IT general controls typically included, but not limited to, if applicable, in a SOC 1:
• Control Environment & Risk Assessment – controls around organization structure; policies and acknowledgements; employee background checks; management meetings/risk assessment
• Physical Access – controls around physical access (understanding if servers are onsite or if third-party data centers are used)
• Logical Access & Security – controls around logical access granted, modified, and removed, as well as privileged; passwords; websites; infrastructure (firewalls, SFTP, VPN, AV)
• System Monitoring – controls around monitoring software and subservice organization monitoring, if applicable
• System Change Management – controls around process for internally-developed software (authorization, testing, approval, segregation of duties, source code); patching; infrastructure changes
• Backup and Recovery – controls around the backup process (configurations, alerts, logs)