Ocybersec
Cybersecurity & vCISO Services
Free Assessment Tool
SOC 2 Type 1 · CC1 · Control Environment
How ready is your organization
for SOC 2 CC1 compliance?
Answer 25 questions across the 5 COSO Control Environment principles and get an instant compliance readiness score — no email required.
✓ 25 questions · ~5 minutes
✓ Instant donut chart results
✓ Covers all 5 CC1 criteria
✓ 100% free
1. CC1.1 — Commitment to Integrity & Ethical Values
COSO Principle 1 · The entity demonstrates a commitment to integrity and ethical values
Q1. Does your organization have a formally documented Code of Conduct or Code of Ethics that has been approved by senior management or the board?
Q2. Is the Code of Conduct communicated to all employees, contractors, and relevant third parties, with acknowledgment of receipt documented?
Q3. Does your organization have a whistleblower or ethics reporting mechanism (e.g., hotline or anonymous reporting channel) for employees to report policy violations?
Q4. Are deviations from the Code of Conduct investigated and addressed consistently, with disciplinary actions applied when warranted?
Q5. Does senior leadership visibly model and reinforce ethical behavior in day-to-day operations, demonstrating a "tone at the top" culture?
2. CC1.2 — Board Independence & Oversight
COSO Principle 2 · The board demonstrates independence from management and exercises oversight
Q1. Does your organization have a board of directors, advisory board, or equivalent oversight body that includes members independent of management?
Q2. Does the oversight body have defined responsibilities for cybersecurity and internal control oversight, documented in a charter or governance policy?
Q3. Does the oversight body receive regular reports on cybersecurity risks, incidents, and the status of security controls at least quarterly?
Q4. Are board or oversight meeting minutes documented and retained as evidence of governance decisions and cybersecurity discussions?
Q5. Does the oversight body have the authority and demonstrated willingness to challenge management on security and control matters when necessary?
3. CC1.3 — Organizational Structure & Authority
COSO Principle 3 · Management establishes structure, reporting lines, and appropriate authorities
Q1. Does your organization have a documented organizational chart with clearly defined reporting lines for security and IT functions?
Q2. Are security roles and responsibilities formally assigned and documented (e.g., in job descriptions or a RACI matrix), including who owns security policy and risk management?
Q3. Does your organization have a designated security function or individual (e.g., CISO, vCISO, or Security Manager) with adequate authority to implement and enforce security controls?
Q4. Are security and compliance responsibilities embedded into business processes, with clear escalation paths for security incidents and policy exceptions?
Q5. Does your organization review and update its security organizational structure at least annually, or when significant changes occur (e.g., M&A, leadership changes)?
4. CC1.4 — Competence & Talent Development
COSO Principle 4 · The entity demonstrates commitment to attract, develop, and retain competent individuals
Q1. Does your organization define and document the cybersecurity skills and competencies required for all security-relevant roles?
Q2. Is there a formal security awareness training program in place that is completed by all employees at onboarding and at least annually thereafter?
Q3. Does your organization conduct background checks for employees and contractors in roles with access to sensitive systems or data?
Q4. Are performance evaluations for security personnel tied to security objectives, and is there a process to address skill gaps through training or recruitment?
Q5. Does your organization have documented succession or contingency plans for critical security roles to ensure continuity if key personnel depart?
5. CC1.5 — Accountability & Performance
COSO Principle 5 · The entity holds individuals accountable for internal control responsibilities
Q1. Are security control responsibilities explicitly assigned to named individuals or roles, with clear accountability for control design, operation, and monitoring?
Q2. Does your organization measure and report security performance metrics (e.g., vulnerability remediation SLAs, training completion rates, incident response times) to management?
Q3. Are security-related KPIs and control deficiencies formally tracked, with remediation owners and target dates assigned?
Q4. Are there formal consequences (e.g., performance impact, disciplinary action) for employees who fail to meet their internal control obligations, consistently applied across the organization?
Q5. Does management conduct periodic reviews of internal control effectiveness for CC1 and report findings to the oversight body with evidence of corrective actions taken?
Next Step · Free Full Assessment
This was just CC1.
SOC 2 has 9 criteria (CC1–CC9).
Book a free 30-minute discovery call and receive a complete SOC 2 Type 1 Security TSC & CCPA gap assessment covering all 9 Common Criteria — delivered within 10 business days.
🔍 Full CC1–CC9 gap assessment
📋 Prioritized remediation roadmap
🤝 No obligation · 30 minutes
🤖 AI-powered · Results in 10 days
Founder-led · 25+ years experience · Serving US Startups & SMBs
