Overview
Technology General Controls are the policies and procedures that ensure cloud infrastructure is securely configured, changed, and accessed in a controlled manner. This process establishes and annually reviews access management, change management, and configuration controls to meet SOC 2 CC5.2 and CC5.3 requirements.
Step-by-Step Process
Define control scope
The Engineering Lead identifies in-scope cloud environments, accounts, and services supporting SOC 2 systems. Document which production, staging, and shared services are covered and confirm alignment with the system description. The output is an approved Technology Controls Scope document.
Role: Engineering Lead
Review access control design
Review role-based access control, privileged access, and authentication mechanisms for all in-scope environments. Confirm least privilege, MFA enforcement, and separation of duties are defined and implemented. The output is a documented access control design review.
Role: Engineering Lead
Validate change management procedures
Confirm that infrastructure and code changes require documented approval, testing, and rollback plans. Verify that changes are tracked through tickets or pull requests and linked to deployments. The output is a validated change management procedure with examples.
Role: Engineering Lead
Assess configuration baselines
Review baseline configurations for networks, compute, storage, and logging against internal standards. Identify deviations and document remediation actions or risk acceptance. The output is a signed configuration baseline assessment.
Role: Engineering Lead
Test control operation
Select samples of access changes, infrastructure changes, and configuration updates from the review period. Verify evidence shows controls operated as designed. The output is a completed control test worksheet with pass/fail results.
Role: Security Analyst
Document exceptions and remediation
Log any control gaps, exceptions, or failures identified during testing. Assign owners and target remediation dates and track completion. The output is an exception log with status updates.
Role: Engineering Lead
Perform annual management review
Conduct a formal annual review of technology general controls and approve continued effectiveness. Sign and date the review to demonstrate management oversight. The output is a management review sign-off.
Role: Engineering Lead
What You Need Before Starting
- Current SOC 2 system description
- Access to cloud provider admin consoles (AWS, Azure, GCP)
- Change management records (tickets, pull requests, deployment logs)
- Internal security and access control policies
Evidence Your Auditor Expects
- Technology Controls Scope document approved and dated (YYYY-MM-DD)
- Screenshot of MFA and IAM role settings with timestamp visible
- Sample change ticket or pull request showing approval and merge date
- Annual management review sign-off document dated (YYYY-MM-DD)
How This Looks In Your Tools
AWS
Log in to the AWS Management Console and navigate to IAM > Account settings to confirm MFA and password policies. Capture screenshots of root account MFA status and IAM role permissions.
Go to CloudTrail > Trails to verify logging is enabled for all regions and management events. Export the trail configuration page showing last updated date.
Navigate to AWS Config > Rules to review configuration compliance and download the compliance report for in-scope resources.
Azure
Sign in to the Azure Portal and go to Microsoft Entra ID > Security > Conditional Access to review MFA and access policies. Screenshot enabled policies with modification dates.
Navigate to Subscriptions > Activity log and confirm logs are retained and exported to Log Analytics. Export a log settings screenshot.
Go to Azure Policy > Compliance to review policy assignments and download the compliance summary.
GCP
Access the Google Cloud Console and navigate to IAM & Admin > IAM to review roles and members. Capture screenshots showing role assignments and last modified dates.
Go to IAM & Admin > Audit Logs to verify Admin Activity and Data Access logs are enabled. Export settings showing retention configuration.
Navigate to Security > Security Command Center > Settings to review enabled standards and export the findings summary.
Common Audit Findings
- Lack of documented annual review: This occurs when controls operate but no formal management review is recorded. Prevent it by scheduling a calendar-based annual review and retaining a signed, dated approval.
- Excessive privileged access: Overly broad roles are often granted for convenience and not revisited. Prevent this by enforcing role reviews during the annual access assessment and removing unused permissions.
- Incomplete change evidence: Changes may be approved verbally or outside the ticketing system. Require all infrastructure changes to reference an approved ticket or pull request before deployment.
- Missing configuration baselines: Teams rely on default cloud settings without documented standards. Prevent this by maintaining written baseline configurations and reviewing them annually.