What Is the Difference Between SOC 1 and SOC 2?
SOC 1 and SOC 2 are both System and Organization Controls (SOC) reports defined by the AICPA. Each is the product of an attestation engagement in which an independent CPA firm examines the controls of a service organization and issues an opinion on them. SOC 1 covers the controls at a service organization that are relevant to its clients' financial reporting; SOC 2 covers controls over the security, availability, processing integrity, confidentiality, and privacy of the systems and data the organization handles for its clients.

SOC 1
SOC 1 (System and Organization Controls 1, formerly Service Organization Control 1) is a report on the controls at a service organization that are relevant to its clients' internal control over financial reporting (ICFR). The report is issued by an independent CPA firm and covers the system that has been placed in scope, which may be all or only part of the organization's processes.
- SOC 1 addresses controls that affect the financial statements and reports of the organization's clients (the "user entities"), not the security of their data as such.
- It applies to organizations that provide services which may affect a client's financial reporting -- for example, payment processors, payroll providers, and other companies that process financial transactions on a client's behalf.
SOC 2
SOC 2 (System and Organization Controls 2, formerly Service Organization Control 2) is a report on the controls at a service organization as they relate to the security, availability, processing integrity, confidentiality, and privacy of the systems and data it handles for clients. Like SOC 1, the report is issued by an independent CPA firm and covers the system placed in scope, which may be all or only part of the organization's processes.
- SOC 2 addresses controls for the security, availability, processing integrity, confidentiality, and privacy of customer data; security is mandatory, the other four are included at the organization's discretion.
- It applies to organizations that store, process, or transmit customer data of any kind -- for example, SaaS companies, data hosting or processing providers, and cloud storage services.
SOC Report Types: Type I and Type II
Both SOC 1 and SOC 2 reports come in two types. A Type I report describes the organization's system and evaluates whether its controls are suitably designed as of a single point in time. A Type II report covers the same ground but also tests whether the controls operated effectively over a review period, typically between three and twelve months, so it carries more weight with customers and auditors. A Type I report may be the right choice in certain situations. For example, if you have not had formal controls in place for long, a Type I report offers a way to demonstrate that they are designed properly without waiting months for a Type II review period to elapse. If you are on a tight schedule but still need the more thorough Type II report, choosing a three-month review period may be the best compromise; a longer period can be used for later reports once the controls have been operating for a while.
What Is the SOC 2 Common Criteria List?
Organizations can choose which of the five Trust Services categories to include in the scope of a SOC 2 audit; however, every SOC 2 report must include security. The security category is defined by nine series of Common Criteria (CC1 through CC9), and the other four categories add further criteria on top of them. CC1 through CC5 are aligned with the COSO internal control framework, while CC6 through CC9 cover the technical and operational controls most security teams are responsible for.
- CC1 -- Control Environment: Does the organization value integrity and security?
- CC2 -- Communication and Information: Are policies and procedures in place to ensure security? Are they communicated effectively to both internal and external partners?
- CC3 -- Risk Assessment: Does the organization analyze risks and monitor how changes affect those risks?
- CC4 -- Monitoring of Controls: Does the organization monitor, evaluate, and communicate the effectiveness of its controls?
- CC5 -- Control Activities: Are the right controls, processes, and technologies in place to mitigate risks?
- CC6 -- Logical and Physical Access Controls: Is data protected in transit and at rest, for example by encryption? Are controls in place over who can access systems and data, how that access is provisioned and revoked, and is physical access to facilities and servers restricted?
- CC7 -- System Operations: Are systems and infrastructure monitored to detect anomalies, vulnerabilities, and security events? Are incident response and disaster recovery plans in place and exercised?
- CC8 -- Change Management: Are significant changes to systems properly tested and approved in advance?
- CC9 -- Risk Mitigation: Does the organization mitigate risk through appropriate business processes and vendor management?
What Are the Five AICPA Trust Services Criteria?
The AICPA Trust Services Criteria are organized into five categories against which an organization's controls are evaluated for a SOC 2 report: security, availability, processing integrity, confidentiality, and privacy. Security is required in every SOC 2 report; the other four are included when they are relevant to the services the organization provides and the commitments it has made to customers.
- Security -- Controls to protect against unauthorized access, both physical and logical.
- Availability -- The system is available for operation and use as committed or agreed.
- Processing Integrity -- System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality -- Information designated as confidential is protected as committed or agreed.
- Privacy -- Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice.
Conclusion
SOC 1 covers controls relevant to clients' financial reporting, while SOC 2 covers controls for the security, availability, processing integrity, confidentiality, and privacy of customer data. The AICPA Trust Services Criteria group the SOC 2 criteria into those five categories, of which security is mandatory. In either case the organization meets the criteria by having controls that are suitably designed (Type I) and that operate effectively over the review period (Type II); an independent CPA firm examines those controls against the criteria and issues the report with its opinion.