GRCWatch
Sign inStart free trial

SOC 2 CC2.1: Obtaining and Using Quality Information

CC2.1 requires your organization to obtain, generate, and actively use relevant, quality information to support your internal control system. Without accurate, timely information flowing through your operations, even well-designed controls fail. This control ensures your team has the right data to make informed decisions and maintain compliance.

What this means

CC2.1 establishes that effective internal controls depend on quality information. This means identifying what information your organization needs, ensuring it's accurate and timely, and making it accessible to the right people. Quality information includes financial data, operational metrics, compliance records, and system logs that support decision-making and control execution. The control recognizes that information is a foundational asset—without it, controls become ineffective.

How to comply

  1. 1.Identify all information requirements necessary for your internal controls to function effectively across finance, operations, compliance, and security
  2. 2.Establish data quality standards defining accuracy, completeness, timeliness, and relevance for each information category
  3. 3.Implement systems and processes to capture, generate, and maintain information according to your quality standards
  4. 4.Define ownership and accountability for data quality at each stage of collection and processing
  5. 5.Create mechanisms to distribute quality information to appropriate personnel who need it for control execution
  6. 6.Monitor information quality continuously and address deficiencies or gaps immediately
  7. 7.Document your information quality policies, standards, and responsibilities in your control procedures

Evidence auditors look for

  • Documented information requirements matrix mapping controls to needed data sources
  • Data quality standards and metrics specific to your organization's critical information systems
  • System logs, access controls, and audit trails demonstrating information accuracy and completeness
  • Evidence of timely reporting and distribution of quality information to control owners
  • Data validation and reconciliation reports showing ongoing quality monitoring
  • Training records for personnel on information quality expectations and procedures
  • Incident logs documenting identification and remediation of information quality failures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically captures and validates control-relevant information from your existing systems, maintaining an auditable quality record that satisfies CC2.1 requirements without manual data collection.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CC2.2 — Information ProcessingCC6.1 — Logical and Physical Access ControlsCC7.2 — System MonitoringCC9.1 — Change Management