I suppose it depends on how detailed you want to be with it. When you look at an actual SOC 2 report, you will simply see a mapping of the Criteria (e.g. CC6.8) to the one-to-many controls that satisfy the criteria. If you’re running your program internally and relying on your auditors or some other function to complete the mapping, then that should be absolutely fine to do.
When you look at what the auditor has to do, though, the Points of Focus that I mentioned turn into their checklist to help them figure out what controls need to be there. For CC6.8, which you listed, there are 5 things that they are supposed to consider/look at to determine whether you “pass” CC6.8. Thus, in their work papers they will link Criteria -> Point of Focus -> Control; so, if you want, you could do the associations that way yourself. I’m probably overcomplicating this for you - below are the Points of Focus for CC6.8. I’ve also uploaded a file that you can easily make into a Compliance Package here if you want to work with it.
- Restricts Application and Software Installation—The ability to install applications and software is restricted to authorized individuals.
- Detects Unauthorized Changes to Software and Configuration Parameters—Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software.
- Uses a Defined Change Control Process—A management-defined change control process is used for the implementation of software.
- Uses Antivirus and Anti-Malware Software—Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware.
- Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software—Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.