I see a fair amount of confusion about this, from security professionals to auditors and beyond. I'll try to simplify it here.

SOC – Service Organization Controls

And I see people confidently speaking about it, and they're wrong.

Let's fix that! Everything I see on the subject is written in Auditor-ese, so let's simplify it!

There are three SOC reports: SOC 1, SOC 2 and SOC 3.

There are two types, e.g., SOC 1 Type 1, SOC 1 Type 2, SOC 2 Type 1, SOC 2 Type 2. SOC 3 doesn't have two types.

Type 1: Seen less 'in the wild'. This is typically used when a company is new, to establish a time period. It's a point-in-time report.

Type 2: You'll see this the most. Here the controls are assessed over a time period (an independent auditor goes in and verifies that the company does what it says it does). Minimum 6 months, typically a year.

As you might guess, this is quite the task. It's not cheap either. A SOC report, and an organization that's taken the time to get one, is nothing to sneeze at.

There's more to come on SOC reports; I hope that helped you! Here's a great resource for further learning.