What is SOC2 and do we need it?

SOC 2 Trust Categories

SOC II five trust categories (Formerly known as principals in SSAE-16) are:

  • Security
  • Confidentiality
  • Processing Integrity
  • Availability
  • Privacy
  • Security: Control Environment (CC1.x), Communication and Information (CC2.x), Risk Assessment (CC3.x), Monitoring Activities(CC4.x), Control Activities (CC5.x), Logical and Physical Access Controls (CC6.x), System Operations (CC7.x), Change Management (CC8.x), Risk Mitigation (CC9.x)
  • Additional criteria for Availability (A1.x)
  • Additional criteria for Confidentiality (C1.x)
  • Additional criteria for Processing Integrity (PI1.x)
  • Additional criteria for Privacy (P1.x)

Difference between SOC 1 and SOC 2

  • Per aicpa.org, SOC 2 reports “are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy.” while SOC 1 reports are on just financial controls. They handle the financial transactions that a company makes.
  • SOC 1 report is a report generated by auditors for other auditors but a SOC 2 report usually has more confidential internal information which is not supposed to be shared with anyone outside the company (Actually this statement is not always true as most of the time customers ask for the reports and if you do not share the report, they may consider another provider)

Who needs a SOC 2 report?

If you are a service provider or a service organization which stores, processes or transmits any kind of information you may need to have one if you want to be competitive in the market exactly like the decision to have an ISO 27001 certifications.
Tremendous amount of of technology and cloud computing entities are now have these reports handy and will provide it to their customers upon request.

Type 1 or Type 2?!

SOC 2 has 2 different types like SOC1. Type 1 reports cover the description of systems and suitability of design of controls (Known as criteria in SOC terminology) whereas type 2 reports have everything in type 1 reports
and the effectiveness of the controls over a period of time. Type 2 SOC 2 reports are considered more useful since the auditor verifies that the controls work in an appropriate manner over a period of time.

Why not SOC 3?

SOC 3 report is designed to be shared publicly. This report does not have the details of SOC 2 in order to make you comfortable to share it on your website to be seen by public. SOC 3 reports cover just a high level overview of information in SOC 2 reports.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ben Pournader

Ben Pournader


Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB