SOC 2 CC2.2: COSO Principle 14: Internally Communicates Information
What This Control Requires
The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal controls. Internal communication enables and supports understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the entity.
In Plain Language
People can't follow security policies they've never seen, and they can't report incidents if they don't know how. This control is about making sure security information actually flows through your organisation - in all directions. It covers top-down communication of policies, objectives, and expectations from leadership; bottom-up communication of issues, incidents, and concerns from staff; and lateral communication between teams coordinating on security matters. When these channels break down, controls fail because people either don't know what's expected or can't flag problems when they spot them. Auditors assess whether you've established communication channels for security information, whether policies are effectively distributed and understood, whether employees have a clear way to report security concerns, and whether management communicates changes to the control environment promptly.
How to Implement
Set up formal channels for distributing security policies, procedures, and updates to all employees. This should include an accessible policy repository (intranet or document management system), regular security communications (newsletters, bulletins, email updates), and integration of security topics into company-wide meetings.

Deploy a security incident reporting mechanism that's easy to use and well-publicised. A dedicated email address, ticketing system, phone hotline, or web form all work. Make sure employees know how to report suspected security incidents, phishing attempts, and policy violations. Give feedback on reported incidents to encourage continued reporting.

Create a communication plan for security changes affecting employees. When policies are updated, new tools deployed, or procedures changed, communicate clearly with enough lead time. Explain the rationale, what employees need to do differently, and where to find more information or support.

Establish regular security communication touchpoints: monthly newsletters, quarterly town halls, weekly tips, real-time alerts for urgent threats. Vary the format and frequency to keep engagement up and prevent important messages from getting buried in noise.

Document who is responsible for creating, reviewing, and distributing security communications. Make sure there's a process for escalating urgent security information and that leadership receives timely reports on the security posture.

Measure communication effectiveness through metrics like email open rates, training completion rates, incident reporting rates, and employee surveys. Use these to continuously improve your approach and confirm messages are reaching the right people.
Evidence Your Auditor Will Request
- Security policy repository or intranet with evidence of employee access and policy acknowledgment
- Security incident reporting mechanism documentation and evidence of employee awareness
- Communication records for security policy changes, updates, and new procedures
- Regular security communications (newsletters, bulletins, alerts) with distribution records
- Communication effectiveness metrics such as policy acknowledgment rates and incident reporting statistics
Common Mistakes
- Security policies are stored in a shared drive that employees cannot easily find or navigate
- No clear mechanism for employees to report security concerns or suspected incidents
- Security communications are sent only by email with no tracking of whether they are read or understood
- Policy changes are implemented without advance communication or explanation to affected employees
- Internal communication is one-directional (top-down) with no mechanism for upward feedback on security issues
Related Controls Across Frameworks
Frequently Asked Questions
How do we ensure remote employees receive security communications?
Should we communicate security incidents to all employees?
How do we handle security communication for non-English speaking employees?
AuditFront helps you manage every SOC 2 control, collect evidence, and stay audit-ready.