SOC 2 CC5.2: COSO Principle 11: Selects and Develops General Controls Over Technology
What This Control Requires
The entity also selects and develops general control activities over technology to support the achievement of objectives. Technology general controls include controls over the technology infrastructure, security management process, and technology acquisition, development, and maintenance.
In Plain Language
IT general controls (ITGCs) are the foundation everything else sits on. If your infrastructure access management, change management, or operational controls are weak, then every application-level control built on top of them becomes unreliable. Auditors know this, which is why ITGCs are typically the most heavily tested area in a SOC 2 audit. ITGCs cover how systems are managed, secured, changed, and maintained. This includes access management for infrastructure and applications, change management for software and configurations, IT operations like backup and monitoring, and security of your development and deployment pipeline. Weaknesses here have cascading effects. A poorly controlled change management process, for instance, can undermine the integrity of every application in your environment. That's why ITGC failures can lead to qualified audit opinions even when your application-level controls look fine on paper.
How to Implement
Get access management right across all technology infrastructure. Implement identity and access management, role-based access control, privileged access management, MFA for administrative access, and regular access reviews. Follow least privilege, and make sure terminations and role changes trigger timely access updates.

Formalize your change management process for all technology changes: application code, system configurations, infrastructure modifications, and database changes. Every change should have documentation, a risk/impact assessment, testing, approval, implementation steps, and a rollback plan. Keep development, testing, and production environments separated.

Build solid IT operations controls. Automate backups and regularly test recovery. Monitor systems for performance and availability issues. Manage job scheduling and batch processing. Have incident management procedures ready for technology issues.

Secure your software development lifecycle. Implement secure coding practices, require code reviews, run static and dynamic application security testing, scan dependencies for vulnerabilities, and integrate security testing into your CI/CD pipeline. Security should be baked into development, not bolted on at the end.

Harden all infrastructure against industry benchmarks such as the CIS Benchmarks. Use configuration management tools to enforce and monitor compliance. Document baseline configurations and track any deviations.

Implement network security controls: firewall management, network segmentation, intrusion detection and prevention, and encryption for data in transit. Review firewall rules, network architecture, and security configurations regularly to keep them current.
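The access-review step above (least privilege, MFA for administrators, timely removal on termination) is the kind of check that can be scripted so it runs on a fixed cadence rather than relying on a manual spreadsheet. The following is an added example, not code from the page or from AuditFront; the HR roster, the IAM export, and their field names are constructed sample data and assumed schemas, not any vendor's format. It joins the two data sets and returns the four findings an auditor most often asks about: terminated users still holding access, privileged accounts without MFA, accounts past the review window, and enabled accounts with no named owner.

```python
"""Access-review checks for IT general controls (added example).

Constructed inputs: an HR roster and an IAM account export. Field
names are assumptions for illustration, not a real vendor schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str                      # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class IamAccount:
    user: str
    enabled: bool
    privileged: bool                 # holds an administrative role
    mfa_enforced: bool
    last_reviewed: date              # date of the last documented access review


# Constructed sample data: one terminated user, one admin without MFA,
# one service account that nobody in HR owns and nobody has reviewed.
HR_ROSTER = [
    HrRecord("alice", "active"),
    HrRecord("bob", "terminated", date(2024, 3, 1)),
    HrRecord("carol", "active"),
]
IAM_EXPORT = [
    IamAccount("alice", True, True, True, date(2024, 4, 1)),
    IamAccount("bob", True, False, True, date(2024, 1, 15)),
    IamAccount("carol", True, True, False, date(2024, 4, 1)),
    IamAccount("svc-deploy", True, True, True, date(2023, 9, 1)),
]
REVIEW_DATE = date(2024, 6, 1)       # "as of" date for this review run


def terminated_with_access(roster, accounts, as_of, grace_days=1):
    """Enabled accounts whose owner left more than grace_days ago."""
    left = {r.user: r.terminated_on for r in roster if r.status == "terminated"}
    return sorted(a.user for a in accounts
                  if a.enabled and a.user in left
                  and as_of > left[a.user] + timedelta(days=grace_days))


def admins_without_mfa(accounts):
    """Enabled privileged accounts that are not MFA-enforced."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.privileged and not a.mfa_enforced)


def overdue_reviews(accounts, as_of, cadence_days=90):
    """Enabled accounts not reviewed within the review cadence."""
    return sorted(a.user for a in accounts
                  if a.enabled and (as_of - a.last_reviewed).days > cadence_days)


def orphan_accounts(roster, accounts):
    """Enabled accounts with no HR record (service accounts need a named owner)."""
    known = {r.user for r in roster}
    return sorted(a.user for a in accounts if a.enabled and a.user not in known)


def run_review(roster, accounts, as_of):
    """Return every finding category as a sorted list of user names."""
    return {
        "terminated_with_access": terminated_with_access(roster, accounts, as_of),
        "admins_without_mfa": admins_without_mfa(accounts),
        "overdue_reviews": overdue_reviews(accounts, as_of),
        "orphan_accounts": orphan_accounts(roster, accounts),
    }


if __name__ == "__main__":
    for finding, users in run_review(HR_ROSTER, IAM_EXPORT, REVIEW_DATE).items():
        print(f"{finding}: {users}")
```

The output of each run, together with the ticket that closed every finding, is the kind of access-review evidence listed under "Evidence Your Auditor Will Request"; the grace period and cadence are parameters so they can be set to whatever the access management policy actually states.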
Evidence Your Auditor Will Request
- Access management policies and procedures with evidence of least privilege implementation
- Change management process documentation with records of changes, approvals, and testing
- IT operations procedures including backup schedules, monitoring configurations, and recovery test results
- SDLC security controls documentation including code review and security testing evidence
- Infrastructure hardening standards and configuration compliance monitoring results
Common Mistakes
- Privileged access is broadly granted without the principle of least privilege or regular review
- Change management process is bypassed for emergency changes without adequate documentation or post-review
- Backups are performed but never tested for recoverability, creating false confidence in disaster recovery
- Development and production environments share access or are not adequately separated
- Infrastructure is deployed with default configurations without applying security hardening standards
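The "backups performed but never tested" mistake above is avoidable with a restore test that is itself automated and produces a verifiable result. The following is an added example, not code from the page or from AuditFront: it builds a small constructed data set, backs it up to a tar archive, restores it into a separate directory, and compares every file against a SHA-256 manifest taken at backup time. The second mode deliberately corrupts the restored copy to show that the check reports the damaged file rather than silently passing.

```python
"""Backup recoverability test (added example, not from the page).

Back up a directory, restore it elsewhere, and verify each file by
SHA-256 against a manifest captured at backup time. The sample files
and paths are constructed for illustration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map relative path -> SHA-256 hex digest for every file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tar of source and return the manifest of expected hashes."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return sha256_tree(source)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing unsafe members where supported."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")   # Python 3.12+ (and backports)
        except TypeError:
            tar.extractall(target)                  # older interpreters lack the filter


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return a list of problems: files missing from, or altered in, the restore."""
    actual = sha256_tree(restored)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def run_recovery_test(corrupt: bool = False) -> list:
    """Build sample data, back up, restore, optionally tamper, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, restored = base / "data", base / "restored"
        (src / "db").mkdir(parents=True)
        # Constructed sample files standing in for application data and config.
        (src / "db" / "customers.csv").write_bytes(b"id,name\n1,alice\n2,bob\n")
        (src / "config.yaml").write_bytes(b"retention_days: 30\n")

        archive = base / "backup.tar.gz"
        manifest = create_backup(src, archive)
        restored.mkdir()
        restore_backup(archive, restored)
        if corrupt:
            # Simulate silent corruption of the restored copy.
            (restored / "db" / "customers.csv").write_bytes(b"id,name\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore problems:", run_recovery_test())
    print("corrupted restore problems:", run_recovery_test(corrupt=True))
```

An empty problem list from a scheduled run, stored alongside the backup job log, is the recovery test result auditors ask for; a non-empty list should open an incident under the IT operations procedures rather than being overwritten by the next run.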
Related Controls Across Frameworks
Frequently Asked Questions
What are the most critical ITGCs for SOC 2?
How do we handle emergency changes?
Do cloud environments change our ITGC requirements?