SOC 2 CC1.4: COSO Principle 4: Demonstrates Commitment to Attract, Develop, and Retain Competent Individuals
What This Control Requires
The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. The entity establishes policies and practices that support competence requirements for roles and responsibilities, and evaluates competence and addresses shortcomings.
In Plain Language
The best-designed controls in the world still fail if the people running them aren't qualified. This control addresses the human element - making sure you hire the right people, keep their skills current, and don't end up with critical security knowledge locked in a single person's head. It covers the full employee lifecycle: hiring people with appropriate skills and background, providing ongoing training and development, and retaining talent. It also means regularly assessing whether your team has the skills their roles demand and closing any gaps you find. Auditors look at how you ensure security and IT staff are qualified, how security awareness is maintained across the organisation, and whether you have processes for identifying and addressing competency gaps. This includes background checks for sensitive positions, ongoing professional development, and succession planning for key roles.
How to Implement
Build a formal hiring process with competency requirements for each role, especially those with security responsibilities. Define minimum qualifications, certifications, and experience levels. Implement background checks for positions involving access to sensitive data or critical systems.

Develop a security awareness training programme for all employees. Include initial training during onboarding and annual refreshers. Cover phishing awareness, data handling procedures, acceptable use policies, and incident reporting. Track and document all training completion.

Create role-specific training programmes for security and IT staff covering relevant technologies, security frameworks, and regulatory requirements. Support professional development through certifications (CISSP, CISM, vendor-specific certs), conference attendance, and continuing education.

Include security-related competencies in your performance evaluation process. For roles with significant security responsibilities, assess security knowledge, policy adherence, and incident response capabilities. Use results to identify training needs and development opportunities.

Develop succession plans for key security and IT roles. Identify backup personnel who can step in if primary role holders are unavailable. Provide cross-training to ensure continuity and prevent single points of failure in the security function.

Run periodic competency assessments, particularly after significant changes to technology, processes, or regulatory requirements. Use results to update training programmes and adjust hiring criteria. Document assessment activities and resulting action plans.
Evidence Your Auditor Will Request
- Job descriptions with defined competency requirements for security and IT roles
- Background check policy and evidence of completion for employees in sensitive positions
- Security awareness training program materials, schedules, and completion records for all employees
- Role-specific training plans and professional development records for security/IT staff
- Performance evaluation records showing assessment of security-related competencies
Common Mistakes
- Security awareness training is generic and not tailored to the organization's specific risks and technologies
- Background checks are not performed consistently for all employees with access to sensitive systems
- No formal competency requirements defined for security and IT roles in job descriptions
- Training records are incomplete or not centrally maintained, making it difficult to demonstrate compliance
- No succession planning for key security roles, creating single points of failure
Related Controls Across Frameworks
Frequently Asked Questions
What certifications should our security team hold?
How often should security awareness training be conducted?
Are background checks required for all employees?
AuditFront helps you manage every SOC 2 control, collect evidence, and stay audit-ready.