GRCWatch
Sign inStart free trial

SOC 2 Control C1.1: Confidential Information Identification and Maintenance

SOC 2 C1.1 requires your organization to systematically identify and protect confidential information aligned with your business objectives. Without clear classification and handling procedures, sensitive data risks exposure during operations. This control forms the foundation of your confidentiality safeguards.

What this means

C1.1 mandates that your organization establishes and executes processes to identify what information qualifies as confidential based on your specific objectives and risk profile. You must then maintain this information through documented policies, secure storage, access restrictions, and lifecycle management. The control recognizes that confidentiality requirements vary by organization and data type—what's confidential for a fintech differs from a SaaS platform—so your classification scheme must reflect your actual business needs.

How to comply

  1. 1.Define confidentiality objectives tied to your business strategy and regulatory environment
  2. 2.Create a data classification framework (e.g., public, internal, confidential, restricted) with clear criteria
  3. 3.Document and communicate which information assets fall into each classification level
  4. 4.Implement technical and administrative controls to restrict access based on classification
  5. 5.Establish data handling procedures for creation, storage, transmission, and disposal of confidential information
  6. 6.Conduct regular inventories to identify unclassified or reclassified information
  7. 7.Train employees on confidentiality requirements and their role in protecting classified data
  8. 8.Monitor and audit access to confidential information to detect unauthorized viewing or removal

Evidence auditors look for

  • Data classification policy document with defined categories and criteria
  • Inventory of confidential information assets by department or system
  • Access control matrices showing which roles can view specific data classifications
  • Confidentiality training records and completion certificates
  • Data handling procedures for email, cloud storage, and file systems
  • Logs showing access to confidential information with timestamps and user details
  • Incident records documenting confidentiality breaches and response actions
  • Data retention and secure disposal procedures with execution records

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates confidential data discovery and classification by scanning your systems to identify sensitive information patterns, then maintains continuous monitoring to flag reclassifications and access anomalies—eliminating manual inventory work and reducing compliance risk.

See how GRCWatch handles this control automatically

Start free trial

Related controls

C1.2 — Confidentiality AgreementsC1.3 — Access RestrictionsC1.4 — Removal of Confidential InformationC2.1 — Availability MonitoringP2.1 — Privacy Notice