CC — Common Criteria (Governance & Risk Management)
CC1 — Governance Structure
Board of directors, management oversight, organizational structure defined
Evidence: Org chart, board minutes
C — Criteria for Security, Availability, Processing Integrity
C1.1 — Access Control Policy
Documented policy for granting, monitoring, revoking access rights
Evidence: Access policy document, access matrix
C2.2 — Encryption in Transit & At Rest
TLS 1.2+, encrypted database fields, encrypted backups
Evidence: TLS/SSL certificate, encryption policy, backup configuration
A.5 — Organization of Information Security
A.5.1 — Roles and Responsibilities
Define information security roles (CISO, security team, responsibilities)
Evidence: RACI matrix, role descriptions
A.12 — Operations Security
A.12.3 — Segregation of Duties
Separate development, testing, and production environments; no single user can deploy their own code to production
Evidence: Change management process, environment configs
Article 32 — Security of Processing
Data Protection by Design
Privacy embedded in system design, privacy-protective controls enabled by default, DPIA performed for high-risk processing
Evidence: DPIA reports, design documentation
Add custom controls specific to your organization.