SOC Reports

• SOC (System and Organizational Controls) reports are independent attestation reports against a set of predefined criteria.
  • They are reports, not certifications, so organizations technically receive a “SOC 2 report” rather than achieve “SOC 2 compliance” (even though the shorthand is common).
• SOC reports are not security frameworks (like the NIST CSF); they simply map an organizations controls to the AICPA's criteria and evaluate how effectively they are designed and operating.

Different kinds of SOC reports

• Type 1 and Type 2 reports
  • Type 1 reports are evaluation from a point in time (e.g., April 20th)
  • Type 2 reports examine how an organization maintains controls over a time period.
• SOC 1 (Type 1/Type 2)
  • Financial audits; this is more generic and generally has to do with financial processing.
  • Organizations that handle financial data typically need a SOC 1 report.
• SOC 2 (Type 1/Type 2)
  • Security report; expands on the SOC 1 control to include security
• SOC 3 (Type 2)
  • Redacted SOC 2 Type 2 report for public release
  • In practice, may be used for marketing, at conferences, etc.
• SOC 2+
  • Expands the subject matter of the SOC 2 report to include other common frameworks and criteria.

Resources

Official

• AICPA & CIMA - Compare SOC 2®, SOC for Supply Chain, and SOC for Cybersecurity
  • You need to create an account to download resources from the AICPA main site.

Supplemental

• SOC 1 vs SOC 2 vs SOC 3: What's the Difference? - Secureframe
• SOC 2 + Additional Subject Matter (SOC2 Plus) » SOC Reporting Guide - SOC 1 | SOC 2