Kenneth G. Hartman bio photo

Kenneth G. Hartman

Security Consultant,  
Forensic Analyst & 
Certified SANS Instructor

Email Twitter GitHub

I am frequently asked about the difference between a SOC 1 report and a SOC 2 report and why an organization would have both. The SOC 1 replaced the SAS 70 report and was intended to be used for service providers to give to their publicly traded customers to assert that there were not any security issues at the service provider that could have a material impact on the publicly traded companies financial reporting. However, over time, the service providers were using the SAS 70 as a blanket statement about their security posture. The AICPA felt that this was a misuse of the report and saw a business opportunity, so they created a SOC 2 report and renamed the SAS 70 to a SOC 1.

A key difference between the reports is that the service provider can select individual controls for the SOC 1 and write the verbiage, whereas with a SOC 2 the service provider just gets to select which of the 5 trust principles that they will adopt and must follow all of the controls in that Trust Principle. These Trust Principles are security, availability, processing integrity confidentiality, or privacy.

A SOC 3 report is just a publicly available high-level summary of the SOC 2 report, in essence (with a separate charge from the auditor).

A Type I report can be issued for either a SOC 1 or a SOC 2 and it is a snapshot in time, as of the date the report is issued. A Type II report is over a period of time, typically since the last report was issued, but not always. Typical reporting periods are 6 months or 1 year. Often the first report is a Type 1 and then follow on reports are Type II for the period following the last report. One factoid is that the type of report is traditionally indicated in roman numerals while the Service Organization Controls report is specified with an Arabic numeral to try to reduce confusion.

Customers will typically will want a service provider to have an independent third party audit so that they do not simply have to take the service provider’s word regarding their security posture. There are lots of heated discussions on the internet regarding the fact that compliance does not equal security. Without opening that can of worms, I will just point out that if an organization is not compliant, it is almost certainly not secure.

For more information, check out the following resources: