SOC stands for “system and organization controls,” a series of standards designed to measure how well a service organization handles and governs the information entrusted to it. The purpose of SOC standards is to give organizations confidence when they engage third-party vendors. A SOC-certified organization has been audited by an independent certified public accountant who determined that the firm has the appropriate SOC safeguards and procedures in place.
SOC 1 vs. SOC 2 vs. SOC 3
SOC concerns the internal controls in place at a third-party service organization. To receive SOC certification, a company must have policies and strategies that adequately protect its clients’ data.
SOC 1, SOC 2, and SOC 3 certifications all require a service organization to demonstrate controls governing its handling of clients and client data. Note that the SOC levels differ both in the scope of the certification and in the intended audience for the reports.
- SOC 1 reports on the service organization’s controls related to its clients’ financial reporting.
- SOC 2 reports build on the financial reporting basis of SOC 1 and also require standard operating procedures for organizational oversight, vendor management, risk management, and regulatory oversight. A SOC 2-certified service organization is appropriate for businesses whose regulators, auditors, compliance officers, business partners, and executives require documented standards.
- SOC 3 reports are a simplified version of SOC 2 reports, requiring less formalized documentation. SOC 3 reporting is appropriate for businesses with fewer regulatory oversight concerns.
The SOC 2 protocol is designed for more advanced I.T. service providers. These can include managed I.T. service providers (MSPs), cloud computing vendors, data centers, and SaaS (software-as-a-service) companies.
The SOC 2 framework includes five key sections, forming a set of criteria called the Trust Services Principles. These include:
1. The security of the service provider’s system
2. The processing integrity of this system
3. The availability of this system
4. The privacy of personal information that the service provider collects, retains, uses, discloses, and disposes of for user entities
5. The confidentiality of the information that the service provider’s system processes or maintains for user entities
SOC Type I vs. Type II
SOC 1 and SOC 2 reports come in two forms.
- Type I reports concern policies and procedures that were in operation at a specific point in time.
- Type II reports concern policies and procedures over a specified time period; for this more rigorous designation, systems must be evaluated for a minimum of six months.
The ultimate certification: SOC 2 Type II
SOC 2 Type II reports are the most comprehensive certification within the System and Organization Controls protocol. Businesses seeking a vendor such as an I.T. services provider will find SOC 2 Type II the most useful certification when evaluating a prospective service provider’s credentials.
A company that has achieved SOC 2 Type II certification has proven that its system is designed to keep its clients’ sensitive data secure. When it comes to working with the cloud and related I.T. services, such performance and reliability are absolutely essential and increasingly required by regulators, examiners, and auditors.