SOC 2 CC6.2: User Registration and Authorization
CC6.2 requires your organization to formally register and authorize all users—internal and external—before they gain any system access. This foundational control prevents unauthorized access and ensures accountability across your entire user base. For SMBs managing rapid growth, automating user registration workflows is critical to maintaining compliance without manual overhead.
What this means
Before issuing credentials or granting system access, you must establish a formal process to register new users and verify their authorization. This applies to both employees and external parties (contractors, vendors, customers) whose access you control. The control ensures that only approved individuals can access your systems and that each access request is documented and authorized by appropriate stakeholders.
How to comply
- 1.Define a formal user registration process that captures required identity and role information before any system access is granted
- 2.Establish authorization workflows requiring approval from appropriate managers or system owners before credentials are issued
- 3.Maintain a centralized registry of all registered users and their authorization status
- 4.Document the authorization basis for each user (employment contract, vendor agreement, project assignment)
- 5.Implement a segregation of duties so that registration, authorization, and provisioning activities are not performed by the same individual
- 6.Require periodic review and reauthorization of active user accounts to ensure access remains appropriate
- 7.Communicate authorization decisions to relevant parties and maintain records of approvals
Evidence auditors look for
- User registration forms signed by authorized approvers
- Authorization matrix or access request approval logs
- Onboarding checklists documenting registration and authorization steps
- Email or ticketing system records showing approval workflow completion
- User access review reports with manager sign-off
- Vendor or contractor agreements that specify authorized system access
- Screenshots of user provisioning system showing registration timestamps and approvers
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates user registration workflows and maintains a centralized authorization matrix, automatically routing approval requests to the right stakeholders and creating the audit trail SOC 2 auditors expect—eliminating spreadsheets and manual tracking.
See how GRCWatch handles this control automatically
Start free trial