← Frameworks / SOC 2 TSC / Coverage Analysis

SOC 2 Trust Services Criteria — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each SOC 2 TSC requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Clauses: 122
Avg Coverage: 65.5%
Publisher: AICPA
Coverage Distribution
Full (85-100%): 47 Substantial (65-84%): 22 Partial (40-64%): 35 Weak (1-39%): 18
SOC 2 TSC → SP 800-53 SP 800-53 → SOC 2 TSC Coverage Analysis

Clause-by-Clause Analysis

Sorted by clause
A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives
SC-05 SC-06
65%

Rationale

AU-04, SC-05, CP-02, and CA-07 partially address capacity management in specific contexts.

Gaps

Lacks comprehensive capacity management. SOC 2 A1.1 requires proactive capacity planning across all system components; SP 800-53 addresses capacity in narrow contexts (audit storage, DoS).

Mapped Controls

SC-05 SC-06
A1.1-POF1 A1.1 POF1: Manages capacity to meet objectives — Processing capacity and use of system components are managed
SC-05
60%

Rationale

AU-04 manages audit storage capacity; SC-05 protects against capacity exhaustion through DoS.

Gaps

Gaps in comprehensive capacity planning, trending, threshold alerting, and proactive management across all infrastructure components.

Mapped Controls

SC-05
A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives
CP-01 CP-02 CP-06 CP-07 +17
85%

Rationale

PE family, CP-09, CP-06/CP-07/CP-08, and CP-10 provide comprehensive availability infrastructure. SC-24 (new in Rev 5) adds fail-safe recovery.

Gaps

Strong coverage. SP 800-53 environmental and recovery controls are comprehensive.

Mapped Controls

CP-01 CP-02 CP-06 CP-07 CP-08 CP-09 CP-10 PE-01 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-16 PE-17 PE-18 PE-19 RA-03 SC-24
A1.2-POF1 A1.2 POF1: Implements recovery infrastructure and software — Recovery infrastructure is implemented and maintained
CP-01 CP-02 CP-10 PE-01 +1
85%

Rationale

CP-06, CP-07, CP-09, and CP-10 provide recovery infrastructure.

Gaps

Minimal gap. Recovery infrastructure well-addressed.

Mapped Controls

CP-01 CP-02 CP-10 PE-01 RA-01
A1.2-POF2 A1.2 POF2: Implements environmental protections — Environmental protections for data centers and facilities are implemented
CP-01 CP-02 CP-10 PE-01 +1
90%

Rationale

PE-09 through PE-15 provide comprehensive environmental protections for power, fire, temperature, and water damage.

Gaps

Excellent coverage. PE family is comprehensive for environmental protections.

Mapped Controls

CP-01 CP-02 CP-10 PE-01 PE-14
A1.2-POF3 A1.2 POF3: Implements data backup processes — Data backup and recovery processes are implemented and maintained
CP-01 CP-02 CP-10 PE-01
90%

Rationale

CP-09 directly addresses data backup processes including scheduling, testing, and offsite storage.

Gaps

Minimal gap. CP-09 comprehensively covers data backup.

Mapped Controls

CP-01 CP-02 CP-10 PE-01
A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives
CP-04
90%

Rationale

CP-04, CP-03, and IR-03 directly address recovery plan testing.

Gaps

Excellent coverage. CP-04 directly requires recovery plan testing.

Mapped Controls

CP-04
C1.1 The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality
CM-12 MP-01 MP-02
80%

Rationale

RA-02, AC-04, MP-03, and SC-28 address identification and protection. CM-12 (new in Rev 5) strengthens information location tracking.

Gaps

Good coverage. Minor gap: SOC 2 C1.1 uses business-context confidentiality classification; SP 800-53 uses FIPS 199 methodology.

Mapped Controls

CM-12 MP-01 MP-02
C1.1-POF1 C1.1 POF1: Identifies confidential information — The entity has procedures to identify confidential information
PL-02
75%

Rationale

RA-02 covers security categorization; MP-03 covers media labeling.

Gaps

Good coverage through categorization. Minor gap in business-context confidentiality classification beyond security categorization.

Mapped Controls

PL-02
C1.2 The entity disposes of confidential information to meet the entity's objectives related to confidentiality
AU-11 SI-12
85%

Rationale

MP-06, SI-12, and SR-12 address secure disposal of confidential information.

Gaps

Strong coverage. MP-06 provides comprehensive media sanitization; SI-12 covers retention and disposal policies.

Mapped Controls

AU-11 SI-12
CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values
CA-07 PL-04 PL-09 PS-01
35%

Rationale

PS-08 addresses sanctions, PL-04 covers rules of behavior. PL-09 (new in Rev 5) adds central management of policy. However, SP 800-53 is a technical catalog and does not directly address ethical culture.

Gaps

SOC 2 CC1.1 requires codes of conduct, board oversight of ethics, and deviation remediation. SP 800-53 lacks controls for ethical culture establishment and governance-level integrity.

Mapped Controls

CA-07 PL-04 PL-09 PS-01
CC1.1-POF1 CC1.1 POF1: Sets the tone at the top — The board of directors and management demonstrate commitment to integrity and ethical values
PS-01
20%

Rationale

PM-01 and PM-02 establish security program leadership but do not address tone-at-the-top for integrity and ethics.

Gaps

No SP 800-53 equivalent for board/management setting ethical tone. Focuses on security program management, not organizational ethics.

Mapped Controls

PS-01
CC1.1-POF2 CC1.1 POF2: Establishes standards of conduct — Expectations of the board and senior management concerning integrity and ethical values are defined
25%

Rationale

PL-04 (Rules of Behavior) partially covers conduct standards but focuses on system use rather than broad ethics.

Gaps

PL-04 covers system use rules but not enterprise-wide standards of conduct, codes of ethics, or integrity expectations.

CC1.1-POF3 CC1.1 POF3: Evaluates adherence to standards of conduct — Processes are in place to evaluate performance against standards of conduct
CA-02 CA-07 PS-01
20%

Rationale

PS-08 addresses consequences for violations but does not cover systematic evaluation of adherence.

Gaps

No SP 800-53 control for systematic evaluation of adherence to conduct standards. PS-08 is reactive, not proactive.

Mapped Controls

CA-02 CA-07 PS-01
CC1.1-POF4 CC1.1 POF4: Addresses deviations in a timely manner — Deviations from standards of conduct are identified and remedied in a timely manner
PS-08
30%

Rationale

PS-08 and IR-04 partially address deviation handling for security matters.

Gaps

Addresses security-specific deviations but not general conduct deviations. No control for non-security behavioral deviation remediation.

Mapped Controls

PS-08
CC1.2 COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
PS-02
25%

Rationale

PM-01/PM-02 establish governance roles; CA-02/CA-07 provide assessment. Board independence and oversight of internal control are outside SP 800-53 scope.

Gaps

SOC 2 CC1.2 requires board independence, competence, and oversight. SP 800-53 does not address board governance or board-level oversight.

Mapped Controls

PS-02
CC1.2-POF1 CC1.2 POF1: Establishes oversight responsibilities — The board identifies and accepts its oversight responsibilities in relation to established requirements and expectations
AC-01 AT-01 AU-01 CA-01 +16
20%

Rationale

PM-02 assigns security roles but does not address board-level oversight responsibilities.

Gaps

Focuses on operational security roles, not board governance responsibilities or fiduciary duties.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PS-02 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
PS-02
45%

Rationale

PM-01, PM-02, and PM-10 establish organizational structures and responsibilities for security. Partially addresses within security scope.

Gaps

Covers security-specific organizational structure but not enterprise-wide organizational design, authority delegation, or non-security reporting lines.

Mapped Controls

PS-02
CC1.3-POF1 CC1.3 POF1: Considers all structures of the entity — Management and the board consider the multiple structures used to support the achievement of objectives
30%

Rationale

PM-07 and PM-01 consider security program structure but not all organizational structures.

Gaps

Addresses security program structure only. SOC 2 requires consideration of all structures including business units, legal entities, and locations.

CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
AT-01 AT-06 PS-01 PS-09 +1
55%

Rationale

PM-13, AT-01/AT-02/AT-03, and PS-02 address workforce competence. AT-06 (new in Rev 5) adds training feedback. PS-09 (new in Rev 5) adds position descriptions.

Gaps

Extends to all personnel, not just security staff. Gaps in general HR competency management, career development, and succession planning.

Mapped Controls

AT-01 AT-06 PS-01 PS-09 SA-02
CC1.4-POF1 CC1.4 POF1: Establishes policies and practices — Policies and practices reflect expectations of competence necessary to support the achievement of objectives
AC-01 AT-01 AU-01 CA-01 +15
50%

Rationale

AT-01 establishes training policy; PM-13 addresses security workforce competence requirements.

Gaps

Covers security competence policies. Gaps in broader organizational competence requirements and enterprise-wide competency frameworks.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
CC1.4-POF2 CC1.4 POF2: Evaluates competence and addresses shortcomings — The board and management evaluate competence and address shortcomings
AT-06 PS-01 PS-02 SA-04 +2
40%

Rationale

PM-13 includes workforce planning; AT-04 tracks training records. AT-06 (new in Rev 5) adds training feedback enabling competence evaluation.

Gaps

Supports competence tracking for security roles. Does not cover board-level or executive competence assessment or enterprise-wide gap remediation.

Mapped Controls

AT-06 PS-01 PS-02 SA-04 SR-01 SR-06
CC1.4-POF3 CC1.4 POF3: Attracts, develops, and retains individuals — The entity provides mentoring and training to attract, develop, and retain sufficient and competent personnel
AT-01 PS-01 SA-04 SR-01 +1
45%

Rationale

AT-02, AT-03 provide training; PM-13 addresses workforce development.

Gaps

Good security training coverage. Gaps in general talent acquisition, mentoring programs, retention strategies, and non-security development.

Mapped Controls

AT-01 PS-01 SA-04 SR-01 SR-06
CC1.4-POF4 CC1.4 POF4: Plans and prepares for succession — Senior management and the board develop succession plans for key roles
15%

Rationale

No direct SP 800-53 control for succession planning.

Gaps

Significant gap. PM-02 identifies key security roles but no succession or continuity of leadership requirements.

CC1.5 COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives
PL-01 PS-02 PS-04 PS-05 +3
50%

Rationale

PS-01, PS-08, PM-02, and PL-04 establish accountability. PS-09 (new in Rev 5) adds position descriptions strengthening role accountability.

Gaps

Covers security accountability through sanctions and role assignment. Lacks broader accountability structures, performance metrics, and incentive alignment.

Mapped Controls

PL-01 PS-02 PS-04 PS-05 PS-06 PS-08 PS-09
CC1.5-POF1 CC1.5 POF1: Enforces accountability through structures, authorities, and responsibilities — Management and the board establish mechanisms to communicate and hold individuals accountable
45%

Rationale

PM-02 assigns authority; PS-08 enforces through sanctions; PL-04 communicates expectations.

Gaps

Covers security-specific accountability. Gaps in enterprise-wide accountability structures and board-level accountability mechanisms.

CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control
MP-01 PL-02
55%

Rationale

AU-02/AU-03/AU-06, SI-04, and RA-03 generate and use security-relevant information. CA-07 uses control information systematically.

Gaps

Good security information coverage. SOC 2 CC2.1 extends to all information supporting internal control including financial and operational.

Mapped Controls

MP-01 PL-02
CC2.1-POF1 CC2.1 POF1: Identifies information requirements — A process is in place to identify information required to support internal control
45%

Rationale

AU-02 identifies auditable events; RA-03 identifies risk information needs.

Gaps

Covers security information requirements. Gaps in identifying information requirements for non-security internal controls and financial reporting.

CC2.2 COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
CA-07 PL-01 PT-01 SA-08 +3
50%

Rationale

AT-02, PM-01, PL-04, and IR-07 support internal communication of security-related information and responsibilities.

Gaps

Covers security communication well. Does not address enterprise-wide internal control communication or management reporting on control effectiveness.

Mapped Controls

CA-07 PL-01 PT-01 SA-08 SC-01 SI-01 SR-07
CC2.2-POF1 CC2.2 POF1: Communicates internal control information — A process is in place to communicate required information to enable all personnel to understand and carry out their responsibilities
AC-01 AT-01 AU-01 CA-01 +15
50%

Rationale

AT-02 communicates security awareness; PL-04 communicates rules of behavior; PM-01 disseminates program plan.

Gaps

Security communication well addressed. Gaps in communicating non-security internal control responsibilities and operational control expectations.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
CC2.2-POF3 CC2.2 POF3: Communicates with the board of directors — Information necessary for the board to oversee internal control is communicated
IR-01 IR-04 PS-01
25%

Rationale

PM-06 and CA-02 produce reports that could inform board communication.

Gaps

SP 800-53 does not require board-level reporting. No control specifies board communication cadence, format, or content requirements.

Mapped Controls

IR-01 IR-04 PS-01
CC2.2-POF7 CC2.2 POF7: Communicates objectives and changes to objectives — The entity communicates its objectives and changes to those objectives
AC-01 AT-01 AU-01 CA-01 +15
40%

Rationale

PM-01 includes security program objectives; CM-03 communicates configuration changes.

Gaps

Security objectives communicated via PM-01. Gaps in communicating enterprise-wide control objectives beyond security.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
CC2.2-POF10 CC2.2 POF10: Provides separate communication lines — Separate communication channels such as whistle-blower hotlines are in place and serve as fail-safe mechanisms
IR-01 IR-04
10%

Rationale

No SP 800-53 control addresses separate communication lines or whistle-blower mechanisms.

Gaps

Significant gap. Does not address anonymous reporting channels, whistle-blower hotlines, or alternative communication paths for control concerns.

Mapped Controls

IR-01 IR-04
CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control
CA-07 IR-06 PL-01
45%

Rationale

IR-06 covers external incident communication; PM-15 addresses external security community; SA-09 addresses service provider communication.

Gaps

Covers security-specific external communication but not broader stakeholder communication about control effectiveness.

Mapped Controls

CA-07 IR-06 PL-01
CC2.3-POF1 CC2.3 POF1: Communicates to external parties — Processes are in place to communicate relevant information to external parties
IR-06
45%

Rationale

IR-06 covers incident reporting to authorities; PM-15 covers security community engagement; CA-03 manages information exchange agreements.

Gaps

Security-specific external communication covered. Gaps in customer communication about controls and regulatory reporting beyond incidents.

Mapped Controls

IR-06
CC2.3-POF12 CC2.3 POF12: Provides information on notification agreements — The entity notifies external parties of system changes affecting their operation
SA-04 SR-01 SR-08
40%

Rationale

SR-08 directly addresses notification requirements in supply chain. CA-03 covers information exchange agreements.

Gaps

SR-08 covers supply chain notification. Gaps in broader customer notification about system changes and proactive stakeholder notification.

Mapped Controls

SA-04 SR-01 SR-08
CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
CA-02 PL-01 RA-01 RA-09 +2
50%

Rationale

PM-01 and PM-09 define security objectives. RA-03 requires clear risk context. RA-09 (new in Rev 5) adds criticality analysis strengthening objective specification.

Gaps

Covers security objective specification but not enterprise-wide objective setting for risk assessment purposes.

Mapped Controls

CA-02 PL-01 RA-01 RA-09 SR-02 SR-07
CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
PT-01 RA-02 RA-07 SA-08 +4
75%

Rationale

RA family comprehensively covers risk identification and analysis. RA-07 (new in Rev 5) adds risk response providing structured risk treatment decisions.

Gaps

Strong security risk coverage. Minor gaps: CC3.2 includes operational and compliance risks beyond information security.

Mapped Controls

PT-01 RA-02 RA-07 SA-08 SC-01 SI-01 SR-02 SR-07
CC3.2-POF1 CC3.2 POF1: Includes entity, subsidiary, division, operating unit, and functional levels
RA-01 RA-03
60%

Rationale

RA-03 covers risk assessment at system and organizational levels. PM-09 addresses organization-wide risk strategy.

Gaps

Addresses risk at system and organizational levels. Gaps in structured assessment across subsidiary/division/functional levels as distinct entities.

Mapped Controls

RA-01 RA-03
CC3.3 COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives
SA-04 SA-09 SR-01 SR-05
30%

Rationale

AC-05 and AU-06 support fraud detection. SI-04 can detect anomalous behavior.

Gaps

Does not explicitly require fraud risk assessment. SOC 2 CC3.3 requires consideration of fraud incentives, opportunities, and rationalizations.

Mapped Controls

SA-04 SA-09 SR-01 SR-05
CC3.3-POF1 CC3.3 POF1: Considers various types of fraud — The entity considers fraudulent reporting, possible loss of assets, and corruption
PS-01
20%

Rationale

AU-06 and SI-04 provide monitoring that could detect fraud indicators.

Gaps

Significant gap. No controls for fraud triangle analysis or assessing fraudulent reporting risk.

Mapped Controls

PS-01
CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control
CM-03 CM-04 PL-01 SA-04 +1
65%

Rationale

CM-03/CM-04, RA-03, and CA-07 address change assessment for security-impacting changes.

Gaps

Good coverage for security changes. SOC 2 CC3.4 extends to regulatory, technology, business model, and personnel changes.

Mapped Controls

CM-03 CM-04 PL-01 SA-04 SR-06
CC3.4-POF1 CC3.4 POF1: Assesses changes in the external environment — The entity considers changes in regulatory, economic, and physical environments
RA-01 RA-03
35%

Rationale

SI-05 and PM-16 address external security environment changes.

Gaps

Covers external security threat landscape. Gaps in regulatory environment changes, economic conditions, and broader external factor impacts.

Mapped Controls

RA-01 RA-03
CC3.4-POF2 CC3.4 POF2: Assesses changes in the business model — The entity considers the impact of new business lines, altered compositions of existing business lines, and acquired or divested business operations
RA-01 RA-03
15%

Rationale

PM-07 touches on business alignment but not business model change assessment.

Gaps

Significant gap. Does not address business model change impact, M&A integration risks, or new business line control requirements.

Mapped Controls

RA-01 RA-03
CC3.4-POF3 CC3.4 POF3: Assesses changes in leadership — The entity considers changes in management and other personnel
RA-01 RA-03
25%

Rationale

PS-04 and PS-05 address personnel changes from a security perspective.

Gaps

Covers access changes due to personnel transitions. Does not address leadership change impact on internal control effectiveness.

Mapped Controls

RA-01 RA-03
CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
CA-01 CA-02 PL-02 RA-01 +4
70%

Rationale

CA-02, CA-07, PM-06, and AU-06 provide strong evaluation capabilities for security controls.

Gaps

Good security control evaluation. SOC 2 CC4.1 extends to all internal control components including non-security controls.

Mapped Controls

CA-01 CA-02 PL-02 RA-01 RA-03 SA-02 SR-02 SR-07
CC4.1-POF1 CC4.1 POF1: Considers a mix of ongoing and separate evaluations — Management includes a balance of ongoing evaluations built into processes and separate evaluations
SA-11
70%

Rationale

CA-07 provides ongoing monitoring; CA-02 provides separate assessments. Good balance for security controls.

Gaps

Well-addressed for security. Gaps in ongoing/separate evaluation methodology for non-security internal controls.

Mapped Controls

SA-11
CC4.2 COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
CA-05
65%

Rationale

CA-05 (POA&M) tracks deficiencies; CA-02 reports results; PM-06 reports metrics. IR-06 covers incident reporting.

Gaps

Good deficiency tracking. SOC 2 CC4.2 requires board-level communication; SP 800-53 POA&M does not explicitly require board reporting.

Mapped Controls

CA-05
CC4.2-POF1 CC4.2 POF1: Assesses results — Management and the board assess results of ongoing and separate evaluations
CA-07
55%

Rationale

CA-02 results feed into authorization decisions; PM-06 provides measures; CA-05 tracks remediation.

Gaps

Security assessment results well-managed. Gaps in board-level assessment and non-security control evaluation reviews.

Mapped Controls

CA-07
CC4.2-POF2 CC4.2 POF2: Communicates deficiencies — Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board as appropriate
CA-07
55%

Rationale

CA-05 communicates through POA&M; IR-06 reports incidents; PM-06 provides metrics.

Gaps

Security deficiency communication well-established. Gaps in board-level deficiency communication and formal escalation paths.

Mapped Controls

CA-07
CC5.1 COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
AC-05 PT-01 RA-01 SA-08 +2
70%

Rationale

The SP 800-53 catalog provides control activities mitigating security risks. PM-09 guides selection; CA-02 validates effectiveness.

Gaps

Strong security control selection. SOC 2 CC5.1 extends to operational and compliance control activities beyond security.

Mapped Controls

AC-05 PT-01 RA-01 SA-08 SC-01 SI-01
CC5.2 COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives
CA-02 PL-01 PT-01 SA-01 +5
85%

Rationale

SP 800-53 comprehensively covers technology general controls across access control, change management, system protection, and monitoring.

Gaps

Excellent coverage. Minor gap: SOC 2 frames these as supporting all objectives; SP 800-53 frames them as security controls.

Mapped Controls

CA-02 PL-01 PT-01 SA-01 SA-03 SA-04 SA-08 SC-01 SI-01
CC5.2-POF1 CC5.2 POF1: Determines dependency between the use of technology in business processes and technology general controls
60%

Rationale

PM-07 and SA-03 address technology-business alignment.

Gaps

Addresses technology controls but explicit dependency mapping between business processes and IT general controls is not directly required.

CC5.3 COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action
AC-01 AT-01 AU-01 CA-01 +18
80%

Rationale

Every family starts with policy/procedure. PL-09 (new in Rev 5) adds central management strengthening policy deployment.

Gaps

Strong coverage. Every family has a -01 policy control. Minor gap: SOC 2 expects policies for all control activities, not just security.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PL-09 PS-01 PS-02 PS-07 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
CC5.3-POF1 CC5.3 POF1: Establishes policies and procedures to support deployment of management's directives
AC-01 AT-01 AU-01 CA-01 +15
80%

Rationale

Every SP 800-53 family includes a -01 control requiring policy and procedures. Consistent pattern.

Gaps

Excellent for security policies and procedures. Minor gap in non-security management directive deployment.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
CC5.3-POF6 CC5.3 POF6: Reassesses policies and procedures — Management periodically reassesses policies and procedures for continued relevance and effectiveness
AC-01 AT-01 AU-01 CA-01 +15
75%

Rationale

All -01 controls require periodic review and update. PM-01 requires program plan updates.

Gaps

Requires periodic review of all security policies. Minor gap in linking reassessment to changing business conditions.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SR-01
CC6.1 Logical and Physical Access Controls — The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives
AC-01 AC-02 AC-03 AC-04 +13
90%

Rationale

AC, IA, PE families and SC-07 provide comprehensive access controls. CA-09 (new in Rev 5) adds internal system connections strengthening internal access governance.

Gaps

Excellent coverage. Minor gap: SOC 2 frames in entity objective terms; SP 800-53 is more technically prescriptive.

Mapped Controls

AC-01 AC-02 AC-03 AC-04 AC-06 CA-09 IA-01 IA-02 IA-03 IA-04 IA-05 SC-01 SC-07 SC-08 SC-12 SC-13 SC-17
CC6.1-POF1 CC6.1 POF1: Identifies and manages the inventory of information assets — The entity identifies and manages information assets
CM-08 CM-12 SA-05
85%

Rationale

CM-08 and PM-05 cover asset identification. CM-12 (new in Rev 5) adds information location tracking strengthening asset-to-data mapping.

Gaps

Good asset inventory. Minor gap in non-IT information asset inventory (paper records, intellectual property catalogs).

Mapped Controls

CM-08 CM-12 SA-05
CC6.1-POF2 CC6.1 POF2: Restricts logical access — Access to information assets is restricted through logical access security measures
CA-01 CA-02 PT-01 SA-08 +2
95%

Rationale

AC-03, AC-06, AC-02, and AC-17 comprehensively cover logical access restriction.

Gaps

Minimal gap.

Mapped Controls

CA-01 CA-02 PT-01 SA-08 SC-01 SI-01
CC6.1-POF3 CC6.1 POF3: Considers network segmentation — Network segmentation is implemented to restrict access
AC-01 IA-01 IA-02 IA-03 +1
95%

Rationale

SC-07 directly addresses network segmentation. AC-04 controls data flow between segments.

Gaps

Minimal gap. SC-07 is comprehensive for network segmentation.

Mapped Controls

AC-01 IA-01 IA-02 IA-03 IA-04
CC6.1-POF4 CC6.1 POF4: Manages points of access — Points of access to information assets are managed and protected
IA-02 IA-04
90%

Rationale

SC-07 manages network access points; AC-17 manages remote entry points; PE-03 manages physical access points.

Gaps

Strong coverage. Minor gap in comprehensive access point inventory as a unified concept.

Mapped Controls

IA-02 IA-04
CC6.1-POF5 CC6.1 POF5: Restricts access to information assets — Access to information assets is restricted through identity management
SC-01 SC-07
95%

Rationale

IA-02, IA-04, IA-05, and AC-02 provide comprehensive identity-based access restriction.

Gaps

Minimal gap.

Mapped Controls

SC-01 SC-07
CC6.1-POF6 CC6.1 POF6: Manages identification and authentication — User identification and authentication is managed
AC-04
95%

Rationale

IA family comprehensively covers identification and authentication including MFA, authenticator lifecycle, and identity proofing.

Gaps

Minimal gap.

Mapped Controls

AC-04
CC6.1-POF7 CC6.1 POF7: Manages credentials for infrastructure and software — System and application credentials are managed
AC-01 AC-06 AU-02 CM-02 +4
90%

Rationale

IA-05 covers credential management; CM-06 includes credential configuration; SA-04 requires security capabilities in acquisitions.

Gaps

Strong coverage. Minor gap in application-level credential management and service account lifecycle.

Mapped Controls

AC-01 AC-06 AU-02 CM-02 CM-06 CM-07 IA-01 SA-08
CC6.1-POF8 CC6.1 POF8: Uses encryption to protect data — Encryption is used to protect data at rest and in transit
AC-01 IA-01 IA-02 IA-03
90%

Rationale

SC-12, SC-13, SC-08, and SC-28 provide comprehensive encryption coverage for data at rest and in transit.

Gaps

Excellent encryption coverage. Minor gap: SOC 2 frames in access control context; SP 800-53 treats as system/communications protection.

Mapped Controls

AC-01 IA-01 IA-02 IA-03
CC6.1-POF9 CC6.1 POF9: Protects encryption keys — Encryption keys are managed to protect data
AC-01 CA-01 CA-06 IA-01
90%

Rationale

SC-12 directly addresses key management including generation, distribution, storage, and destruction.

Gaps

Strong coverage. SC-12 comprehensively addresses key management lifecycle.

Mapped Controls

AC-01 CA-01 CA-06 IA-01
CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity
90%

Rationale

AC-02 covers user registration, authorization, and provisioning. PS-03 covers pre-access screening. IA-04 covers credential issuance.

Gaps

Excellent coverage. Minor gap in external user lifecycle management specifics.

CC6.2-POF1 CC6.2 POF1: Controls access credentials to protected assets — New internal and external users are registered and authorized prior to being issued credentials and granted access
90%

Rationale

AC-02 requires authorization before account creation; PS-03 requires screening; IA-04 manages identifiers.

Gaps

Minimal gap. Pre-access authorization well covered.

CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties
95%

Rationale

AC-02, AC-03, AC-05, AC-06, PS-04, and PS-05 directly address access lifecycle with least privilege and SoD.

Gaps

Minimal gap. Comprehensively covers access authorization, modification, and removal.

CC6.3-POF1 CC6.3 POF1: Creates or modifies access — Processes are in place to create or modify access to protected assets
95%

Rationale

AC-02 covers account creation, modification, and lifecycle management. AC-06 enforces least privilege.

Gaps

Minimal gap.

CC6.4 The entity restricts physical access to facilities and protected information assets to authorized personnel to meet the entity's objectives
PE-01 PE-02 PE-03
90%

Rationale

PE-02, PE-03, PE-06, and PE-08 provide comprehensive physical access control.

Gaps

Excellent coverage. PE family directly addresses physical access restriction.

Mapped Controls

PE-01 PE-02 PE-03
CC6.5 The entity discontinues logical and physical access to protected information assets when that access is no longer required
MP-01 MP-06 SI-12 SR-12
90%

Rationale

PS-04, PS-05, AC-02, and PE-02 address access discontinuation across logical and physical access.

Gaps

Excellent coverage. Access revocation on termination and transfer well-addressed.

Mapped Controls

MP-01 MP-06 SI-12 SR-12
CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries
AC-01 AC-02 AC-03 AC-04 +11
90%

Rationale

SC-07, AC-04, SI-03, SI-04, SC-08, and AC-17 provide defense against external threats.

Gaps

Excellent coverage. Boundary protection and external threat mitigation are comprehensive.

Mapped Controls

AC-01 AC-02 AC-03 AC-04 AC-05 AC-17 IA-01 IA-04 SC-01 SC-07 SI-03 SI-04 SI-05 SI-07 SI-10
CC6.6-POF1 CC6.6 POF1: Restricts access — The entity restricts access through network security and entry points
AC-04 SC-01 SC-07
90%

Rationale

SC-07 provides boundary protection; AC-17 manages remote access; SC-08 protects transmissions.

Gaps

Minimal gap. Network access restriction from external sources well-covered.

Mapped Controls

AC-04 SC-01 SC-07
CC6.6-POF2 CC6.6 POF2: Protects identification and authentication credentials — Identification and authentication credentials are protected during transmission outside system boundaries
AC-01 AC-02 AC-03 AC-05 +9
90%

Rationale

SC-08, SC-13, and IA-05 protect credentials in transit.

Gaps

Strong coverage for credential protection during external transmission.

Mapped Controls

AC-01 AC-02 AC-03 AC-05 IA-01 IA-04 SC-01 SC-13 SI-03 SI-04 SI-05 SI-07 SI-10
CC6.6-POF3 CC6.6 POF3: Requires additional authentication or credentials — Additional authentication measures are required for access from outside system boundaries
AC-01 AC-17 IA-01 IA-04 +2
85%

Rationale

AC-17 and IA-02 (MFA for remote) address additional authentication for external access.

Gaps

Good coverage. Minor gap in adaptive authentication requirements.

Mapped Controls

AC-01 AC-17 IA-01 IA-04 SC-01 SC-07
CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives
AC-20 CM-13 MP-01 SC-08 +1
85%

Rationale

AC-04, MP-05, SC-07, SC-08, SC-28, and PE-16 cover information movement. CM-13 (new in Rev 5) adds data action mapping for tracking data flows.

Gaps

Strong coverage. Minor gap in comprehensive data loss prevention as an integrated concept.

Mapped Controls

AC-20 CM-13 MP-01 SC-08 SC-13
CC6.7-POF1 CC6.7 POF1: Restricts the ability to perform transmission — Data loss prevention processes are in place to detect and prevent unauthorized transmission
AU-02 CM-02 CM-06 CM-07 +1
75%

Rationale

AC-04, SC-07, SI-04, and PE-19 partially address DLP.

Gaps

Provides building blocks for DLP but no single integrated DLP control. Gaps in comprehensive DLP covering all transmission vectors.

Mapped Controls

AU-02 CM-02 CM-06 CM-07 SA-08
CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives
SC-07 SI-03 SI-07
90%

Rationale

SI-03, SI-07, CM-07, CM-11, and SI-04 comprehensively address malware prevention and detection.

Gaps

Excellent coverage. SI-03 directly addresses malicious code protection.

Mapped Controls

SC-07 SI-03 SI-07
CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities
AU-02 CA-09 CM-01 CM-02 +4
90%

Rationale

CM-03/CM-04, RA-05, SI-04, SI-05, and CA-07 provide comprehensive detection. CA-09 (new in Rev 5) monitors internal connections. SC-45 (new in Rev 5) adds time synchronization for monitoring accuracy.

Gaps

Excellent coverage. Vulnerability and configuration monitoring is comprehensive.

Mapped Controls

AU-02 CA-09 CM-01 CM-02 CM-06 RA-05 SA-08 SC-45
CC7.1-POF1 CC7.1 POF1: Uses defined configuration standards — The entity uses defined configuration standards to assess newly deployed or changed IT assets
AU-02 CM-01 CM-02 CM-06 +1
90%

Rationale

CM-02, CM-06, and CM-03 directly address configuration standards.

Gaps

Minimal gap. Configuration baseline and standard management well-covered.

Mapped Controls

AU-02 CM-01 CM-02 CM-06 SA-08
CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events
AU-01 AU-02 AU-06 AU-07 +2
90%

Rationale

SI-04, AU-06, IR-04, IR-05, and CA-07 provide comprehensive anomaly detection. SC-45 (new in Rev 5) ensures accurate timestamps for correlation.

Gaps

Excellent coverage. Monitoring, detection, and analysis capabilities are comprehensive.

Mapped Controls

AU-01 AU-02 AU-06 AU-07 SC-45 SI-04
CC7.2-POF1 CC7.2 POF1: Implements detection policies, procedures, and tools — The entity implements and maintains detection policies, procedures, and tools
AC-01 AT-01 AU-01 AU-02 +18
90%

Rationale

SI-04, AU-02, AU-06, and IR-01 cover detection policies, procedures, and tools.

Gaps

Minimal gap. Detection capability well-addressed.

Mapped Controls

AC-01 AT-01 AU-01 AU-02 AU-06 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PT-01 RA-01 SA-01 SC-01 SI-01 SI-04 SR-01
CC7.2-POF2 CC7.2 POF2: Designs detection measures — Detection measures are designed to identify anomalies including known and unknown threats
85%

Rationale

SI-04 monitors for anomalies; PM-16 covers threat intelligence; RA-05 identifies vulnerabilities.

Gaps

Good known threat coverage. Minor gap in explicit requirements for unknown/zero-day threat detection and behavioral analytics.

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures
AU-02 AU-06 AU-07 IR-01 +3
90%

Rationale

IR-04, IR-05, IR-06, and AU-06 provide comprehensive event evaluation and incident determination.

Gaps

Excellent coverage. IR family directly addresses event evaluation and corrective action.

Mapped Controls

AU-02 AU-06 AU-07 IR-01 IR-04 RA-03 SI-04
CC7.3-POF1 CC7.3 POF1: Responds to security incidents — Procedures are in place to respond to security incidents
IR-01 IR-04
90%

Rationale

IR-01, IR-04, and IR-08 directly cover incident response procedures.

Gaps

Minimal gap.

Mapped Controls

IR-01 IR-04
CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate
IR-01 IR-04 IR-05 IR-06 +1
90%

Rationale

IR family provides a complete incident response program. IR-09 (new in Rev 5) adds information spillage response for data breach scenarios.

Gaps

Excellent coverage. SP 800-53 IR family is comprehensive for incident response.

Mapped Controls

IR-01 IR-04 IR-05 IR-06 IR-09
CC7.4-POF1 CC7.4 POF1: Assigns roles and responsibilities — Roles and responsibilities for responding to incidents are assigned
IR-01 IR-04
90%

Rationale

IR-01 and IR-08 define incident response roles; PM-02 assigns security roles.

Gaps

Minimal gap.

Mapped Controls

IR-01 IR-04
CC7.4-POF2 CC7.4 POF2: Contains security incidents — Processes are in place to contain security incidents
IR-01 IR-04
90%

Rationale

IR-04 directly addresses containment activities.

Gaps

Minimal gap.

Mapped Controls

IR-01 IR-04
CC7.4-POF3 CC7.4 POF3: Mitigates ongoing security incidents — Procedures are in place to mitigate the effects of ongoing incidents
IR-01 IR-04
85%

Rationale

IR-04 covers mitigation; SI-02 supports remediation activities.

Gaps

Good coverage. Minor gap in explicit ongoing mitigation versus containment distinction.

Mapped Controls

IR-01 IR-04
CC7.4-POF4 CC7.4 POF4: Ends threats posed by security incidents — Steps are taken to end the threats posed by security incidents
IR-01 IR-04
85%

Rationale

IR-04 includes eradication; CP-10 addresses reconstitution.

Gaps

Good coverage. Minor gap in explicit threat elimination verification requirements.

Mapped Controls

IR-01 IR-04
CC7.4-POF5 CC7.4 POF5: Restores operations — Procedures are in place to restore normal operations
CP-01 CP-02 CP-10 IR-01 +2
85%

Rationale

CP-10, CP-02, and IR-04 include recovery. SC-24 (new in Rev 5) adds fail-in-known-state capability ensuring systems restore to secure configurations.

Gaps

Good coverage. CP family addresses recovery. Minor gap in linking recovery to business objectives explicitly.

Mapped Controls

CP-01 CP-02 CP-10 IR-01 IR-04 SC-24
CC7.4-POF6 CC7.4 POF6: Develops and implements communication protocols for security incidents
IR-01 IR-04 IR-05 IR-06
80%

Rationale

IR-06, IR-07, and IR-08 include communication elements.

Gaps

Good internal communication. Minor gap in structured external communication protocols for customer/stakeholder incidents.

Mapped Controls

IR-01 IR-04 IR-05 IR-06
CC7.4-POF10 CC7.4 POF10: Meets regulatory notification requirements — The entity meets notification requirements for security incidents
CP-04 IR-01 IR-04
75%

Rationale

IR-06 addresses reporting to authorities.

Gaps

Covers reporting to designated authorities. Gaps in multi-jurisdiction notification requirements and notification timeline management.

Mapped Controls

CP-04 IR-01 IR-04
CC7.4-POF11 CC7.4 POF11: Obtains understanding of nature of incident — The entity obtains understanding of the incident nature and scope
IR-01 IR-04
85%

Rationale

IR-04 includes analysis and scoping; AU-06 supports forensic analysis.

Gaps

Good coverage. Incident analysis and scoping well-addressed.

Mapped Controls

IR-01 IR-04
CC7.4-POF12 CC7.4 POF12: Remediates identified vulnerabilities — The entity remediates identified vulnerabilities following incidents
IR-01 IR-04
85%

Rationale

SI-02, CA-05, and IR-03 address post-incident vulnerability remediation.

Gaps

Good coverage. Minor gap in formal post-incident remediation verification.

Mapped Controls

IR-01 IR-04
CC7.4-POF13 CC7.4 POF13: Evaluates the effectiveness of incident response — The entity evaluates incident response effectiveness
IR-01 IR-04 IR-06
80%

Rationale

IR-03 includes lessons learned and effectiveness evaluation. CA-02 provides broader assessment.

Gaps

Good coverage. Minor gap in formal metrics-based incident response program improvement.

Mapped Controls

IR-01 IR-04 IR-06
CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents
CP-01 CP-02 CP-04 CP-09 +1
85%

Rationale

CP-02, CP-10, IR-04, and IR-03 address incident recovery.

Gaps

Good coverage. Minor gap in explicit post-incident business recovery planning.

Mapped Controls

CP-01 CP-02 CP-04 CP-09 CP-10
CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures required to meet its objectives
AU-02 CM-02 CM-03 CM-06 +2
85%

Rationale

CM-03, CM-04, CM-05, SA-10, SA-11, and SA-04 comprehensively cover change management.

Gaps

Strong coverage. Minor gap: SOC 2 includes procedure and data changes explicitly; SP 800-53 focuses primarily on IT configuration changes.

Mapped Controls

AU-02 CM-02 CM-03 CM-06 SA-03 SA-08
CC8.1-POF1 CC8.1 POF1: Manages changes throughout the system life cycle — Processes are in place to manage changes to system components through the life cycle
CM-03 SA-03
85%

Rationale

SA-03, CM-03, and SA-10 cover lifecycle change management.

Gaps

Good coverage. Minor gap in managing changes to business processes and procedures beyond IT systems.

Mapped Controls

CM-03 SA-03
CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions
CP-01 CP-02 CP-10 RA-01 +8
75%

Rationale

CP-01/CP-02/CP-04, RA-03, and PM-09 address disruption risk. RA-07 (new in Rev 5) adds structured risk response. RA-09 (new in Rev 5) adds criticality analysis for prioritization.

Gaps

Good IT disruption coverage. SOC 2 CC9.1 extends to non-IT, supply chain, and market disruptions.

Mapped Controls

CP-01 CP-02 CP-10 RA-01 RA-07 RA-09 SA-04 SR-01 SR-02 SR-03 SR-05 SR-06
CC9.1-POF1 CC9.1 POF1: Considers mitigation through business continuity — The entity considers mitigation through contingency planning
CP-01 CP-02 CP-10
80%

Rationale

CP family provides comprehensive contingency planning and business continuity for IT systems.

Gaps

Strong IT continuity coverage. Minor gap in non-IT business continuity and crisis management.

Mapped Controls

CP-01 CP-02 CP-10
CC9.2 The entity assesses and manages risks associated with vendors and business partners
SA-04 SR-01 SR-02 SR-07
80%

Rationale

SA-04, SA-09, SR-01/SR-02/SR-03, SR-05, and SR-06 provide vendor risk management.

Gaps

Good technology vendor coverage. Gaps in non-technology vendor and business partner risk assessment.

Mapped Controls

SA-04 SR-01 SR-02 SR-07
CC9.2-POF1 CC9.2 POF1: Creates policies for vendor and business partner risk management — Vendor risk management processes are established
SA-04 SR-01 SR-02 SR-07
80%

Rationale

SR-01 and SA-04 establish vendor management policies.

Gaps

Good IT vendor policies. Minor gap in non-technology vendor and business partner risk policies.

Mapped Controls

SA-04 SR-01 SR-02 SR-07
CC9.2-POF13 CC9.2 POF13: Assesses vendor and business partner risks — The entity periodically assesses vendor and business partner risks
RA-05 SI-02 SI-03 SI-05 +2
75%

Rationale

SR-06 directly addresses periodic vendor assessment.

Gaps

Good coverage. Gaps in non-supplier business partner risk assessment and comprehensive vendor risk scoring.

Mapped Controls

RA-05 SI-02 SI-03 SI-05 SR-06 SR-08
P1.0 Privacy Criteria Introduction — The entity's privacy practices meet its objectives
PT-01 SC-42
45%

Rationale

PT family added in Rev 5 provides privacy controls. PM-25/PM-26/PM-27 address privacy program management. SC-42 (new in Rev 5) adds sensor capability controls for privacy-invasive data collection.

Gaps

Rev 5 improved privacy coverage with PT family. SOC 2 privacy criteria are based on GAPP which is broader than federal privacy in SP 800-53.

Mapped Controls

PT-01 SC-42
P1.1 The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy
PT-05
55%

Rationale

PT-05 directly addresses privacy notice. PT-03 requires purpose specification.

Gaps

PT-05 covers notice. Gaps in notice timing, content specifics, and accessibility across all channels.

Mapped Controls

PT-05
P1.1-POF1 P1.1 POF1: Communicates to data subjects — Privacy notices are provided to data subjects
PT-03 PT-05
55%

Rationale

PT-05 addresses notice provision.

Gaps

Covers notice delivery. Gaps in specific content requirements, multi-language support, and channel-specific formats.

Mapped Controls

PT-03 PT-05
P1.1-POF5 P1.1 POF5: Provides notice of changes — Data subjects are notified of changes to the entity's privacy practices
AC-01 AT-01 AU-01 CA-01 +16
40%

Rationale

PT-05 may require notice updates. No specific control for change notification to data subjects.

Gaps

Does not explicitly require notification to data subjects when privacy practices change. Gap in change notification timing and opt-out.

Mapped Controls

AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 PT-01 PT-05 RA-01 SA-01 SC-01 SI-01 SR-01
P1.2 The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects and obtains consent
40%

Rationale

PT-04 addresses consent. PT-02 covers legal basis for processing.

Gaps

Gaps in comprehensive choice mechanisms (opt-in/out, granular consent), presentation at collection, and ongoing consent management.

P1.3 The entity collects personal information only for the purposes identified in the notice to the data subject
CM-13 SC-42
50%

Rationale

PT-03 requires purpose specification. PT-02 limits processing to authorized purposes. CM-13 (new in Rev 5) maps data actions. SC-42 (new in Rev 5) controls sensor data collection.

Gaps

Addresses purpose limitation. Gaps in purpose enforcement at collection point and preventing scope creep.

Mapped Controls

CM-13 SC-42
P1.4 The entity limits the use of personal information to the purposes identified in the notice and for which the data subject has provided explicit consent
CM-13
50%

Rationale

PT-03 and PT-02 address use limitation. CM-13 (new in Rev 5) data action mapping helps document and enforce use boundaries.

Gaps

Covers purpose limitation conceptually. Gaps in enforcement mechanisms, secondary use prevention, and audit of actual use against stated purposes.

Mapped Controls

CM-13
P1.5 The entity retains personal information consistent with the entity's objectives related to privacy
CM-13
55%

Rationale

SI-12 and PT-03 address retention. MP-06 supports disposal. CM-13 (new in Rev 5) helps document retention context through data action mapping.

Gaps

Covers retention and disposal. Gaps in retention schedule alignment with privacy notice and automated enforcement based on purpose completion.

Mapped Controls

CM-13
P1.6 The entity disposes of personal information to meet the entity's privacy objectives
CM-13
65%

Rationale

MP-06, SI-12, and SR-12 address secure disposal. CM-13 (new in Rev 5) supports disposal tracking through data action mapping.

Gaps

Good technical disposal coverage. Minor gaps in privacy-specific disposal triggers and third-party disposal enforcement.

Mapped Controls

CM-13
P1.7 The entity discloses personal information to third parties with the consent of the data subject or as authorized under applicable law or regulation
CM-13
40%

Rationale

PT-04 and SA-09 partially address third-party disclosure. CM-13 (new in Rev 5) data action mapping helps track disclosure flows.

Gaps

Gaps in third-party disclosure tracking, consent verification before sharing, use limitation agreements, and cross-border transfer requirements.

Mapped Controls

CM-13
P1.8 The entity provides data subjects with access to their personal information for review and correction
SI-18
30%

Rationale

PT-06 addresses individual access in the federal context. SI-18 (new in Rev 5) adds PII quality operations supporting data accuracy mechanisms.

Gaps

PT-06 is Privacy Act-specific. Gaps in general data subject access rights, access request processing, and identity verification for requests.

Mapped Controls

SI-18
P1.9 The entity provides data subjects the ability to update and correct personal information
SI-18
25%

Rationale

PT-06 addresses correction in federal context. SI-18 (new in Rev 5) PII quality operations supports data correction and accuracy maintenance.

Gaps

Significant gap for commercial context. No general control for correction mechanisms, verification, or propagation of corrections to third parties.

Mapped Controls

SI-18
PI1.1 The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services
SA-01
50%

Rationale

SA-05, SI-10, and SI-12 partially address processing information quality.

Gaps

SOC 2 PI1.1 focuses on processing integrity including data definitions and specifications. SP 800-53 addresses validation and documentation but not business-level processing specs.

Mapped Controls

SA-01
PI1.2 The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives
PL-01 SA-01 SA-04
60%

Rationale

SI-09, SI-10, and AU-10 address input controls.

Gaps

Provides input validation and accuracy controls. Gaps in comprehensive input completeness verification and end-to-end processing integrity.

Mapped Controls

PL-01 SA-01 SA-04
PI1.3 The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives
PL-01 SA-01 SA-04
55%

Rationale

SI-07, SI-10, and AU-02/AU-03 address processing controls.

Gaps

Provides integrity verification and audit. Gaps in business process validation, transaction processing integrity, and output reconciliation.

Mapped Controls

PL-01 SA-01 SA-04
PI1.4 The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives
AU-02 AU-03 AU-09 PE-05 +1
50%

Rationale

SI-12, AU-03, and PE-05 partially address output controls.

Gaps

Addresses output handling and audit trails. Gaps in output completeness verification, accuracy validation, and delivery confirmation.

Mapped Controls

AU-02 AU-03 AU-09 PE-05 SA-01
PI1.5 The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives
AU-09 MP-01 SA-01 SI-12
55%

Rationale

SC-28, MP-04, CP-09, and SI-12 address storage of processing data.

Gaps

Covers data storage protection and backup. Gaps in storage integrity verification for processing items and specification-based storage validation.

Mapped Controls

AU-09 MP-01 SA-01 SI-12

Methodology and Disclaimer

This coverage analysis maps from SOC 2 TSC clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.