
In this video, you will learn to describe the differences between SOC 1, SOC 2 and SOC 3 controls, and describe the benefits of SOC reports.
SOC reports. So we'll spend some time here looking at SOC reports. So SOC reports, some industries will require it, just like we've mentioned earlier for ISO: some jurisdictions or industries will require it, and if you don't have it, you have to perform some local compliance audit. So many organizations who know compliance actually prefer SOC 2 over ISO. ISO is a point-in-time testing, whereas SOC 2 is continuously monitored testing over a period of time. Again, some organizations, or some clients, or some industries will accept SOC 2 in lieu of the right to audit.

So if I compare with ISO and I look at the different types of things that they focus on, just to compare and contrast, you'll find SOC 2 is focused on physical and logical security and, in specific, you know, do you do what you say you'll do, whereas the ISO one is a little bit more focused on risk. ISO is internationally recognized. SOC 2 has traditionally been more North American, but it is becoming more known internationally. The purpose and the task for SOC 2 is that you achieve the standards associated with the control but also that you implement your own policies and perform them, and the ISO one is a little more focused on best practices. The ISO is managed by the ISO, and an ISO-accredited agency would do the consulting and certifying. SOC 2 is almost always performed by a CPA because it's governed and inspected by the AICPA.

In the difference about design and the nature or scope, as I said earlier, ISO is focusing on the design effectiveness at a point in time, whereas the SOC 2 also looks at operating effectiveness over a period of time. So Type 2 would be 6-12 months and would look at how effective you are at performing those functions over that entire period of time. You get a single page from an ISO certification; there's a detailed report that's considered confidential and internal. But otherwise, it's a single page and doesn't provide a lot of detail to the reader or to your customer about what you're doing. In the case of SOC 2, you get a fairly detailed report. It can be many pages long. It describes the controls, it describes how they tested them, it describes the results of the testing. So it's very detailed and can provide a lot of insight for your customers and confidence for your customers about how you operate. Again, personal opinion, I consider the SOC 2 a higher degree of difficulty over the ISO because of that operating effectiveness compounded to it.
There are actually three SOC reports: SOC 1, 2 and 3. The SOC 1, they're all based on the same core set of controls, but they subset it out and report it differently. So SOC 1 uses a subset of the controls, and it specifically is looking at situations where your system is being used for financial reporting. So if you are using your system to hold your sales ledger data and you then are going to turn around and use that data to generate reports for your financial reporting, for your SEC filings, things like that. So it's going to focus on a very specific subset of reports, and they're going to be slanting it towards that purpose of financial reporting, not surprising when it comes from the AICPA.

SOC 2 is a little more general, and it's going to look at more controls, a superset of the ones that are looked at for SOC 1. They're looking at it for general-purpose use. The report they produce is restricted because of the detail that is in there around the system, the security, processes, and methodologies. If you achieve this for your environment, you would get to keep a copy of it yourself. You would only send it to clients or prospective clients under a non-disclosure agreement, because of the level of detail in there. If it fell into the wrong hands, somebody could use that to try to mount a malicious attack.

For people who do want to have something short and sweet and something you can put on your web page, like the ISO certification, there is a SOC 3 report. It is considered an executive summary of your SOC 2. It provides the opinion and the description of the system, but it does not get into the details of the security practices or the testing methodology results. It's just a high-level one. So typically what you would do is, you would commission at least a SOC 2. If you have the financial needs, you also commission the SOC 1, and the SOC 3 would come as well when you get into the Type 2 situation. So you can do one audit and achieve all three certifications; you just need to plan that out with your auditor in advance.
SOC 1, SOC 2, I mean, the Type 1 and Type 2. You need to keep a little chart. I'm going to have to make a little handy chart to keep track of these. A Type 1 report, consider that as your starting line. That is the closest equivalent to an ISO as well. So basically, it tests the design effectiveness of your controls and has tested that you have performed those controls at least once. So think of that as the start, Type 1. You would use that when your product is new, or when you are first acquiring your certification for SOC. It's not something that you would ever repeat; you'd just do one Type 1 report. After that you move into a Type 2 scenario. The Type 2 is now looking at operational effectiveness over a period of time. Typically, that is six months or 12 months. The auditor will come in and they will test over the interval of that period of time. So if you're doing a six-month test, they've come in after three months and run tests on the first three months, and then come in at the end of the six months and then do some more tests. Basically, they're looking that the control is operating effectively on day 1, day 30, day 180, etc. The expectation there is that you're able to provide proof that you're maintaining your effectiveness of these controls over time. Typically, you will renew them either every six months or yearly. We do rolling 12-month reports typically in our business. So we would have, every six months, a report out on the previous 12 months. This is very helpful for our customers who are looking at using this for their businesses because they have continuity for the entire period that they may be using our products.
On top of the complexity of Type 1s and Type 2s and SOC 1s and SOC 2s, there are different principles or chapters within SOC 2, and they each come with a set of controls or requirements. The most typical and sort of the foundational one that everybody would get would be security, and they're looking specifically at how you're protecting your physical and logical access and systems. So they have controls related to user provisioning, change management, inventory management, things like that. Then we have other additional principles or chapters. You can determine which ones are most relevant for your business, and of course increase the scope, the number of controls and the scope of your audits in the report: availability and confidentiality, processing integrity and privacy. We're definitely seeing availability and confidentiality, and we're starting to see more interest in processing integrity and privacy as well. So you can see the industry shifting from having the entry-level security baseline, we're going to get that, towards having these more complex and additional controls added on. Confidentiality and privacy are really useful as you also help to try to prove out your GDPR stance for European customers.