Risk Mitigation

SOC 2 CC9: Common Criteria related to Risk Mitigation

What is SOC 2 Risk Mitigation (CC9)?

Risk mitigation is an incredibly important aspect of managing your organization’s security. While being able to respond to security incidents is essential, the best way to safeguard your organization is to reduce the likelihood of problems occurring in the first place. Your risk mitigation plan needs to be strategic, and the guidelines outlined in SOC 2 Common Criteria related to Risk Mitigation (CC9) can help ensure your assets are protected— and that your organization’s propensity for risk is minimized.

After determining whether or not you need a SOC report, following the Common Criteria related to Risk Mitigation will help keep your organization safe, and reduce the chances of your business facing issues such as business disruption or a breach in security. These guidelines also include specific measures for risk mitigation related to privacy, availability, and confidentiality.

What are the Requirements for SOC 2’s CC9?

The SOC CC9 guidelines provide guidance and clear-cut, actionable ways to implement risk mitigation. It’s an approach that works to not only prevent problems, but also to lessen the negative impact of security incidents if and when they should occur. CC9 is a bit more straight forward than some of the previous ones we’ve written about, so we’ll break it down at the Criteria level as the words simply look better that way.

Common Criteria 9.1

The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

In a way, CC9.1 is very similar to CC7.5’s requirements to recover from security incidents, but at the same time, it’s not. It’s asking you to take a further step back and think through the impact of a security incident that disrupts business operations – which is more than CC7.5’s more tactical approach to adding some duct tape to it and getting moving again. Controls to consider here would be related to systems backup and restoration procedures, a business continuity plan or a disaster recovery plan. You’ll also find yourself using some of the same thought processes from CC3, CC4 and CC5 related to risk assessment and related follow up.

The other part of CC9.1 is to “consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.” While the AICPA is certainly using the term “consider”, we’ve yet to run into a client that hasn’t had it or wasn’t willing to get it as it’s usually something that gets required by your customers before they start demanding a SOC 2 report.

Common Criteria 9.2

The entity assesses and manages risks associated with vendors and business partners.

To summarize, CC9.2 wants you to have a vendor risk management program to manage the risks associated to your vendors. This is because you can always outsource your work but you cannot outsource your responsibilities and commitments that you’ve made to your customers related to security (or anything else you agreed to do for them). We did a deeper dive in this within our Vendor Management: What You Need to Know article, but we’ve summarized the points of focus here as well.

  • Establishing set requirements such as scope, responsibilities, compliance requirements, and service levels for entities your organization works with (such as vendors or business partners).
  • Assessing vendor and business partner risk levels on a periodic basis, as well as the risk levels of anyone whom those vendors and partners work with.
  • Establishing accountability and defined responsibility related to risk mitigation for vendors and business partners.
  • Establishing clear-cut communication and resolution protocols for vendors and business partners.
  • Having exception handling procedures in place for vendors and partners.
  • Periodically and systematically assessing the performance of your business partners and vendors.
  • Having a system in place for handling issues that may arise with your partners and vendors.
  • Having a system in place for terminating vendors and ending business partner relationships if needed.

Bonus Points related to Confidentiality

In cases where the SOC CC9 guidelines are being used for confidentiality, additional requirements include:

  • Obtaining confidentiality commitments from vendors and business partners who have access to confidential information.
  • Assessing the compliance of these confidentiality commits from business partners and vendors on both an ongoing and as-needed basis.

Bonus Points related to Privacy

In cases where the SOC CC9 guidelines are being used for privacy, additional requirements include:

  • Obtaining privacy commitments from vendors and business partners who have access to personal information.
  • Assessing the compliance of these privacy commits from business partners and vendors on both an ongoing and as-needed basis.

The goal of these guidelines is to help your organization be prepared for a variety of scenarios that may present a threat to security. By paying attention to aspects of your business such as vendors you work with, environmental risks, and backup data needs, you can reduce the chance and severity of common (and serious) issues from occurring.


Now that you understand how to abide by the CC9 guidelines, and you’ve looked at your own organization through the lens of the SOC 2, it’s time to develop ways you can better align your organization’s protocols with these best practices.

Take a look at these action items that will help you implement a strong risk mitigation strategy:

  • Understand what could lead to business disruptions, and have a plan (which you constantly evaluate, update, and monitor) in place to deal with a disruption of business should it occur.
  • Consider using insurance.
  • Be diligent about the vendors and business partners you work with, and plan for everything from defining roles, to monitoring performance, to terminating the relationship.
  • Plan for environmental threats, and consider backing up your data in an offsite location.

Risk mitigation is one of the cornerstones of organizational security. Addressing risks within your own organization isn’t enough—instead you need to take a broader approach to reduce the likelihood of incidents occurring, and to lessen their impacts when they happen.

By now, hopefully you have a grasp on the requirements of the CC9. It’s a important and far-reaching topic, and the implications of enacting them properly can impact every facet of your business. If you want professional help with risk mitigation, or any of the other components of the SOC 2 guidelines, reach out to our team of experts today.