
EVIDENCE
per action
hash-chained
Access request authorized by PDPCC6.7 evidence
Decision logged to ledgerCC7.45 evidence
Cross-tenant access deniedCC6 enforced
Approver-over-limit → AC-003access control
Deterministic crosswalkmap_action_to_controls

Illustrative product view

What CC6 and CC7 actually ask for

SOC 2’s Common Criteria CC6 covers logical and physical access - the requirement that access is authorized, restricted, and appropriate. CC7 covers system operations - detecting and monitoring events. Both are fundamentally about actions: was this access authorized, and was activity recorded? Fintra’s decision point answers both at the moment access is requested and logs the answer.

How actions map to CC6 and CC7

ActionInternal controlSOC 2 criterion
Authorize an access or actionAC-001CC6.7 (logical access)
Log the authorization decisionLOG-003CC7.45 (monitoring)
Approver-over-limit controlAC-003CC6 (access)
Deny cross-tenant accessTenant isolationCC6 (access boundary)
The deterministic crosswalk to CC6 / CC7

Why this is stronger evidence

  • Evidence is per-action, not a point-in-time snapshot
  • The crosswalk is deterministic, so the same action always maps the same way
  • Each evidence item is hash-chained and tamper-evident
  • Authorization and monitoring are proven together from one decision

How it connects

CC6/CC7 evidence lives in the same control library as the rest of your SOC 2 program, is verifiable via the trust ledger, watched by continuous monitoring, and exposed to your assessor through the auditor portal. It is one strand of a broader SOC 2 evidence-automation story.

Frequently asked questions

What are SOC 2 CC6 and CC7 controls?

CC6 is the Common Criteria series for logical and physical access - authorizing and restricting access appropriately. CC7 covers system operations, including detecting and monitoring events. Both are action-centric, which is why a per-action authorization-and-logging decision maps cleanly onto them.

What is SOC 2 CC6.7?

CC6.7 concerns restricting the transmission, movement, and access of information to authorized users and processes. Fintra maps an authorization decision to internal control AC-001 and to CC6.7, so authorizing an access action produces CC6.7 evidence directly when the compliance loop is enabled.

How does a logged decision satisfy CC7?

CC7 expects monitoring of system activity. When the decision point logs an authorization, that logging maps to internal control LOG-003 and to CC7.45, producing monitoring evidence. Authorizing and logging in one action means CC6 and CC7 evidence are generated together.

Is this better than screenshot-based evidence?

It is more durable. A screenshot proves a setting at one moment; a per-action, hash-chained authorization record proves each access was authorized against policy and cannot be silently altered. It shifts evidence from point-in-time snapshots to a continuous, verifiable record.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Evidence CC6 and CC7 from the action

Authorize and log in one decision, and produce access and monitoring evidence.

Talk to us