SOC 1 focuses on financial statements and reports.
SOC 2 focuses on customer data security, confidentiality, processing, privacy and availability.
SOC 3 focuses on SOC 2 results tailored for a general audience.
As cyber threats escalate in frequency and sophistication, securing customer data is not just a regulatory requirement, it is a cornerstone of your business integrity. Data breaches are costly, financially and in terms of customer trust and brand reputation. AICPA's SOC frameworks – SOC 1 for financial reporting, SOC 2 for data security, and SOC 3 for general disclosure – offer comprehensive guidelines for safeguarding data.
Whether through SOC 2's rigorous protection standards for cloud-stored customer data or SOC 1’s focus on financial controls, we help you align with these critical benchmarks to significantly enhance your cybersecurity.
SOC 1 is for organizations, such as collection agencies, payroll providers and payment processing companies, providing any services impacting a client’s financial statements and reports.
SOC 2 is for organizations, such as software as a service (SaaS) companies, cloud storage services and data hosting/processing providers, that store, process or transmit customer data.
SOC 3 is for organizations requiring SOC 2 compliance for marketing to the public.
Some organizations need SOC 1 and 2 reports because of their services and customers. Some customers might request SOC 1, while others desire SOC 2. There are overlaps between SOC 1 and 2 that can streamline preparedness and testing.
SOC 1 and 2 have two types of reports:
Choosing which type depends on the organization’s goals, cost and time constraints. Type I is usually faster, but Type II provides greater assurance to stakeholders.
SOC 3 reports are succinct, high-level versions of SOC 2 Type II reports for public use.
SOC 1 reports are for organizations whose internal controls could impact a customer’s financial statements or reports.
SOC 2 reports help organizations show their cloud and data center security controls, based on the Trust Services Criteria (TSC). They are private and usually only shared with customers and prospects under nondisclosure agreements (NDAs). SOC 2 is the most referenced report.
SOC 3 reports are always Type II but omit detailed descriptions of the auditor’s control tests, test procedures, results, opinions, management assertions and system descriptions. SOC 3 reports can be made public, often via the organization’s website.
While some frameworks, such as ISO/IEC 27001, have rigid requirements, SOC 2 is more flexible, with reports unique to each organization. Each organization designs its controls to comply with the Trust Services Criteria (TSC).
An independent auditor evaluates whether the organization’s controls fulfill SOC 2 requirements. The auditor writes a report for the organization, regardless of whether it passed.
1. Select report type: decide whether you want a Type I or II report.
2. Define the scope: choose between company level or a specific service, the period covered (the recommendation is at least six months) and any optional Trust Services Criteria (TSC).
3. Gap analysis: this identifies any system shortfalls so you can create a remediation plan to improve them before the formal SOC 2 audit.
4. Readiness assessment: the auditor answers any questions, then conducts the readiness assessment and gap analysis, provides recommendations and explains your chosen TSC requirements. You receive an initial report detailing the controls that will appear in your final report, their relevance to your TSC and any gaps.
5. Select an auditor: pick a Certified Public Accountant (CPA) to perform your SOC 2 audit and report.
6-7. The formal audit and report: your auditor spends the required time, from a few weeks to a few months, working with you before writing the report. These steps include a security questionnaire, evidence gathering, evaluation, follow-up and the completed report.