What are SOC 1, SOC 2, and SOC 3?

  • October 16, 2020

Information security has become an integral component of building a software business, especially for companies that rely on third-party vendors such as Amazon Web Services, Google Cloud, and Microsoft Azure to store sensitive customer information. The mismanagement of a company’s data may render it vulnerable to attacks and can permanently damage its public image.

System and Organization Controls, better known as SOC 1, SOC 2, and SOC 3, were developed by the American Institute of CPAs (AICPA) as a system-level set of controls to guide service organizations. A CPA firm uses the SOC framework to audit various internal controls and generates a SOC report on the design and effectiveness of those internal controls.

What are the different types of SOC reports?

There are three different types of SOC reports.

  • SOC 1 — Internal Control over Financial Reporting (ICFR)
  • SOC 2 — Trust Services Criteria
  • SOC 3 — Trust Services Criteria for General Use Report

The SOC report that is most relevant to a company depends on the information being hosted/processed by the firm for its customers. A SOC 1 report has a financial focus. For example, if you are providing payroll processing services, SOC 1 may be required to do business. A SOC 2 report is typically requested when you are hosting/processing any other type of information for a client. SOC 3 reports are less formal in appearance than SOC 2 reports and are better suited as public marketing material for a website or white paper. There is no one-size-fits-all when it comes to SOC, since SOC controls and reports are usually unique to different service organizations.

Depending on the type of information being hosted and processed, you may be asked for both a SOC 1 report and SOC 2 report.

What is the difference between Type I and Type II?

Both SOC 1 and SOC 2 have two levels of reports specified by the Statement on Standards for Attestation Engagements (SSAE) no. 18:

  • Type I — describes a service organization's systems and whether the suitability and design of specified controls meet the relevant trust criteria. 
  • Type II — includes the above and also measures the operational effectiveness of the specified controls.

Why do customers always ask for a SOC 2?

The most commonly referenced report is the SOC 2. SaaS vendors, especially those in the enterprise and mid-market space, will commonly be asked by their customers’ legal, security, and procurement departments to provide a copy of the company’s SOC 2 report.

SOC 2 is not motivated by compliance with regulations, unlike many other frameworks such as HIPAA, GDPR, and CCPA. Instead, it is used by organizations that want to prove to their clients, and others to whom they are accountable, that they put into place internal controls to protect customer data properly.

Do I want a SOC 2 Type I or Type II?

SOC 2 Types I and II are very similar and easy to confuse. The most obvious difference is the time period covered by the reports. Type I describes the suitability and design of controls at a particular point in time. Type II covers an extended period of time, typically 6 to 12 months, and can measure how effective the controls are. This means Type II takes more time and resources, but these reasons are also why it is more valuable to your customers. Enterprise, mid-market, and other firms involved with sensitive data, such as insurance firms, often prefer to work with companies that have a SOC 2 Type II report.

For most companies, you’ll want to complete the SOC 2 Type I report first. This is because a Type I report can be completed within weeks, as opposed to the several months or a year (or more) that a SOC 2 Type II may take.

What are the SOC 2 Trust Services Criteria?

For SOC 2, there are five Trust Services Criteria that can be evaluated. Out of the five, only Security is required in order to be issued a SOC 2 report.

  • Security — Information and systems are protected against unauthorized access and unauthorized disclosure, including potentially compromising damage to systems. Information (or data) should be protected during its collection or creation, use, processing, transmission, and storage.
  • Availability — Data and systems are available for operation and use. Systems include controls to support accessibility for operation, monitoring, and maintenance.
  • Confidentiality — The organization should protect information designated as confidential (i.e. any sensitive information).
  • Processing Integrity — System processing (particularly of customer data) is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Privacy — Personal information is collected, used, retained, disclosed, and disposed of in accordance with relevant regulations and policies. 

Will I need both a SOC 1 and SOC 2 Report?

There are a number of organizations that may need both a SOC 1 and SOC 2 report. This will depend on the breadth of services provided by the organization and its customers. You may have customers requesting a SOC 1 in some instances and in other instances you may have customers requesting a SOC 2. Again, this depends on the nature of the services and the intended use by your customers. There is overlap across both, which can streamline readiness and testing.

Questions?

Reach out to [email protected] to learn more about how we can help you successfully complete a SOC 2 audit and receive your report faster!
