Obtain and Use Relevant, Quality Information
Plain English Translation
Organizations must ensure they collect, generate, and use high-quality, relevant data to support their internal controls and security posture. Under SOC 2 CC2.1, this involves implementing robust logging, monitoring systems, and reporting dashboards that capture accurate and complete data. This quality information allows management to actively monitor system performance, identify potential security vulnerabilities, and make informed risk-management decisions.
Technical Implementation
Required actions are listed below by organization size.
Required Actions (startup)
- Implement basic system and network monitoring tools.
- Configure centralized logging for critical systems.
- Establish simple alerting rules for critical security events.
Required Actions (scaleup)
- Deploy comprehensive SIEM or logging platforms to aggregate internal and external data.
- Create dashboards to track system performance, resource utilization, and key security metrics.
- Automate alerts for anomalies or threshold breaches to ensure timely responses.
Required Actions (enterprise)
- Integrate advanced analytics into monitoring workflows.
- Establish formal data quality and integrity checks for all audit evidence and logs.
- Maintain real-time compliance dashboards mapped directly to key performance indicators.
SOC 2 CC2.1 requires organizations to obtain or generate and use relevant, quality information to support the functioning of internal control. This means identifying information requirements and capturing internal and external data that is timely, current, accurate, and complete.
Auditors typically look for screenshots of monitoring dashboards, system performance metrics, and sample logs or alerts from monitoring tools. They want to verify that logging and monitoring software is properly configured to collect data from infrastructure components and endpoint systems.
Organizations define information requirements by identifying the specific data needed to support the functioning of internal control components and the achievement of organizational objectives. This includes evaluating the necessary data sources, setting logging configurations, and establishing metric definitions.
You can prove data quality by demonstrating that information systems maintain quality throughout processing. This involves utilizing automated centralized logging tools, protecting data integrity with access controls, and conducting regular reviews to assess the relevance and accuracy of the information. Tools like WatchDog Security's Compliance Center can help track evidence completeness and freshness by mapping required logs, dashboards, and reports to CC2.1 and highlighting missing periods or overdue reviews.
Common failures include incomplete system logging, failing to configure alerts for critical security events, or relying on manual data extracts that lack integrity controls. Auditors may also issue exceptions if management cannot prove that the data used for monitoring internal controls is reliable.
Dashboards and metrics process relevant data into actionable information, allowing management to visualize system performance, potential vulnerabilities, and resource utilization. These tools provide continuous visibility, ensuring that the organization actively uses quality information to support internal control.
Internal and external data sources should be captured by securely configured information systems and validated through automated integrity checks. Organizations must ensure that data imported from external vendors or third-party tools is verifiable, protected, and retained appropriately.
To ensure information quality, organizations must implement systems that capture, transform, and process data while rigorously maintaining its integrity. Processes should include secure log aggregation, strict access controls over reporting tools, and periodic reviews to verify data accuracy.
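The "formal data quality and integrity checks" for logs and audit evidence, and the "missing periods or overdue reviews" that a compliance tool is expected to flag, can be reduced to three concrete tests on the evidence itself: is every reporting period present, does each artifact still match the digest recorded when it was collected, and is the newest record recent enough. The script below is an added example, not code from this page or from WatchDog Security's products. It assumes (hypothetically) that logs are exported as one newline-delimited JSON file per day and that a SHA-256 manifest is written at collection time; the sample exports, the manifest and the tampered file are all constructed inline.

```python
"""
Added example (not part of the original page): automated timeliness,
completeness and integrity checks over daily log evidence, the three
properties CC2.1 asks management to be able to demonstrate.
All sample data below is constructed.
"""
import hashlib
import json
from datetime import date, datetime, timedelta


def sha256_hex(text: str) -> str:
    """Digest used for the evidence manifest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2026-02-22T07:45:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample evidence: one newline-delimited JSON log export per day
# (assumed layout; real exports would come from the logging platform).
COLLECTED_EXPORTS = {
    "2026-02-19": '{"ts":"2026-02-19T08:00:00Z","event":"login","user":"alice"}\n'
                  '{"ts":"2026-02-19T16:30:00Z","event":"config_change","user":"bob"}\n',
    "2026-02-20": '{"ts":"2026-02-20T09:15:00Z","event":"login","user":"carol"}\n',
    # 2026-02-21 is deliberately absent so the completeness check has a gap to find.
    "2026-02-22": '{"ts":"2026-02-22T07:45:00Z","event":"alert_ack","user":"alice"}\n',
}

# Manifest written at collection time: the digest of each export as received.
MANIFEST = {day: sha256_hex(body) for day, body in COLLECTED_EXPORTS.items()}

# What a reviewer later finds in the evidence store. The 2026-02-20 file has
# been edited after collection (constructed tampering), so its digest no longer matches.
STORED_EXPORTS = dict(COLLECTED_EXPORTS)
STORED_EXPORTS["2026-02-20"] += '{"ts":"2026-02-20T23:59:00Z","event":"login","user":"mallory"}\n'


def evaluate_evidence(stored: dict, manifest: dict, period_start: str, period_end: str,
                      now: str, max_staleness_hours: float = 24.0) -> dict:
    """Report completeness, integrity and timeliness of daily log evidence.

    period_start / period_end are ISO dates (inclusive); now is an RFC 3339 timestamp.
    """
    # Completeness: every day in the reporting period must have an export.
    start, end = date.fromisoformat(period_start), date.fromisoformat(period_end)
    expected_days = [(start + timedelta(days=i)).isoformat()
                     for i in range((end - start).days + 1)]
    missing_days = [day for day in expected_days if day not in stored]

    # Integrity: stored content must hash to the digest recorded at collection.
    integrity_failures = sorted(
        day for day, body in stored.items()
        if manifest.get(day) != sha256_hex(body)
    )

    # Timeliness: the newest record across the intact exports must be recent enough.
    latest = None
    for day, body in stored.items():
        if day in integrity_failures:
            continue  # tampered evidence is not trusted for any property
        for line in body.splitlines():
            if line.strip():
                ts = _parse_ts(json.loads(line)["ts"])
                if latest is None or ts > latest:
                    latest = ts
    stale = latest is None or (_parse_ts(now) - latest) > timedelta(hours=max_staleness_hours)

    return {
        "missing_days": missing_days,
        "integrity_failures": integrity_failures,
        "latest_record": latest,
        "stale": stale,
        "acceptable": not missing_days and not integrity_failures and not stale,
    }


def demo() -> dict:
    """Run the checks over the constructed evidence store and print the findings."""
    report = evaluate_evidence(
        STORED_EXPORTS, MANIFEST,
        period_start="2026-02-19", period_end="2026-02-22",
        now="2026-02-22T12:00:00Z", max_staleness_hours=24,
    )
    for key, value in report.items():
        print(f"{key}: {value}")
    return report


if __name__ == "__main__":
    demo()
```

On the constructed store the report lists 2026-02-21 as a missing period and 2026-02-20 as an integrity failure, while the timeliness check passes; the control is only marked acceptable when all three properties hold. Records from an export that fails its digest check are excluded from the timeliness calculation so that altered evidence cannot be used to make stale monitoring look current.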
SOC 2 CC2.1 directly aligns with COSO Principle 13, which emphasizes that an entity must use relevant, quality information to support the functioning of internal control. Accurate reporting relies on capturing robust internal and external data to inform management decisions and compliance activities.
Operationalizing this control requires cross-functional collaboration to define logging standards, deploy centralized monitoring solutions, and establish clear alerting thresholds. Teams must work together to ensure that dashboards and reports reflect accurate, real-time data supporting organizational objectives.
Audits of SOC 2 CC2.1 often result in exceptions when evidence is scattered across tools and collected inconsistently, making it hard to show completeness and timeliness. Tools like WatchDog Security's Compliance Center can centralize evidence requests, automate recurring evidence collection, and flag missing or stale artifacts so teams can demonstrate that monitoring data and reports are current and reliable.
Keeping dashboards and monthly reports current requires clear ownership, collection schedules, and a way to spot gaps before an audit. Tools like WatchDog Security's Policy Management can track control owners and review cadences, while WatchDog Security's Compliance Center can map required artifacts to CC2.1 and highlight overdue evidence so reporting remains timely.
"COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-22 | WatchDog Security GRC Team | Initial publication |