Prodigy 13 - logo

SOC 1 vs SOC 2 vs SOC 3

SOC (Service Organization Control) audit reports are used to assess the security and control of a service provider’s system and the services they provide to their customers.

SOC 1:

  • The SOC 1 report focuses on the internal controls related to financial reporting.
  • It assesses the controls of a service provider that impact the financial statements of their clients.
  • It is meant for clients and auditors who need to understand the controls in place to support financial reporting.
  • The SOC 1 report is typically prepared in accordance with the SSAE 18 (Statement on Standards for Attestation Engagements No. 18) or ISAE 3402 (International Standard on Assurance Engagements No. 3402) standards.

SOC 2:

  • The SOC 2 report focuses on the controls related to security, availability, processing integrity, confidentiality, and privacy.
  • It assesses the controls of a service provider that protect the sensitive data and information of their clients.
  • It is meant for clients and auditors who need to understand the controls in place to protect sensitive information.
  • The SOC 2 report is typically prepared in accordance with the Trust Service Principles and Criteria set by the AICPA (American Institute of Certified Public Accountants).

In addition there are two types of SOC 2 reports: SOC 2 Type 1 and SOC 2 Type 2 reports are two types of security audits used to assess the security of a company’s information technology systems and processes.

SOC 2 Type 1 report provides a description of the company’s security controls and the design of its system at a specific point in time. The focus is on the controls in place and whether they are suitably designed to meet the security and privacy requirements set forth in the SOC 2 standard.

SOC 2 Type 2 report, on the other hand, provides evidence of the effective operation of the security controls over a specified period of time. This type of report provides a more comprehensive assessment of the security of a company’s systems and processes, and demonstrates that the controls are operating effectively to protect sensitive data.

Generally a SOC 2 Type 1 report focuses on the design of security controls, while a SOC 2 Type 2 report focuses on the effectiveness of those controls over a specified period of time. The SOC 2 Type 2 report is what most companies should focus on in order to achieve maximum security and satisfy their client requirements for compliance. At Prodigy 13 we can assist you in obtaining a Type 1 or Type 2 report (with 100% success guarantee).

SOC 3:

  • The SOC 3 report is a simplified and publicly available version of the SOC 2 report.
  • It provides a general description of the service provider’s system and the controls in place to support security, availability, processing integrity, confidentiality, and privacy.
  • Unlike SOC 1 and SOC 2 reports, SOC 3 reports can be made publicly available on a service provider’s website.
  • The SOC 3 report is typically prepared in accordance with the Trust Service Principles and Criteria set by the AICPA.

To recap, SOC 1 reports are focused on financial reporting, SOC 2 reports are focused on information security, and SOC 3 reports provide a simplified and publicly available version of the SOC 2 report.

Need help obtaining a SOC 2 security report? We can help with that! Just use the quick quote form or our live chat service and one of our security experts will get back to you shortly!

Zero Trust Blog

Get email alerts when we publish new blog articles!

more blog posts:

Cloud Security

CIS Top 18 Controls (2022)

Formerly the SANS Critical Security Controls (SANS Top 20) these are now officially called the CIS Critical Security Controls (CIS Controls).

Read More
Prodigy 13 - Zero Trust Cybersecurity
Cybersecurity

What is SAML ?

SAML is an acronym used to describe the Security Assertion Markup Language (SAML). Its primary role in online security is that it enables you to access multiple web applications using one set of login credential.

Read More