Trust Services Criteria Mapping
Document ID: SOC-002
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Last updated: March 2026
Next review: June 2026
Common Criteria (Security) — CC
CC1: Control Environment
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| CC1.1 | Entity demonstrates commitment to integrity and ethical values | ✅ Met | Information Security Policy; Code of conduct in employment contracts | Signed policy; employment contracts |
| CC1.2 | Board/management oversight of security | ✅ Met | Jan Marc Castlunger (ISO) oversees ISMS; annual Management Review | Management review minutes |
| CC1.3 | Management establishes authority and responsibility | ✅ Met | Roles defined in Security Policy Section 1.5 | RACI in policy document |
| CC1.4 | Entity demonstrates commitment to competence | ✅ Met | HR Security Procedure; annual training | Training completion records |
| CC1.5 | Entity holds individuals accountable | ✅ Met | Disciplinary process in HR procedure; quarterly reviews | Employment contracts; review records |
CC2: Communication and Information
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| CC2.1 | Entity uses relevant, quality information | ✅ Met | Azure Monitor dashboards; security metrics in management review | Dashboard screenshots; review minutes |
| CC2.2 | Entity communicates internally | ✅ Met | Security policies accessible via ISMS portal; training programme | Portal access logs; training records |
| CC2.3 | Entity communicates externally | ✅ Met | API status page; customer breach notification process | Status page URL; IRP notification matrix |
CC3: Risk Assessment
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| CC3.1 | Entity specifies objectives | ✅ Met | Security objectives in Security Policy Section 1.2 | Approved policy |
| CC3.2 | Entity identifies and analyses risk | ✅ Met | Risk Register with 3x3 methodology | Risk register; risk assessment records |
| CC3.3 | Entity considers fraud risk | ✅ Met | API abuse monitoring; credential compromise scenarios in risk register | R01, R07 in risk register |
| CC3.4 | Entity identifies significant changes | ✅ Met | Change Management Policy; annual scope review | Change log; management review minutes |
CC4: Monitoring Activities
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| CC4.1 | Entity selects and develops monitoring activities | ✅ Met | Internal Audit Procedure; Azure Security Center | Audit schedule; alert configurations |
| CC4.2 | Entity evaluates and communicates deficiencies | ✅ Met | Corrective Action Procedure; audit reporting | CA log; audit reports |
CC5: Control Activities
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| CC5.1 | Entity selects control activities to mitigate risk | ✅ Met | Statement of Applicability; risk treatment | SoA; risk register |
| CC5.2 | Entity deploys technology controls | ✅ Met | Azure RBAC, MFA, encryption, SAST, monitoring | System configurations |
| CC5.3 | Entity deploys through policies and procedures | ✅ Met | Full policy and procedure suite documented | ISMS documentation |
CC6: Logical and Physical Access Controls
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| CC6.1 | Entity implements logical access controls | ✅ Met | Access Control Policy; RBAC; MFA | Azure AD configs; access review records |
| CC6.2 | Entity registers and authorises new users | ✅ Met | Joiner process in HR Security and Access Control | Access request records |
| CC6.3 | Entity removes access promptly | ✅ Met | Leaver checklist — 24h revocation | Offboarding records; access logs |
| CC6.4 | Entity restricts physical access | ⚠️ Partial | Cloud-only; no physical facility. Device encryption enforced | Encryption verification; asset register |
| CC6.5 | Entity protects against external threats | ✅ Met | Azure NSGs, private endpoints, DDoS protection | Network configuration; Azure Security Center |
| CC6.6 | Entity manages network security | ✅ Met | Azure VNet, NSGs, no public admin access | Network topology; firewall rules |
| CC6.7 | Entity restricts data transmission | ✅ Met | TLS 1.3; Cryptography Policy | TLS configuration; cert records |
| CC6.8 | Entity prevents malicious software | ✅ Met | Azure Defender; GitHub Advanced Security; SAST | Defender reports; scan results |
CC7: System Operations
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| CC7.1 | Entity detects vulnerabilities | ✅ Met | Automated vulnerability scanning; monthly patching | Scan reports; patch records |
| CC7.2 | Entity monitors system components | 🔄 Partially Met | Azure Monitor; AKS + Caddy 30-day rolling logs; extension to 90+ days planned Q2 2026 | Dashboard configs; log samples; gap action R12 |
| CC7.3 | Entity evaluates security events | ✅ Met | Incident Response Plan | IRP document; alert rules |
| CC7.4 | Entity responds to security incidents | ✅ Met | IRP escalation matrix; playbooks for key scenarios | IRP; incident records |
| CC7.5 | Entity recovers from incidents | ✅ Met | IRP Step 5; Business Continuity Plan | BCP; backup test records |
CC8: Change Management
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| CC8.1 | Entity manages changes to infrastructure/software | ✅ Met | Change Management Policy; GitHub PR process | PR history; change log |
CC9: Risk Mitigation
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| CC9.1 | Entity identifies and assesses risk from business partners | ✅ Met | Supplier Register with risk assessment | Supplier register; DPAs |
| CC9.2 | Entity assesses vendor risk | ✅ Met | Annual supplier review; certification verification | Review records |
Availability (A)
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| A1.1 | Entity maintains availability commitments | 🔄 In Progress | Azure auto-scaling; capacity management. Formal SLA documentation needed | Azure configs; SLA drafts |
| A1.2 | Entity protects against environmental threats | ✅ Met | Business Continuity Plan; Azure geo-redundancy | BCP; Azure region config |
| A1.3 | Entity tests recovery procedures | ✅ Met | Semi-annual backup restore tests scheduled | Test schedule; test results (pending first test) |
Processing Integrity (PI)
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| PI1.1 | Entity achieves processing objectives | 🔄 In Progress | OCR validation logic; API response validation. Formal accuracy monitoring planned | Test results; validation logs |
| PI1.2 | Entity implements quality assurance | ✅ Met | CI/CD with automated tests; code review required | Test suite; PR review records |
| PI1.3 | Entity detects processing errors | 🔄 In Progress | Azure Monitor alerts for API errors. Formal error tracking dashboard planned | Alert configs |
| PI1.4 | Entity provides outputs completely and accurately | ✅ Met | API contract testing; response schema validation | Test results |
| PI1.5 | Entity stores data completely and accurately | ✅ Met | No persistent customer data storage; transient processing only | Architecture documentation |
Confidentiality (C)
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| C1.1 | Entity identifies confidential information | ✅ Met | Data Classification Policy; Asset Register | Classification scheme; asset register |
| C1.2 | Entity disposes of confidential information | ✅ Met | ID images not persisted; GDPR deletion procedures; crypto erasure | Architecture docs; deletion procedures |
Privacy (P)
| Ref | Criteria | Status | CTW Control | Evidence |
|---|---|---|---|---|
| P1.1 | Entity provides notice about privacy practices | ✅ Met | Privacy policy on quick-id.com; DPAs with customers | Privacy policy URL; DPA copies |
| P2.1 | Entity communicates privacy choices | ✅ Met | Data processing agreements define scope | DPAs |
| P3.1 | Entity collects data for identified purposes | ✅ Met | Data minimisation; only processes what API customer sends | API documentation; data flow |
| P4.1 | Entity limits use of personal data | ✅ Met | ID images processed transiently; not used for secondary purposes | Architecture documentation |
| P4.3 | Entity retains data only as necessary | ✅ Met | No persistent storage of ID images; transient processing | Architecture docs |
| P5.1 | Entity grants access to data subjects | ✅ Met | GDPR data subject access request procedure via DPO | DSAR procedure |
| P6.1 | Entity discloses data only as authorised | ✅ Met | Data returned only to requesting API customer | API architecture; access controls |
| P7.1 | Entity maintains data quality | ✅ Met | OCR validation; no data modification | Validation logic; test results |
| P8.1 | Entity provides complaint mechanism | ✅ Met | DPO contact available; privacy@quick-id.com | Privacy policy; DPO details |
Summary
| Category | Total Criteria | Met | In Progress |
|---|---|---|---|
| Security (CC) | 33 | 32 | 1 |
| Availability (A) | 3 | 2 | 1 |
| Processing Integrity (PI) | 5 | 3 | 2 |
| Confidentiality (C) | 2 | 2 | 0 |
| Privacy (P) | 9 | 9 | 0 |
| Total | 52 | 48 | 4 |