
SOC 2 CC5.3: COSO Principle 12: Deploys Through Policies and Procedures

What This Control Requires

The entity deploys control activities through policies that establish what is expected and procedures that put policies into action. Policies reflect management's directives and are implemented through procedures that ensure consistent execution of control activities.

In Plain Language

Auditors consistently flag the same problem: controls that live in people's heads rather than in documented policies and procedures. When a key person leaves, the control leaves with them. CC5.3 is about formalising your controls so they're consistent, repeatable, and auditable.

Policies define the rules - what the organisation expects. Procedures describe the steps - how to actually carry out those rules. Every significant control area needs both. For example, an access management policy establishes the principles of least privilege and separation of duties, while the corresponding procedures describe how to request, approve, provision, review, and revoke access.

For the audit, documented policies and procedures are a baseline expectation. Assessors will review policies for completeness, check that procedures are detailed enough to follow consistently, and test whether what actually happens matches what's documented. The gap between documentation and reality is one of the most frequent findings in SOC 2 audits.

How to Implement

Start with a policy framework that establishes the structure, format, and governance for all security and IT policies. Define standard sections (purpose, scope, policy statements, roles and responsibilities, exceptions, enforcement, review schedule), approval requirements, and the lifecycle for creating, reviewing, and retiring policies.

Write policies for all major control areas in your SOC 2 scope. At minimum, cover: information security, access management, change management, incident response, data classification and handling, acceptable use, vendor management, business continuity and disaster recovery, encryption, and data retention and disposal.

For each policy, create corresponding procedures with step-by-step guidance. A procedure should be specific enough that a qualified person encountering the task for the first time can follow it successfully. Include decision criteria, tool references, templates, and expected outcomes for each step.

Set up policy governance. Mandate review cycles (at least annual), define the approval chain (typically the policy owner, security leadership, and executive management), maintain version control and change tracking, and ensure everyone who needs current versions can find them.

Keep policies accessible. Use a centralised repository - an intranet, document management system, or GRC platform - with search and version control. Notify affected people when policies change, and require acknowledgement of critical policies.

Audit compliance regularly. Compare actual practices against documented procedures and close any gaps - either update the documentation to reflect genuinely improved practices, or correct the practices to match the documentation. Never leave a known gap between the two.

Evidence Your Auditor Will Request

  • Policy framework document defining standards for policy creation, review, and governance
  • Complete set of security and IT policies covering all major control areas in SOC 2 scope
  • Corresponding procedures for each policy with step-by-step implementation guidance
  • Policy review and approval records showing regular review cycles and version control
  • Policy acknowledgment records and evidence of employee access to current policy versions

Common Mistakes

  • Policies exist but corresponding procedures are missing, leaving implementation to individual interpretation
  • Policies have not been reviewed or updated in over a year and do not reflect current practices or technologies
  • Procedures are outdated and reference tools or processes that are no longer in use
  • Policies are stored in locations that are not easily accessible to the employees who need them
  • Actual practices differ significantly from documented procedures with no plan to reconcile the gap

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.1         Equivalent
ISO 27001    A.5.37        Related
NIST CSF     GV.PO-01      Equivalent

Frequently Asked Questions

How many security policies do we need?

A typical mid-size organisation needs 10 to 15 core security policies. Smaller organisations can consolidate related topics into fewer, broader documents. What matters is complete coverage of all control areas, not hitting a specific number. Avoid both extremes - a single monolithic policy that nobody reads, and dozens of narrow policies that nobody can navigate.

Who should approve security policies?

The policy owner (usually the CISO or equivalent), executive management (showing organisational commitment), and in some cases legal and compliance teams (for regulatory alignment). The board or audit committee should approve the overarching information security policy. Document the approval chain for each policy so auditors can verify governance is in place.

What is the difference between a policy, standard, procedure, and guideline?

A policy states organisational intent at a high level - it's mandatory. A standard sets the minimum requirements for implementing a policy - also mandatory. A procedure gives step-by-step instructions for carrying out a standard or policy - mandatory. A guideline recommends best practices but isn't compulsory. For SOC 2, you need policies and procedures at minimum. Standards and guidelines are useful but not strictly required.
