With all this talk about SOC 2, you might be wondering about the other SOC reports.
The AICPA has defined three different types of SOC reports. All three reports are important, but each serves a separate purpose around security. In this section, we’ll decipher the difference between SOC 1, SOC 2 (including the difference between SOC 2 Type 1 and SOC 2 Type 2), and SOC 3 reports.
What is a SOC 1 vs. SOC 2?
A SOC 1 (Service Organization Control 1) report is more financially focused than a SOC 2, and covers the service organization’s controls that are relevant to its customers’ financial information.
A SOC 2 helps service organizations demonstrate their cloud and data security controls. The SOC 2 covers the five areas called the Trust Services Criteria, as mentioned earlier in this guide.
SOC 2 Type 1 vs. SOC 2 Type 2
The AICPA has identified two types of SOC 2 attestation reports: SOC 2 Type 1 and SOC 2 Type 2. While both are very important frameworks, they serve different purposes.
What is SOC 2 Type 1?
A SOC 2 Type 1 report centers on a single ‘point in time’. It focuses on the description of the systems and controls, and on the ability of those controls to achieve their objectives at a specific date, e.g. June 23rd, 2019. A SOC 2 Type 1 does not show tests of the controls or their results. It simply confirms that you have controls and processes in place.
A SOC 2 Type 1 report starts with the preparation required to build all the evidence you need. This can be done internally or with the assistance of professional services experts who will guide your company through the process and what is needed. When you believe you have all the processes in place, you then engage an auditor to conduct the audit. A SOC 2 Type 1 might take 2-3 months to prepare, complete the audit, and then fix any issues raised by the auditor.
The audit will go more smoothly if you gather all the information on the controls and processes in one place, show which employee owns each process, and show that each process has been signed off. This will save your company time with the auditor.
What is a SOC 2 Type 2?
The more insightful report is the SOC 2 Type 2. Because it is a more rigorous report, it is the most commonly requested. A SOC 2 Type 2 generally applies to 12 months of history. What you demonstrate in a SOC 2 Type 2 is not only that the controls and processes are in place (as in a SOC 2 Type 1), but also that you test these controls and procedures and can show their results. This makes a SOC 2 Type 2 a much more intense check for an organization to perform than a SOC 2 Type 1. Approximately 3 to 6 months after completion of the audit, you are required to go through the SOC 2 Type 2 again, because compliance requires an ongoing demonstration of security and procedures. This continues as an annual process to maintain your SOC 2 Type 2 certification.
What is a SOC 3?
A SOC 3 report requires a similar level of effort to the SOC 2 report because the same controls are reviewed. Organizations typically generate a SOC 2 and then pay for an extra SOC 3 report to be written by the auditor. The SOC 3 is used as a more public report, whereas the SOC 2 has a limited distribution, internally and to partners, because it might include confidential material. A SOC 2 report typically requires a Non-Disclosure Agreement before it is shared with a third party. A SOC 3 report is usually not produced as an independent document.