Skip to main content
This page lists the highest-traffic SOC 2 Common Criteria controls and the exact evidence Codex collects for each. Use it during audit prep to predict what your auditor will see.

CC6 — Logical and Physical Access Controls

CC6.1 — Logical access provisioning

When an HRIS connector is wired, Codex correlates the HRIS hire-date record to the IdP provisioning event so auditors see the full chain: HRIS hire → IdP provisioning → app assignments. Evidence shape per provisioning event:
What auditors verify: every provisioning event has a documented business reason. Codex links to the corresponding HRIS new-hire record so the chain is “HRIS hire → IdP provisioning → app assignments” with timestamps showing each step happened in the right order.

CC6.2 — User access reviews

Codex generates a quarterly access-review snapshot:
  • Per user: list of apps assigned, role within each app, last activity date
  • Per app: list of users with access, broken down by role
  • Diff vs previous review: who was added, removed, or changed roles
Reviewers (typically managers) get a Codex link to approve or flag each user. The auditor sees the completed review with reviewer identity + timestamp + decisions.

CC6.3 — Role-based access enforcement

Source data:
  • IdP role assignments per app (via SCIM or app-specific API)
  • Per-app admin/owner/member counts
  • Privileged-access reports (admin role count by app, with named users)
Auditors look for: separation of duties (e.g. the same person isn’t dev + ops + finance admin) and least privilege (e.g. fewer admins than members).

CC6.6 — Logical access removal on termination

The control most companies fail. Codex measures the gap between HRIS termination and IdP deactivation.
For an auditor, this is the killer evidence: a real timestamp diff per terminated employee proving the SLA holds. Codex also flags any termination where IdP deactivation didn’t happen within 24h — those become exceptions you have to remediate before audit.

CC6.7 — Encryption at rest

Codex polls these daily and flags any unencrypted resource as a material exception.

CC6.8 — Endpoint protection

CC7 — System Operations

CC7.1 — Vulnerability management

Codex tracks:
  • All findings from Snyk, Wiz, CrowdStrike, Dependabot, GHAS
  • Time to triage + time to remediate per severity
  • SLA compliance rates (% of High findings resolved within 30d, etc.)

CC7.2 — Security event detection

Source data: SIEM connector events (Datadog, Splunk, Sumo, New Relic). Codex pulls:
  • Event volume per category (auth failures, anomalous logins, privilege escalations)
  • Alert rules configured + last fired
  • Coverage gaps (event sources NOT being collected)

CC7.3 — Incident response

Per-incident evidence:

CC7.4 — Recovery from incidents

Auditors specifically want to see restore tests. Codex sends quarterly reminders to your backup owner to test a restore and upload the result.

CC8 — Change Management

CC8.1 — Change authorization

Codex pulls every merged PR from connected code hosts (GitHub, GitLab) and verifies:
  • Required reviewers met
  • Branch protection rules enforced (no direct pushes to main)
  • CI passed before merge

What this catalog isn’t

This isn’t the complete list — it’s the controls that drive 80% of audit attention. Other CC controls (CC1-5 governance, CC9 risk mitigation) are mostly policy + process, not auto-evidenceable. See the SOC 2 framework guide for the full mapping.