There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 focuses on controls related to financial reporting; SOC 2 provides a more general assessment of controls for security, availability, processing integrity, confidentiality and privacy; SOC 3 provides a high-level executive summary without details. A SOC 2 audit evaluates both control design and operating effectiveness over a period of time (e.g. 6-12 months), providing more assurance than a point-in-time ISO audit. The detailed SOC 2 report can only be shared under non-disclosure due to the sensitive information it contains.
SOC 2 and SOC 3 controls, describe the benefits of SOC reports. So we'll spend some time here looking at SOC reports. Some industries will require it, just like we've mentioned earlier for ISO: some jurisdictions or industries will require it, and if you don't have it, you have to perform some local compliance audit. So many organizations who know compliance actually prefer SOC 2 over ISO. ISO is point-in-time testing, whereas SOC 2 is continuously monitored testing over a period of time. Again, some organizations, or some clients, or some industries will accept SOC 2 in lieu of the right to audit. So if I compare with ISO and look at the different things that they focus on, just to compare and contrast, you'll find SOC 2 is focused on physical and logical security and, specifically, do you do what you say you'll do, whereas the ISO one is a little bit more focused on risk. ISO is internationally recognized. SOC 2 has traditionally been more North American, but it is becoming more known internationally. The purpose and the task for SOC 2 is that you achieve the standards associated with the controls but also that you implement your own policies and perform them, and the ISO one is a little more focused on best practices. ISO is managed by the ISO, and an ISO-accredited agency would do the consulting and certifying. SOC 2 is almost always performed by a CPA because it's governed and inspected by the AICPA. On the difference in design and the nature or scope, as I said earlier, ISO is focusing on design effectiveness at a point in time, whereas SOC 2 also looks at operating effectiveness over a period of time. So Type 2 would be 6-12 months and would look at how effectively you are performing those functions over that entire period of time. You get a single page from an ISO certification; there's a detailed report that's considered confidential and internal.
But otherwise, it's a single page and doesn't provide a lot of detail to the reader or to your customer about what you're doing. In the case of SOC 2, you get a fairly detailed report. It can be many pages long. It describes the controls, it describes how they tested them, it describes the results of the testing. So it's very detailed and can provide a lot of insight for your customers and give your customers confidence in how you operate. Again, personal opinion, I consider the SOC 2 a higher degree of difficulty than the ISO because of that operating effectiveness compounded onto it. There are actually three SOC reports: SOC 1, 2 and 3. They're all based on the same core set of controls, but they subset it out and report it differently. So SOC 1 uses a subset of the controls, and it specifically is looking at situations where your system is being used for financial reporting. So if you are using your system to hold your sales ledger data and you then are going to turn around and use that data to generate reports for your financial reporting, for your SEC filings, things like that. So it's going to focus on a very specific subset of reports, and they're going to be slanting it towards that purpose of financial reporting, not surprising when it comes from the AICPA. SOC 2 is a little more general, and it's going to look at more controls, a superset of the ones that are looked at for SOC 1. They're looking at it for general purpose use. The report they produce is restricted because of the detail that is in there around the system, the security, processes, and methodologies. If you achieve this for your environment, you would get to keep a copy of it yourself. You would only send it to clients or prospective clients under a non-disclosure agreement, because of the level of detail in there. If it fell into the wrong hands, somebody could use that to try to mount a malicious attack.
For people who do want to have something short and sweet, something you can put on your web page like the ISO certification, there is a SOC 3 report. It is considered an executive summary of your SOC 2. It provides the opinion and the description of the system, but it does not get into the details of the security practices or the testing methodology and results. It's just a high-level one. So typically what you would do is commission at least a SOC 2. If you have the financial needs, you also commission the SOC 1, and the SOC 3 would come as well when you get into the Type 2 situation. So you can do one audit and achieve all three certifications; you just need to plan that out with your auditor in advance. SOC 1, SOC 2, I mean, the Type 1 and Type 2. You need to keep a little chart. I'm going to have to make a little handy chart to keep track of these. A Type 1 report, consider that as your starting line. That is the closest equivalent to an ISO as well. So basically, it tests the design effectiveness of your controls and has tested that you have performed those controls at least once. So think of that as the start, Type 1. You would use that when your product is new, or when you are first acquiring your certification for SOC. It's not something that you would ever repeat; you'd just do one Type 1 report. After that you move into a Type 2 scenario. The Type 2 is now looking at operational effectiveness over a period of time. Typically, that is six months or 12 months. The auditor will come in and they will test over the interval of that period of time. So if you're doing a six-month test, they might come in after three months and run tests on the first three months, and then come in at the end of the six months and do some more tests. Basically, they're looking at whether the control is operating effectively on day 1, day 30, day 180, etc.
The expectation there is that you're able to provide proof that you're maintaining the effectiveness of these controls over time. Typically, you will renew them either every six months or do them yearly. We do rolling 12-month reports typically in our business. So every six months we would have a report on the previous 12 months. This is very helpful for our customers who are looking at using this for their businesses, because they have continuity for the entire period that they may be using our products. On top of the complexity of Type 1s and Type 2s and SOC 1s and SOC 2s, there are different principles or chapters within SOC 2, and they each come with a set of controls or requirements. The most typical, and sort of the foundational one that everybody would get, would be security; they're looking specifically at how you're protecting your physical and logical access and systems. So they have controls related to user provisioning, change management, inventory management, things like that. Then we have other additional principles or chapters. You can determine which ones are most relevant for your business, and of course they increase the scope, the number of controls and the scope of your audits and the report. Those are availability and confidentiality, processing integrity and privacy. We're definitely seeing availability and confidentiality, and we're starting to see more interest in processing integrity and privacy as well. So you can see the industry shifting from having an entry-level security baseline, we're going to get that, towards having these more complex and additional controls added on. Confidentiality and privacy are really useful as you also try to prove out your GDPR stance for European customers.