SOC 1 and SOC 2 are both compliance standards in which a licensed CPA evaluates and attests to a service company’s security controls. But where SOC 2 broadly covers service companies that handle sensitive customer data, SOC 1 focuses more specifically on financial reporting.
Some companies might benefit from becoming compliant with both standards. A business that provides payroll services via cloud software, for instance, would have reason to consider both SOC 1 and SOC 2.
SOC 1 reports focus on ‘internal control over financial reporting’, or ICFR – this covers both financial risk and the reliability of a company’s financial reporting. If a company has any impact on or purview over its customers’ finances, it might want to maintain SOC 1 compliance.
In a SOC 1 report, the company first conveys their control objectives – what they’re trying to protect, and how – and the auditor checks to see whether their security controls are effective at meeting those objectives. Once they’ve finished their audit, the CPA writes a report in which they lay out whether a company passed, including any qualifications they might have.
SOC 1 reports come in two forms. A SOC 1 Type I report pertains to a specific date in time. A Type II report, on the other hand, covers a longer period, typically spanning six to twelve months.
Most companies opt for Type II reporting to maintain ongoing compliance. But Type I has a significant upside: because it pertains to a single date, it can be accomplished much more quickly than a Type II report. For this reason, many companies get a Type I report on their way to attaining ongoing Type II reporting. As an added bonus, the Type I report will often highlight any concerns that might need to be addressed on the way to long-term, Type II compliance.
The SOC 2 compliance standard covers service businesses, especially those that handle sensitive customer data over the cloud. In a SOC 2 audit, a CPA audits the company in question based on five trust services criteria:
- Security describes a company’s ability to protect data and systems from unauthorized access. It is the most commonly evaluated of all the trust services criteria.
- Availability entails how much of the time the service performs as intended. This means that the service is not only usable, but meets the expectations a company sets in contracts with clientele. If it takes ten minutes to load the service, for instance, that may be considered an unacceptable level of availability, even if it is still technically usable.
- Processing integrity refers to the company’s ability to keep data from being manipulated or tampered with, and the service’s ability to function without errors or other mishaps.
- Confidentiality refers to the company’s ability to restrict access to and protect sensitive data.
- Privacy describes a company’s ability to protect personally identifiable information pertaining to their customers.
A SOC 2 audit doesn’t have to cover all five trust services criteria, and many businesses will ask their auditor to focus the SOC 2 report entirely on security.
Just as in a SOC 1 report, there are two types of SOC 2 reports. These even break down along the same lines: where a SOC 2 Type I report describes a company’s security systems as of a specific date, a Type II report covers a longer period, usually spanning six to twelve months.
For more information, see our full guide to SOC 2 compliance.
SOC 1 vs SOC 2: A Comparison
As you can see, SOC 1 and SOC 2 share some major similarities. Both standards are overseen by the AICPA, must be performed by a licensed CPA, and come in two types. Neither compliance standard is strictly required by law, though many clients, investors, and other stakeholders will require the companies they work with to maintain compliance with one of these two standards.
The biggest difference between these two reports is what they cover. SOC 1 largely addresses financial reporting, whereas SOC 2 pertains primarily to service businesses that handle customer data over the cloud. A company might benefit from one or the other – or, in some cases, a company may need to maintain compliance with both standards on an ongoing basis.