SOC 1 (SSAE 18 / ISAE 3402)

International

11 domains

32 controls

SOC 1 Type 1/2 reporting on controls relevant to user entities' Internal Control over Financial Reporting (ICFR).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (11)

Backup and Recovery

3 controls

Controls in the Backup and Recovery domain of SOC 1 (SSAE 18 / ISAE 3402) — 3 controls
Code	Title	Description
CO-Backup-1	Backup Execution	Backups of in-scope financial system data are performed according to documented schedules and retention requirements
CO-Backup-2	Backup Restoration Testing	Backup restoration is tested periodically to verify recoverability of in-scope data
CO-Backup-3	Backup Offsite Storage and Encryption	Backups of in-scope data are stored at offsite or alternate locations and protected by encryption

Change Management

5 controls

Controls in the Change Management domain of SOC 1 (SSAE 18 / ISAE 3402) — 5 controls
Code	Title	Description
CO-ChangeMgmt-1	Change Authorization and Approval	Changes to in-scope production systems are authorized and approved by appropriate stakeholders before implementation
CO-ChangeMgmt-2	Change Testing	Production changes are tested in non-production environments and test results are documented and approved before deploym...
CO-ChangeMgmt-3	Segregation of Duties in Change Deployment	Developers cannot deploy their own changes to production; deployment is performed by separate personnel or automated pip...
CO-ChangeMgmt-4	Emergency Change Management	Emergency changes follow an expedited but documented approval process and receive retroactive review
CO-ChangeMgmt-5	Infrastructure and Database Change Control	Changes to infrastructure components and databases supporting in-scope financial systems follow the change management pr...

Computer Operations

3 controls

Controls in the Computer Operations domain of SOC 1 (SSAE 18 / ISAE 3402) — 3 controls
Code	Title	Description
CO-ComputerOps-1	Job Scheduling and Monitoring	Batch jobs supporting financial processing are scheduled, executed, and monitored; failures are identified and resolved...
CO-ComputerOps-2	Problem and Incident Management	Operational incidents affecting in-scope systems are identified, logged, prioritized, resolved, and reviewed
CO-ComputerOps-3	Capacity and Performance Monitoring	System capacity and performance metrics are monitored and reviewed to ensure in-scope systems meet operational requireme...

Data Integrity / Processing

2 controls

Controls in the Data Integrity / Processing domain of SOC 1 (SSAE 18 / ISAE 3402) — 2 controls
Code	Title	Description
CO-DataIntegrity-1	Data Input and Processing Integrity	Input validation, processing controls, and reconciliations ensure financial data is processed completely and accurately
CO-DataIntegrity-2	Interface and File Transfer Controls	Data interfaces and file transfers to and from in-scope systems are monitored for completeness, accuracy, and authentici...

Incident Response

2 controls

Controls in the Incident Response domain of SOC 1 (SSAE 18 / ISAE 3402) — 2 controls
Code	Title	Description
CO-Incident-1	Incident Response Plan	A documented incident response plan addresses security incidents affecting in-scope financial systems
CO-Incident-2	Security Incident Detection and Response	Security incidents impacting financial-system integrity are detected, escalated, contained, and remediated per the IR pl...

Logical Access

7 controls

Controls in the Logical Access domain of SOC 1 (SSAE 18 / ISAE 3402) — 7 controls
Code	Title	Description
CO-LogicalAccess-1	User Access Provisioning	New user access to in-scope financial systems is approved and provisioned based on documented authorization aligned with...
CO-LogicalAccess-2	User Access Termination	Access to in-scope systems is revoked timely upon termination or role change to prevent unauthorized financial transacti...
CO-LogicalAccess-3	Periodic User Access Review	User access to financially relevant systems is reviewed periodically by system owners to confirm continued appropriatene...
CO-LogicalAccess-4	Privileged Access Management	Privileged and administrative access to in-scope systems is restricted, approved, monitored, and reviewed
CO-LogicalAccess-5	Password and Authentication Configuration	Authentication configurations for in-scope systems enforce password complexity, length, expiration, and lockout aligned...
CO-LogicalAccess-6	Multi-Factor Authentication	Multi-factor authentication is enforced for remote access and privileged access to in-scope systems
CO-LogicalAccess-7	Segregation of Duties in Financial Systems	Conflicting duties within financially relevant applications are segregated to prevent a single user from initiating and...

Monitoring

3 controls

Controls in the Monitoring domain of SOC 1 (SSAE 18 / ISAE 3402) — 3 controls
Code	Title	Description
CO-Monitoring-1	Security Event Logging	Security-relevant events on in-scope systems are logged, retained, and protected from unauthorized modification
CO-Monitoring-2	Intrusion Detection and Alerting	Intrusion detection and security alerting mechanisms monitor in-scope systems and generate alerts for investigation
CO-Monitoring-3	Vulnerability Management	Vulnerabilities on in-scope systems are identified through scanning, prioritized, and remediated within defined SLAs

New Development

2 controls

Controls in the New Development domain of SOC 1 (SSAE 18 / ISAE 3402) — 2 controls
Code	Title	Description
CO-NewDev-1	System Development Life Cycle (SDLC)	New development of in-scope systems follows a documented SDLC including requirements, design, development, testing, and...
CO-NewDev-2	Secure Coding and Code Review	Code changes to in-scope systems receive peer review and security scanning before merge to production branches

Other ICFR-relevant

1 controls

Controls in the Other ICFR-relevant domain of SOC 1 (SSAE 18 / ISAE 3402) — 1 controls
Code	Title	Description
CO-Other-1	Risk Assessment for ICFR	A risk assessment process identifies risks to in-scope financial processing and informs the design of controls

Physical Access

2 controls

Controls in the Physical Access domain of SOC 1 (SSAE 18 / ISAE 3402) — 2 controls
Code	Title	Description
CO-PhysicalAccess-1	Data Center Physical Access Restriction	Physical access to data centers hosting in-scope systems is restricted to authorized personnel
CO-PhysicalAccess-2	Physical Access Review	Physical access rights to data centers and restricted areas are reviewed periodically by responsible owners

Vendor Management

2 controls

Controls in the Vendor Management domain of SOC 1 (SSAE 18 / ISAE 3402) — 2 controls
Code	Title	Description
CO-Vendor-1	Subservice Organization Monitoring	Subservice organizations (cloud hosting, key SaaS) supporting in-scope systems are monitored through SOC reports or equi...
CO-Vendor-2	Complementary User Entity Controls (CUEC) Communication	The service organization communicates complementary user entity controls that customers must implement for the service o...

Frequently Asked Questions

What is SOC 1 (SSAE 18 / ISAE 3402)?

SOC 1 (SSAE 18 / ISAE 3402) is a compliance framework from International with 11 domains and 32 controls. SOC 1 Type 1/2 reporting on controls relevant to user entities' Internal Control over Financial Reporting (ICFR). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does SOC 1 (SSAE 18 / ISAE 3402) have?

SOC 1 (SSAE 18 / ISAE 3402) has 32 controls organised across 11 domains. The largest domains are Logical Access (7 controls), Change Management (5 controls), Backup and Recovery (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does SOC 1 (SSAE 18 / ISAE 3402) map to?

SOC 1 (SSAE 18 / ISAE 3402) does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with SOC 1 (SSAE 18 / ISAE 3402) compliance?

Start your SOC 1 (SSAE 18 / ISAE 3402) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about SOC 1 (SSAE 18 / ISAE 3402) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 32 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required