GCGood Companyยท Trust Centre
All systems operational

Good Company
Trust Centre

Good company is good so you also should feel good then everybody feels good that is a good thing happen only for good people during good times

Certifications

Independently audited

Click any certification to see scope, auditor and how to access the underlying report.

SOC2 POWERED BY SWISE

SOC2

Issued by Amaru

Good Certificate

AuditorAmaruScopeWebapp
Attachments

Controls

CC1 CONTROL ENVIRONMENT

  • โœ“CC1.1 COSO Principle 1 (Integrity and Ethical Values)
  • โœ“CC1.2 COSO Principle 2 (Board Oversight and Independence)
  • โœ“CC1.4 COSO Principle 4 (Attracting, Developing, and Retaining Competent Individuals)
  • โœ“CC1.3 COSO Principle 3 (Organizational Structure and Responsibilities)
  • โœ“CC1.5 COSO Principle 5 (Accountability for Internal Control Responsibilities)
View 2 more CC1 CONTROL ENVIRONMENT controls

CC1 CONTROL ENVIRONMENT

  • โœ“CC1.2 COSO Principle 2 (Board Oversight and Independence)
  • โœ“CC1.3 COSO Principle 3 (Organizational Structure and Responsibilities)
  • โœ“CC1.1 COSO Principle 1 (Integrity and Ethical Values)
  • โœ“CC1.4 COSO Principle 4 (Attracting, Developing, and Retaining Competent Individuals)
  • โœ“CC1.5 COSO Principle 5 (Accountability for Internal Control Responsibilities)
View 2 more CC1 CONTROL ENVIRONMENT controls

6 Planning (Mandatory Clause)

  • โœ“6.1.2 Information security risk assessment: Actions to address risks and opportunities
  • โœ“6.2 Information security objectives and planning to achieve them
  • โœ“6.1.1 General - Actions to address risks and opportunities
  • โœ“6.1.3 Information security risk treatment: Actions to address risks and opportunities
  • โœ“6.3 Planning of changes
View 2 more 6 Planning (Mandatory Clause) controls

CC1 CONTROL ENVIRONMENT

  • โœ“CC1.5 COSO Principle 5 (Accountability for Internal Control Responsibilities)
  • โœ“CC1.1 COSO Principle 1 (Integrity and Ethical Values)
  • โœ“CC1.3 COSO Principle 3 (Organizational Structure and Responsibilities)
  • โœ“CC1.2 COSO Principle 2 (Board Oversight and Independence)
  • โœ“CC1.4 COSO Principle 4 (Attracting, Developing, and Retaining Competent Individuals)
View 2 more CC1 CONTROL ENVIRONMENT controls

Organizational Context (GV.OC)

  • โœ“Legal and Regulatory Cybersecurity Management
  • โœ“Communication of Stakeholder Expectations
  • โœ“Aligned Cybersecurity with Mission
  • โœ“Organizational Dependency Understanding
  • โœ“Stakeholder-Centric Cybersecurity Approach
View 2 more Organizational Context (GV.OC) controls

Organizational Context (GV.OC)

  • โœ“Communication of Stakeholder Expectations
  • โœ“Aligned Cybersecurity with Mission
  • โœ“Stakeholder-Centric Cybersecurity Approach
  • โœ“Organizational Dependency Understanding
  • โœ“Legal and Regulatory Cybersecurity Management
View 2 more Organizational Context (GV.OC) controls

4 Context of the organization (Mandatory Clause)

  • โœ“4.3 Determining the scope of the information security management system
  • โœ“4.4 Information security management system
  • โœ“4.2 Understanding the needs and expectations of interested parties
  • โœ“4.1 Understanding the organization and its context
View 1 more 4 Context of the organization (Mandatory Clause) controls

CC2 COMMUNICATION AND INFORMATION

  • โœ“CC2.3 COSO Principle 15 (External Communication)
  • โœ“CC2.1 COSO Principle 13 (Relevant and Quality Information)
  • โœ“CC2.2 COSO Principle 14 (Internal Communication of Information)

4 Context of the organization (Mandatory Clause)

  • โœ“4.2 Understanding the needs and expectations of interested parties
  • โœ“4.3 Determining the scope of the information security management system
  • โœ“4.1 Understanding the organization and its context
  • โœ“4.4 Information security management system
View 1 more 4 Context of the organization (Mandatory Clause) controls

Risk Management Strategy (GV.RM)

  • โœ“Aligning Organizational Cybersecurity Objectives
  • โœ“Communicating Risk Appetite and Tolerance
  • โœ“Integrating Cybersecurity into Risk Processes
  • โœ“Strategic Cybersecurity Response
  • โœ“Communication for Cybersecurity Risks
  • โœ“Standardize Cybersecurity Risk Prioritization
  • โœ“Strategic Opportunities in Cybersecurity Discussions
View 4 more Risk Management Strategy (GV.RM) controls

CC2 COMMUNICATION AND INFORMATION

  • โœ“CC2.3 COSO Principle 15 (External Communication)
  • โœ“CC2.2 COSO Principle 14 (Internal Communication of Information)
  • โœ“CC2.1 COSO Principle 13 (Relevant and Quality Information)

5 Leadership (Mandatory Clause)

  • โœ“5.3 Organizational roles, responsibilities and authorities
  • โœ“5.1 Leadership and commitment
  • โœ“5.2 Policy

CC2 COMMUNICATION AND INFORMATION

  • โœ“CC2.2 COSO Principle 14 (Internal Communication of Information)
  • โœ“CC2.3 COSO Principle 15 (External Communication)
  • โœ“CC2.1 COSO Principle 13 (Relevant and Quality Information)

Risk Management Strategy (GV.RM)

  • โœ“Strategic Opportunities in Cybersecurity Discussions
  • โœ“Standardize Cybersecurity Risk Prioritization
  • โœ“Integrating Cybersecurity into Risk Processes
  • โœ“Aligning Organizational Cybersecurity Objectives
  • โœ“Communicating Risk Appetite and Tolerance
  • โœ“Strategic Cybersecurity Response
  • โœ“Communication for Cybersecurity Risks
View 4 more Risk Management Strategy (GV.RM) controls

Identity Management, Authentication, and Access Control (PR.AA)

  • โœ“Proofing and Binding Identities to Credentials
  • โœ“Management of Physical Asset Access
  • โœ“User, Service, and Hardware Identities
  • โœ“Identity Assertions Verification
  • โœ“Management of Access Permissions
  • โœ“Authentication of Users, Services, and Hardware
View 3 more Identity Management, Authentication, and Access Control (PR.AA) controls

C1 Additional Criteria for Confidentiality

  • โœ“C1.1 Confidentiality of Information
  • โœ“C1.2 Disposal of Confidential Information

C1 Additional Criteria for Confidentiality

  • โœ“C1.1 Confidentiality of Information
  • โœ“C1.2 Disposal of Confidential Information

C1 Additional Criteria for Confidentiality

  • โœ“C1.1 Confidentiality of Information
  • โœ“C1.2 Disposal of Confidential Information

5 Leadership (Mandatory Clause)

  • โœ“5.1 Leadership and commitment
  • โœ“5.2 Policy
  • โœ“5.3 Organizational roles, responsibilities and authorities

6 Planning (Mandatory Clause)

  • โœ“6.1.3 Information security risk treatment: Actions to address risks and opportunities
  • โœ“6.2 Information security objectives and planning to achieve them
  • โœ“6.1.1 General - Actions to address risks and opportunities
  • โœ“6.1.2 Information security risk assessment: Actions to address risks and opportunities
  • โœ“6.3 Planning of changes
View 2 more 6 Planning (Mandatory Clause) controls

Data Security (PR.DS)

  • โœ“Protection of Data-in-Transit
  • โœ“Protection of Data-at-Rest
  • โœ“Protection of Data-in-Use
  • โœ“Management and Testing of Data Backups
View 1 more Data Security (PR.DS) controls

Roles, Responsibilities, and Authorities (GV.RR)

  • โœ“Ethical Cybersecurity Leadership
  • โœ“Resources Aligned with Cybersecurity Strategy
  • โœ“Enforcement of Cybersecurity Responsibilities
  • โœ“Integration of Cybersecurity into HR Practices
View 1 more Roles, Responsibilities, and Authorities (GV.RR) controls

7 Support (Mandatory Clause)

  • โœ“7.5.1 General - Documented information
  • โœ“7.3 Awareness
  • โœ“7.5.3 Control of documented information - Documented information
  • โœ“7.1 Resources
  • โœ“7.2 Competence
  • โœ“7.4 Communication
  • โœ“7.5.2 Creating and updating - Documented information
View 4 more 7 Support (Mandatory Clause) controls

Roles, Responsibilities, and Authorities (GV.RR)

  • โœ“Ethical Cybersecurity Leadership
  • โœ“Enforcement of Cybersecurity Responsibilities
  • โœ“Resources Aligned with Cybersecurity Strategy
  • โœ“Integration of Cybersecurity into HR Practices
View 1 more Roles, Responsibilities, and Authorities (GV.RR) controls

CC3 RISK ASSESSMENT

  • โœ“CC3.2 COSO Principle 7 (Risk Identification and Assessment)
  • โœ“CC3.1 COSO Principle 6 (Clearly Defined Objectives)
  • โœ“CC3.3 COSO Principle 8 (Fraud Risk Assessment)
  • โœ“CC3.4 COSO Principle 9 (Identification of Changes Impacting Internal Control)
View 1 more CC3 RISK ASSESSMENT controls

CC6 LOGICAL AND PHYSICAL ACCESS CONTROLS

  • โœ“CC6.3 Access Authorization and Modification
  • โœ“CC6.4 Physical Access Restriction
  • โœ“CC6.2 User Registration and Deprovisioning
  • โœ“CC6.1 Logical Access Security
  • โœ“CC6.6 Logical Access Security Measures
  • โœ“CC6.5 Decommissioning of Physical Assets
  • โœ“CC6.7 Information Transmission, Movement, and Removal
  • โœ“CC6.8 Malicious Software Prevention and Detection
View 5 more CC6 LOGICAL AND PHYSICAL ACCESS CONTROLS controls

7 Support (Mandatory Clause)

  • โœ“7.1 Resources
  • โœ“7.5.1 General - Documented information
  • โœ“7.2 Competence
  • โœ“7.4 Communication
  • โœ“7.3 Awareness
  • โœ“7.5.2 Creating and updating - Documented information
  • โœ“7.5.3 Control of documented information - Documented information
View 4 more 7 Support (Mandatory Clause) controls

P4 Privacy Criteria Related to Use, Retention, and Disposal

  • โœ“P4.1 Purpose-Bound Personal Information Usage
  • โœ“P4.2 Privacy-Aligned Personal Information Retention
  • โœ“P4.3 Privacy-Compliant Personal Information Disposal

P4 Privacy Criteria Related to Use, Retention, and Disposal

  • โœ“P4.1 Purpose-Bound Personal Information Usage
  • โœ“P4.2 Privacy-Aligned Personal Information Retention
  • โœ“P4.3 Privacy-Compliant Personal Information Disposal

CC3 RISK ASSESSMENT

  • โœ“CC3.2 COSO Principle 7 (Risk Identification and Assessment)
  • โœ“CC3.1 COSO Principle 6 (Clearly Defined Objectives)
  • โœ“CC3.3 COSO Principle 8 (Fraud Risk Assessment)
  • โœ“CC3.4 COSO Principle 9 (Identification of Changes Impacting Internal Control)
View 1 more CC3 RISK ASSESSMENT controls

9 Performance evaluation (Mandatory Clause)

  • โœ“9.2.2 Internal audit programme - Internal audit
  • โœ“9.3.3 Management review results - Management review
  • โœ“9.3.2 Management review inputs - Management review
  • โœ“9.3.1 General - Management review
  • โœ“9.1 Monitoring, measurement, analysis and evaluation
  • โœ“9.2.1 General -Internal audit
View 3 more 9 Performance evaluation (Mandatory Clause) controls

Policy (GV.PO)

  • โœ“Cybersecurity Risk Management Policy
  • โœ“Enforcement of Cybersecurity Risk Policy

9 Performance evaluation (Mandatory Clause)

  • โœ“9.3.3 Management review results - Management review
  • โœ“9.1 Monitoring, measurement, analysis and evaluation
  • โœ“9.3.1 General - Management review
  • โœ“9.2.1 General -Internal audit
  • โœ“9.2.2 Internal audit programme - Internal audit
  • โœ“9.3.2 Management review inputs - Management review
View 3 more 9 Performance evaluation (Mandatory Clause) controls

CC3 RISK ASSESSMENT

  • โœ“CC3.1 COSO Principle 6 (Clearly Defined Objectives)
  • โœ“CC3.2 COSO Principle 7 (Risk Identification and Assessment)
  • โœ“CC3.4 COSO Principle 9 (Identification of Changes Impacting Internal Control)
  • โœ“CC3.3 COSO Principle 8 (Fraud Risk Assessment)
View 1 more CC3 RISK ASSESSMENT controls

Incident Response Reporting and Communication (RS.CO)

  • โœ“Incident Notification to Stakeholders
  • โœ“Sharing Information with Stakeholders

Incident Analysis (RS.AN)

  • โœ“Integrity of Investigation Records
  • โœ“Incident Analysis & Root Cause Establishment
  • โœ“Estimation of Incident Magnitude
  • โœ“Preservation of Incident Data
View 1 more Incident Analysis (RS.AN) controls

6 People Controls (Sec Control)

  • โœ“6.1 Screening (Sec Control)
  • โœ“6.6 Confidentiality or non-disclosure agreements (Sec Control)
  • โœ“6.5 Responsibilities after termination or change of employment (Sec Control)
  • โœ“6.8 Information security event reporting (Sec Control)
  • โœ“6.4 Disciplinary process (Sec Control)
  • โœ“6.2 Terms and conditions of employment (Sec Control)
  • โœ“6.3 Information security awareness, education and training (Sec Control)
  • โœ“6.7 Remote working (Sec Control)
View 5 more 6 People Controls (Sec Control) controls

CC4 MONITORING ACTIVITIES

  • โœ“CC4.1 COSO Principle 16 (Evaluating Internal Control)
  • โœ“CC4.2 COSO Principle 17 (Communicating Internal Control Deficiencies)

Risk Assessment (ID.RA)

  • โœ“Identification of Vulnerabilities
  • โœ“Prioritizing and Planning Risk Responses
  • โœ“Assessment of Threat Impacts and Likelihoods
  • โœ“Management of Changes and Exceptions
  • โœ“Receipt of Cyber Threat Intelligence
  • โœ“Identification of Internal and External Threats
  • โœ“Inherent Risk and Prioritizing Responses
  • โœ“Vulnerability Disclosure Response Processes
  • โœ“Hardware and Software Integrity
  • โœ“Assessment of Critical Suppliers
View 7 more Risk Assessment (ID.RA) controls

5 Organizational Controls (Sec Control)

  • โœ“5.26 Response to information security incidents (Sec Control)
  • โœ“5.29 Information security during disruption (Sec Control)
  • โœ“5.2 Information security roles and responsibilities (Sec Control)
  • โœ“5.8 Information security in project management (Sec Control)
  • โœ“5.3 Segregation of duties (Sec Control)
  • โœ“5.19 Information security in supplier relationships (Sec Control)
  • โœ“5.1 Policies for information security - (Sec Control)
  • โœ“5.33 Protection of records (Sec Control)
  • โœ“5.10 Acceptable use of information and other associated assets (Sec Control)
  • โœ“5.35 Independent review of information security (Sec Control)
  • โœ“5.21 Managing information security in the ICT supply chain (Sec Control)
  • โœ“5.22 Monitoring, review and change management of supplier services (Sec Control)
  • โœ“5.37 Documented operating procedures (Sec Control)
  • โœ“5.36 Compliance with policies, rules and standards for information security (Sec Control)
  • โœ“5.14 Information transfer (Sec Control)
  • โœ“5.23 Information security for use of cloud services (Sec Control)
  • โœ“5.5 Contact with authorities (Sec Control)
  • โœ“5.4 Management responsibilities (Sec Control)
  • โœ“5.6 Contact with special interest groups (Sec Control)
  • โœ“5.7 Threat intelligence (Sec Control)
  • โœ“5.9 Inventory of information and other associated assets (Sec Control)
  • โœ“5.13 Labelling of information (Sec Control)
  • โœ“5.11 Return of assets (Sec Control)
  • โœ“5.12 Classification of information (Sec Control)
  • โœ“5.17 Authentication information (Sec Control)
  • โœ“5.15 Access control (Sec Control)
  • โœ“5.16 Identity management (Sec Control)
  • โœ“5.18 Access rights (Sec Control)
  • โœ“5.20 Addressing information security within supplier agreements (Sec Control)
  • โœ“5.27 Learning from information security incidents (Sec Control)
  • โœ“5.24 Information security incident management planning and preparation (Sec Control)
  • โœ“5.25 Assessment and decision on information security events (Sec Control)
  • โœ“5.28 Collection of evidence (Sec Control)
  • โœ“5.30 ICT readiness for business continuity (Sec Control)
  • โœ“5.31 Legal, statutory, regulatory and contractual requirements (Sec Control)
  • โœ“5.32 Intellectual property rights (Sec Control)
  • โœ“5.34 Privacy and protection of personal identifiable information (PII) (Sec Control)
View 34 more 5 Organizational Controls (Sec Control) controls

CC4 MONITORING ACTIVITIES

  • โœ“CC4.2 COSO Principle 17 (Communicating Internal Control Deficiencies)
  • โœ“CC4.1 COSO Principle 16 (Evaluating Internal Control)

CC4 MONITORING ACTIVITIES

  • โœ“CC4.2 COSO Principle 17 (Communicating Internal Control Deficiencies)
  • โœ“CC4.1 COSO Principle 16 (Evaluating Internal Control)

Oversight (GV.OV)

  • โœ“Reviewing Cybersecurity Risk Strategy
  • โœ“Cybersecurity Strategy for Organization Needs
  • โœ“Evaluating Cybersecurity Risk Performance

CC5 CONTROL ACTIVITIES

  • โœ“CC5.2 COSO Principle 11 (Technology-based Control Activities)
  • โœ“CC5.1 COSO Principle 10 (Control Activities for Risk Mitigation)
  • โœ“CC5.3 COSO Principle 12 (Policies and Procedures for Control Activities)

Policy (GV.PO)

  • โœ“Cybersecurity Risk Management Policy
  • โœ“Enforcement of Cybersecurity Risk Policy

5 Organizational Controls (Sec Control)

  • โœ“5.2 Information security roles and responsibilities (Sec Control)
  • โœ“5.35 Independent review of information security (Sec Control)
  • โœ“5.14 Information transfer (Sec Control)
  • โœ“5.23 Information security for use of cloud services (Sec Control)
  • โœ“5.21 Managing information security in the ICT supply chain (Sec Control)
  • โœ“5.26 Response to information security incidents (Sec Control)
  • โœ“5.36 Compliance with policies, rules and standards for information security (Sec Control)
  • โœ“5.19 Information security in supplier relationships (Sec Control)
  • โœ“5.22 Monitoring, review and change management of supplier services (Sec Control)
  • โœ“5.10 Acceptable use of information and other associated assets (Sec Control)
  • โœ“5.29 Information security during disruption (Sec Control)
  • โœ“5.33 Protection of records (Sec Control)
  • โœ“5.37 Documented operating procedures (Sec Control)
  • โœ“5.1 Policies for information security - (Sec Control)
  • โœ“5.3 Segregation of duties (Sec Control)
  • โœ“5.8 Information security in project management (Sec Control)
  • โœ“5.5 Contact with authorities (Sec Control)
  • โœ“5.4 Management responsibilities (Sec Control)
  • โœ“5.6 Contact with special interest groups (Sec Control)
  • โœ“5.7 Threat intelligence (Sec Control)
  • โœ“5.9 Inventory of information and other associated assets (Sec Control)
  • โœ“5.13 Labelling of information (Sec Control)
  • โœ“5.11 Return of assets (Sec Control)
  • โœ“5.12 Classification of information (Sec Control)
  • โœ“5.17 Authentication information (Sec Control)
  • โœ“5.15 Access control (Sec Control)
  • โœ“5.16 Identity management (Sec Control)
  • โœ“5.18 Access rights (Sec Control)
  • โœ“5.20 Addressing information security within supplier agreements (Sec Control)
  • โœ“5.27 Learning from information security incidents (Sec Control)
  • โœ“5.24 Information security incident management planning and preparation (Sec Control)
  • โœ“5.25 Assessment and decision on information security events (Sec Control)
  • โœ“5.28 Collection of evidence (Sec Control)
  • โœ“5.30 ICT readiness for business continuity (Sec Control)
  • โœ“5.31 Legal, statutory, regulatory and contractual requirements (Sec Control)
  • โœ“5.32 Intellectual property rights (Sec Control)
  • โœ“5.34 Privacy and protection of personal identifiable information (PII) (Sec Control)
View 34 more 5 Organizational Controls (Sec Control) controls

6 People Controls (Sec Control)

  • โœ“6.5 Responsibilities after termination or change of employment (Sec Control)
  • โœ“6.8 Information security event reporting (Sec Control)
  • โœ“6.6 Confidentiality or non-disclosure agreements (Sec Control)
  • โœ“6.1 Screening (Sec Control)
  • โœ“6.4 Disciplinary process (Sec Control)
  • โœ“6.2 Terms and conditions of employment (Sec Control)
  • โœ“6.3 Information security awareness, education and training (Sec Control)
  • โœ“6.7 Remote working (Sec Control)
View 5 more 6 People Controls (Sec Control) controls

CC6 LOGICAL AND PHYSICAL ACCESS CONTROLS

  • โœ“CC6.2 User Registration and Deprovisioning
  • โœ“CC6.4 Physical Access Restriction
  • โœ“CC6.3 Access Authorization and Modification
  • โœ“CC6.6 Logical Access Security Measures
  • โœ“CC6.1 Logical Access Security
  • โœ“CC6.5 Decommissioning of Physical Assets
  • โœ“CC6.7 Information Transmission, Movement, and Removal
  • โœ“CC6.8 Malicious Software Prevention and Detection
View 5 more CC6 LOGICAL AND PHYSICAL ACCESS CONTROLS controls

CC6 LOGICAL AND PHYSICAL ACCESS CONTROLS

  • โœ“CC6.4 Physical Access Restriction
  • โœ“CC6.2 User Registration and Deprovisioning
  • โœ“CC6.1 Logical Access Security
  • โœ“CC6.3 Access Authorization and Modification
  • โœ“CC6.6 Logical Access Security Measures
  • โœ“CC6.5 Decommissioning of Physical Assets
  • โœ“CC6.7 Information Transmission, Movement, and Removal
  • โœ“CC6.8 Malicious Software Prevention and Detection
View 5 more CC6 LOGICAL AND PHYSICAL ACCESS CONTROLS controls

CC7 SYSTEM OPERATIONS

  • โœ“CC7.2 Anomaly Detection and Analysis
  • โœ“CC7.4 Incident Response
  • โœ“CC7.1 Configuration and Vulnerability Monitoring
  • โœ“CC7.3 Security Incident Evaluation
  • โœ“CC7.5 Incident Recovery
View 2 more CC7 SYSTEM OPERATIONS controls

CC7 SYSTEM OPERATIONS

  • โœ“CC7.2 Anomaly Detection and Analysis
  • โœ“CC7.4 Incident Response
  • โœ“CC7.1 Configuration and Vulnerability Monitoring
  • โœ“CC7.3 Security Incident Evaluation
  • โœ“CC7.5 Incident Recovery
View 2 more CC7 SYSTEM OPERATIONS controls

CC7 SYSTEM OPERATIONS

  • โœ“CC7.2 Anomaly Detection and Analysis
  • โœ“CC7.4 Incident Response
  • โœ“CC7.1 Configuration and Vulnerability Monitoring
  • โœ“CC7.3 Security Incident Evaluation
  • โœ“CC7.5 Incident Recovery
View 2 more CC7 SYSTEM OPERATIONS controls

8 Operation (Mandatory Clause)

  • โœ“8.1 Operational planning and control
  • โœ“8.3 Information security risk treatment
  • โœ“8.2 Information security risk assessment

Asset Management (ID.AM)

  • โœ“Lifecycle Management of Systems and Assets
  • โœ“Data and Metadata Inventory Management
  • โœ“Organizational Software, Services, and Systems Management
  • โœ“Supplier Services Inventory Management
  • โœ“Network Communication and Data Flow Maintenance
  • โœ“Organizational Hardware Inventory Management
  • โœ“Asset Prioritization
View 4 more Asset Management (ID.AM) controls

8 Operation (Mandatory Clause)

  • โœ“8.1 Operational planning and control
  • โœ“8.2 Information security risk assessment
  • โœ“8.3 Information security risk treatment

Identity Management, Authentication, and Access Control (PR.AA)

  • โœ“Proofing and Binding Identities to Credentials
  • โœ“User, Service, and Hardware Identities
  • โœ“Identity Assertions Verification
  • โœ“Management of Access Permissions
  • โœ“Authentication of Users, Services, and Hardware
  • โœ“Management of Physical Asset Access
View 3 more Identity Management, Authentication, and Access Control (PR.AA) controls

8 Technological controls (Sec Control)

  • โœ“8.27 Secure system architecture and engineering principles (Sec Control)
  • โœ“8.24 Use of cryptography (Sec Control)
  • โœ“8.33 Test information (Sec Control)
  • โœ“8.3 Information access restriction (Sec Control)
  • โœ“8.17 Clock synchronization (Sec Control)
  • โœ“8.14 Redundancy of information processing facilities (Sec Control)
  • โœ“8.32 Change management (Sec Control)
  • โœ“8.29 Security testing in development and acceptance (Sec Control)
  • โœ“8.34 Protection of information systems during audit testing (Sec Control)
  • โœ“8.16 Monitoring activities (Sec Control)
  • โœ“8.1 User end point devices (Sec Control)
  • โœ“8.6 Capacity management (Sec Control)
  • โœ“8.15 Logging (Sec Control)
  • โœ“8.23 Web filtering (Sec Control)
  • โœ“8.19 Installation of software on operational systems (Sec Control)
  • โœ“8.22 Segregation of networks (Sec Control)
  • โœ“8.18 Use of privileged utility programs (Sec Control)
  • โœ“8.2 Privileged access rights (Sec Control)
  • โœ“8.11 Data masking (Sec Control)
  • โœ“8.4 Access to source code (Sec Control)
  • โœ“8.9 Configuration management (Sec Control)
  • โœ“8.30 Outsourced development (Sec Control)
  • โœ“8.31 Separation of development, test and production environments (Sec Control)
  • โœ“8.7 Protection against malware (Sec Control)
  • โœ“8.5 Secure authentication (Sec Control)
  • โœ“8.10 Information deletion (Sec Control)
  • โœ“8.28 Secure coding (Sec Control)
  • โœ“8.13 Information backup (Sec Control)
  • โœ“8.8 Management of technical vulnerabilities (Sec Control)
  • โœ“8.20 Networks security (Sec Control)
  • โœ“8.25 Secure development life cycle (Sec Control)
  • โœ“8.26 Application security requirements (Sec Control)
  • โœ“8.21 Security of network services (Sec Control)
  • โœ“8.12 Data leakage prevention (Sec Control)
View 31 more 8 Technological controls (Sec Control) controls

Risk Assessment (ID.RA)

  • โœ“Assessment of Threat Impacts and Likelihoods
  • โœ“Management of Changes and Exceptions
  • โœ“Identification of Internal and External Threats
  • โœ“Inherent Risk and Prioritizing Responses
  • โœ“Receipt of Cyber Threat Intelligence
  • โœ“Identification of Vulnerabilities
  • โœ“Prioritizing and Planning Risk Responses
  • โœ“Vulnerability Disclosure Response Processes
  • โœ“Hardware and Software Integrity
  • โœ“Assessment of Critical Suppliers
View 7 more Risk Assessment (ID.RA) controls

Data Security (PR.DS)

  • โœ“Protection of Data-in-Transit
  • โœ“Protection of Data-at-Rest
  • โœ“Protection of Data-in-Use
  • โœ“Management and Testing of Data Backups
View 1 more Data Security (PR.DS) controls

A1 Additional Criteria for Availability

  • โœ“A1.3 Disaster Recovery Testing
  • โœ“A1.1 Capacity Management
  • โœ“A1.2 Environmental and Operational Resilience

CC5 CONTROL ACTIVITIES

  • โœ“CC5.1 COSO Principle 10 (Control Activities for Risk Mitigation)
  • โœ“CC5.2 COSO Principle 11 (Technology-based Control Activities)
  • โœ“CC5.3 COSO Principle 12 (Policies and Procedures for Control Activities)

CC5 CONTROL ACTIVITIES

  • โœ“CC5.1 COSO Principle 10 (Control Activities for Risk Mitigation)
  • โœ“CC5.2 COSO Principle 11 (Technology-based Control Activities)
  • โœ“CC5.3 COSO Principle 12 (Policies and Procedures for Control Activities)

8 Technological controls (Sec Control)

  • โœ“8.6 Capacity management (Sec Control)
  • โœ“8.27 Secure system architecture and engineering principles (Sec Control)
  • โœ“8.32 Change management (Sec Control)
  • โœ“8.16 Monitoring activities (Sec Control)
  • โœ“8.17 Clock synchronization (Sec Control)
  • โœ“8.3 Information access restriction (Sec Control)
  • โœ“8.29 Security testing in development and acceptance (Sec Control)
  • โœ“8.34 Protection of information systems during audit testing (Sec Control)
  • โœ“8.4 Access to source code (Sec Control)
  • โœ“8.11 Data masking (Sec Control)
  • โœ“8.33 Test information (Sec Control)
  • โœ“8.14 Redundancy of information processing facilities (Sec Control)
  • โœ“8.23 Web filtering (Sec Control)
  • โœ“8.19 Installation of software on operational systems (Sec Control)
  • โœ“8.22 Segregation of networks (Sec Control)
  • โœ“8.24 Use of cryptography (Sec Control)
  • โœ“8.2 Privileged access rights (Sec Control)
  • โœ“8.9 Configuration management (Sec Control)
  • โœ“8.30 Outsourced development (Sec Control)
  • โœ“8.31 Separation of development, test and production environments (Sec Control)
  • โœ“8.1 User end point devices (Sec Control)
  • โœ“8.7 Protection against malware (Sec Control)
  • โœ“8.18 Use of privileged utility programs (Sec Control)
  • โœ“8.15 Logging (Sec Control)
  • โœ“8.28 Secure coding (Sec Control)
  • โœ“8.5 Secure authentication (Sec Control)
  • โœ“8.10 Information deletion (Sec Control)
  • โœ“8.8 Management of technical vulnerabilities (Sec Control)
  • โœ“8.13 Information backup (Sec Control)
  • โœ“8.20 Networks security (Sec Control)
  • โœ“8.25 Secure development life cycle (Sec Control)
  • โœ“8.26 Application security requirements (Sec Control)
  • โœ“8.21 Security of network services (Sec Control)
  • โœ“8.12 Data leakage prevention (Sec Control)
View 31 more 8 Technological controls (Sec Control) controls

P4 Privacy Criteria Related to Use, Retention, and Disposal

  • โœ“P4.1 Purpose-Bound Personal Information Usage
  • โœ“P4.2 Privacy-Aligned Personal Information Retention
  • โœ“P4.3 Privacy-Compliant Personal Information Disposal

Incident Analysis (RS.AN)

  • โœ“Integrity of Investigation Records
  • โœ“Incident Analysis & Root Cause Establishment
  • โœ“Estimation of Incident Magnitude
  • โœ“Preservation of Incident Data
View 1 more Incident Analysis (RS.AN) controls

Oversight (GV.OV)

  • โœ“Reviewing Cybersecurity Risk Strategy
  • โœ“Cybersecurity Strategy for Organization Needs
  • โœ“Evaluating Cybersecurity Risk Performance

A1 Additional Criteria for Availability

  • โœ“A1.1 Capacity Management
  • โœ“A1.3 Disaster Recovery Testing
  • โœ“A1.2 Environmental and Operational Resilience

7 Physical Controls (Sec Control)

  • โœ“7.12 Cabling security (Sec Control)
  • โœ“7.10 Storage media (Sec Control)
  • โœ“7.8 Equipment siting and protection (Sec Control)
  • โœ“7.3 Securing offices, rooms and facilities (Sec Control)
  • โœ“7.5 Protecting against physical and environmental threats (Sec Control)
  • โœ“7.7 Clear desk and clear screen (Sec Control)
  • โœ“7.2 Physical entry (Sec Control)
  • โœ“7.4 Physical security monitoring (Sec Control)
  • โœ“7.11 Supporting utilities (Sec Control)
  • โœ“7.1 Physical security perimeters (Sec Control)
  • โœ“7.13 Equipment maintenance (Sec Control)
  • โœ“7.9 Security of assets off-premises (Sec Control)
  • โœ“7.6 Working in secure areas (Sec Control)
  • โœ“7.14 Secure disposal or re-use of equipment (Sec Control)
View 11 more 7 Physical Controls (Sec Control) controls

7 Physical Controls (Sec Control)

  • โœ“7.11 Supporting utilities (Sec Control)
  • โœ“7.10 Storage media (Sec Control)
  • โœ“7.3 Securing offices, rooms and facilities (Sec Control)
  • โœ“7.7 Clear desk and clear screen (Sec Control)
  • โœ“7.12 Cabling security (Sec Control)
  • โœ“7.4 Physical security monitoring (Sec Control)
  • โœ“7.5 Protecting against physical and environmental threats (Sec Control)
  • โœ“7.8 Equipment siting and protection (Sec Control)
  • โœ“7.1 Physical security perimeters (Sec Control)
  • โœ“7.2 Physical entry (Sec Control)
  • โœ“7.13 Equipment maintenance (Sec Control)
  • โœ“7.9 Security of assets off-premises (Sec Control)
  • โœ“7.6 Working in secure areas (Sec Control)
  • โœ“7.14 Secure disposal or re-use of equipment (Sec Control)
View 11 more 7 Physical Controls (Sec Control) controls

A1 Additional Criteria for Availability

  • โœ“A1.1 Capacity Management
  • โœ“A1.3 Disaster Recovery Testing
  • โœ“A1.2 Environmental and Operational Resilience

CC9 RISK MITIGATION

  • โœ“CC9.1 Business Continuity and Resilience
  • โœ“CC9.2 Vendor and Partner Risk Management

10 Improvement (Mandatory Clause)

  • โœ“10.2 Nonconformity and corrective action
  • โœ“10.1 Continual improvement

Incident Recovery Communication (RC.CO)

  • โœ“Communication of Recovery Progress
  • โœ“Public Updates on Incident Recovery

Incident Recovery Communication (RC.CO)

  • โœ“Public Updates on Incident Recovery
  • โœ“Communication of Recovery Progress

CC9 RISK MITIGATION

  • โœ“CC9.1 Business Continuity and Resilience
  • โœ“CC9.2 Vendor and Partner Risk Management

10 Improvement (Mandatory Clause)

  • โœ“10.2 Nonconformity and corrective action
  • โœ“10.1 Continual improvement

CC9 RISK MITIGATION

  • โœ“CC9.1 Business Continuity and Resilience
  • โœ“CC9.2 Vendor and Partner Risk Management

P2 Privacy Criteria Related to Choice and Consent

  • โœ“P2.1 Privacy Choices and Consent:

Asset Management (ID.AM)

  • โœ“Organizational Software, Services, and Systems Management
  • โœ“Network Communication and Data Flow Maintenance
  • โœ“Data and Metadata Inventory Management
  • โœ“Lifecycle Management of Systems and Assets
  • โœ“Organizational Hardware Inventory Management
  • โœ“Supplier Services Inventory Management
  • โœ“Asset Prioritization
View 4 more Asset Management (ID.AM) controls

P2 Privacy Criteria Related to Choice and Consent

  • โœ“P2.1 Privacy Choices and Consent:

Continuous Monitoring (DE.CM)

  • โœ“Physical Environment Monitoring
  • โœ“External Service Provider Monitoring
  • โœ“Computing Hardware and Software Monitoring
  • โœ“Personnel and Technology Event Monitoring
  • โœ“Network Event Monitoring
View 2 more Continuous Monitoring (DE.CM) controls

P2 Privacy Criteria Related to Choice and Consent

  • โœ“P2.1 Privacy Choices and Consent:

P1 Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy

  • โœ“P1.1 Privacy Notice

Cybersecurity Supply Chain Risk Management (GV.SC)

  • โœ“Post-Agreement Cybersecurity Risk Management
  • โœ“Supplier Prioritization
  • โœ“Risk Planning for Third-Party Relationships
  • โœ“Coordination of Cybersecurity Roles
  • โœ“Cybersecurity Supply Chain Risk Management
  • โœ“Integration of Supply Chain Risk Management
  • โœ“Cybersecurity Risk Requirements in Supply Chain
  • โœ“Supplier Risk Assessment and Response
  • โœ“Inclusion of Third Parties in Incident Planning
  • โœ“Supply Chain Security Practices
View 7 more Cybersecurity Supply Chain Risk Management (GV.SC) controls

P1 Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy

  • โœ“P1.1 Privacy Notice

P1 Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy

  • โœ“P1.1 Privacy Notice

Incident Response Reporting and Communication (RS.CO)

  • โœ“Sharing Information with Stakeholders
  • โœ“Incident Notification to Stakeholders

P5 Privacy Criteria Related to Access

  • โœ“P5.1 Managed Data Subject Access to Personal Information
  • โœ“P5.2 Managed Data Subject Access to Personal Information

Continuous Monitoring (DE.CM)

  • โœ“Physical Environment Monitoring
  • โœ“Personnel and Technology Event Monitoring
  • โœ“External Service Provider Monitoring
  • โœ“Network Event Monitoring
  • โœ“Computing Hardware and Software Monitoring
View 2 more Continuous Monitoring (DE.CM) controls

P5 Privacy Criteria Related to Access

  • โœ“P5.1 Managed Data Subject Access to Personal Information
  • โœ“P5.2 Managed Data Subject Access to Personal Information

P5 Privacy Criteria Related to Access

  • โœ“P5.1 Managed Data Subject Access to Personal Information
  • โœ“P5.2 Managed Data Subject Access to Personal Information

Cybersecurity Supply Chain Risk Management (GV.SC)

  • โœ“Inclusion of Third Parties in Incident Planning
  • โœ“Coordination of Cybersecurity Roles
  • โœ“Supplier Prioritization
  • โœ“Cybersecurity Supply Chain Risk Management
  • โœ“Risk Planning for Third-Party Relationships
  • โœ“Cybersecurity Risk Requirements in Supply Chain
  • โœ“Supplier Risk Assessment and Response
  • โœ“Post-Agreement Cybersecurity Risk Management
  • โœ“Integration of Supply Chain Risk Management
  • โœ“Supply Chain Security Practices
View 7 more Cybersecurity Supply Chain Risk Management (GV.SC) controls

CC8 CHANGE MANAGEMENT

  • โœ“CC8.1 Managing Changes

CC8 CHANGE MANAGEMENT

  • โœ“CC8.1 Managing Changes

CC8 CHANGE MANAGEMENT

  • โœ“CC8.1 Managing Changes

Incident Recovery Plan Execution (RC.RP)

  • โœ“Recovery Actions Selection and Prioritization
  • โœ“Post-Incident Operational Norms
  • โœ“Incident Response Recovery Plan Execution
  • โœ“Incident Recovery Documentation
  • โœ“Verification of Restoration Asset Integrity
  • โœ“Verification and Restoration of Assets
View 3 more Incident Recovery Plan Execution (RC.RP) controls

Incident Recovery Plan Execution (RC.RP)

  • โœ“Recovery Actions Selection and Prioritization
  • โœ“Incident Response Recovery Plan Execution
  • โœ“Incident Recovery Documentation
  • โœ“Verification of Restoration Asset Integrity
  • โœ“Post-Incident Operational Norms
  • โœ“Verification and Restoration of Assets
View 3 more Incident Recovery Plan Execution (RC.RP) controls

Incident Management (RS.MA)

  • โœ“Incident Categorization and Prioritization
  • โœ“Incident Escalation
  • โœ“Incident Report Validation
  • โœ“Incident Recovery Criteria Application
  • โœ“Incident Response Coordination
View 2 more Incident Management (RS.MA) controls

PI1 Additonal Criteria for Processing Integrity

  • โœ“PI1.5 Information Storage and Retention Controls
  • โœ“PI1.4 System Output Controls
  • โœ“PI1.1 Information Quality and Communication
  • โœ“PI1.3 System Processing Controls
  • โœ“PI1.2 System Input Controls
View 2 more PI1 Additonal Criteria for Processing Integrity controls

PI1 Additonal Criteria for Processing Integrity

  • โœ“PI1.4 System Output Controls
  • โœ“PI1.1 Information Quality and Communication
  • โœ“PI1.5 Information Storage and Retention Controls
  • โœ“PI1.2 System Input Controls
  • โœ“PI1.3 System Processing Controls
View 2 more PI1 Additonal Criteria for Processing Integrity controls

PI1 Additonal Criteria for Processing Integrity

  • โœ“PI1.4 System Output Controls
  • โœ“PI1.1 Information Quality and Communication
  • โœ“PI1.5 Information Storage and Retention Controls
  • โœ“PI1.2 System Input Controls
  • โœ“PI1.3 System Processing Controls
View 2 more PI1 Additonal Criteria for Processing Integrity controls

Incident Management (RS.MA)

  • โœ“Incident Categorization and Prioritization
  • โœ“Incident Escalation
  • โœ“Incident Report Validation
  • โœ“Incident Recovery Criteria Application
  • โœ“Incident Response Coordination
View 2 more Incident Management (RS.MA) controls

Incident Mitigation (RS.MI)

  • โœ“Incident Containment
  • โœ“Incident Eradication

P3 Privacy Criteria Related to Collection

  • โœ“P3.1 Aligned Personal Information Collection
  • โœ“P3.2 Transparent Consent Management for Personal Information

Incident Mitigation (RS.MI)

  • โœ“Incident Eradication
  • โœ“Incident Containment

P3 Privacy Criteria Related to Collection

  • โœ“P3.1 Aligned Personal Information Collection
  • โœ“P3.2 Transparent Consent Management for Personal Information

P3 Privacy Criteria Related to Collection

  • โœ“P3.1 Aligned Personal Information Collection
  • โœ“P3.2 Transparent Consent Management for Personal Information

Improvement (ID.IM)

  • โœ“Operational Processes
  • โœ“Incident Response and Cybersecurity Plans
  • โœ“Identifying Improvements from Evaluations
  • โœ“Security Tests and Exercises
View 1 more Improvement (ID.IM) controls

Improvement (ID.IM)

  • โœ“Incident Response and Cybersecurity Plans
  • โœ“Operational Processes
  • โœ“Identifying Improvements from Evaluations
  • โœ“Security Tests and Exercises
View 1 more Improvement (ID.IM) controls

Awareness and Training (PR.AT)

  • โœ“Providing Awareness and Training for Specialized Roles
  • โœ“Providing Awareness and Training for General Tasks

Awareness and Training (PR.AT)

  • โœ“Providing Awareness and Training for Specialized Roles
  • โœ“Providing Awareness and Training for General Tasks

Platform Security (PR.PS)

  • โœ“Generation and Availability of Log Records
  • โœ“Maintenance of Software
  • โœ“Unauthorized Software Prevention
  • โœ“Configuration Management Practices
  • โœ“Maintenance of Hardware
  • โœ“Secure Software Development Integration
View 3 more Platform Security (PR.PS) controls

Platform Security (PR.PS)

  • โœ“Generation and Availability of Log Records
  • โœ“Unauthorized Software Prevention
  • โœ“Maintenance of Software
  • โœ“Configuration Management Practices
  • โœ“Maintenance of Hardware
  • โœ“Secure Software Development Integration
View 3 more Platform Security (PR.PS) controls

Technology Infrastructure Resilience (PR.IR)

  • โœ“Network and Environment Protection
  • โœ“Resource Capacity Maintenance
  • โœ“Technology Asset Protection
  • โœ“Resilience Mechanism Implementation
View 1 more Technology Infrastructure Resilience (PR.IR) controls

Technology Infrastructure Resilience (PR.IR)

  • โœ“Network and Environment Protection
  • โœ“Resource Capacity Maintenance
  • โœ“Technology Asset Protection
  • โœ“Resilience Mechanism Implementation
View 1 more Technology Infrastructure Resilience (PR.IR) controls

Adverse Event Analysis (DE.AE)

  • โœ“Adverse Event Information Provision
  • โœ“Cyber Threat Integration
  • โœ“Incident Declaration
  • โœ“Information Correlation
  • โœ“Impact and Scope Understanding
  • โœ“Potential Adverse Event Analysis
View 3 more Adverse Event Analysis (DE.AE) controls

Adverse Event Analysis (DE.AE)

  • โœ“Potential Adverse Event Analysis
  • โœ“Cyber Threat Integration
  • โœ“Adverse Event Information Provision
  • โœ“Impact and Scope Understanding
  • โœ“Information Correlation
  • โœ“Incident Declaration
View 3 more Adverse Event Analysis (DE.AE) controls
Compliance scope

Which products are covered?

Here you'll find which certifications apply to each Good Company product. Cells marked N/A are out of scope; In progress means an audit is currently underway.
ProductSOC 2
APIโœ“
Webappโœ“
Resources

Documents & reports

Public documents are downloadable directly. Sensitive reports are released via an access request โ€” usually approved within one business day.

๐Ÿ“„
Compliance
Screenshot 2026-01-16 at 3.31.png
47.0 KB ๐Ÿ”’ Request only
๐Ÿ“„
Compliance
Screenshot 2026-03-04 at 1.31.png
3.9 KB ๐ŸŒ Public

Request access