I see a fair amount of confusion about SOC reports, from security professionals to auditors and beyond. I’ll try to simplify it here.
SOC – Service Organization Controls
I see people speaking confidently about it, and they’re wrong.
Let’s fix that! Everything I see on the topic is written in auditor-ese, so let’s simplify it!
There are 3 SOC reports.
SOC 1 and SOC 2 each come in two types, e.g., SOC 1 Type 1, SOC 1 Type 2, SOC 2 Type 1, SOC 2 Type 2. SOC 3 doesn’t have two types.
Type 1: Seen less often ‘in the wild’. It’s typically used when the company is new, to establish a starting point for a later assessment period. It’s a point-in-time report.
Type 2: This is the one you’ll see the most. The controls are assessed over a time period (an independent auditor goes in and verifies that the company actually does what it says it does). Minimum 6 months, typically a year.
As you might guess, this is quite the task, and it’s not cheap either. A SOC report, and an organization that has taken the time to get one, is nothing to sneeze at.
There’s more to come on SOC reports, hope that helped you! Here’s a great resource for further learning.