SOC 1 Vs SOC 2 Report

Published on : 07 Jun 2019

Which SOC Report Do I Need?

As a service organization, you are familiar with audit requests from clients who must meet specific compliance and audit requirements. You have most likely been asked whether your organization is SOC 1 compliant or SOC 2 compliant.

Clients frequently ask what the differences between a SOC 1 and a SOC 2 are, which SOC report they should get, and whether they need both. In this article we discuss the differences between SOC 1 and SOC 2, and which ones organizations need to be compliant with.

The questions are: What are the differences between a SOC 1 and a SOC 2? Which SOC report should I get? Do I need both? These are questions we, as auditors, are frequently asked. Let's take a look at the differences between the two, and why you could be asked for either, or both, as you continue to grow your business.

Do I need a SOC 1?

A Service Organization Control 1, or SOC 1, engagement is an audit of the internal controls at a service organization that have been implemented to protect client data. SOC 1 engagements are performed in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). A SOC 1 assessment comprises control objectives, which are used to accurately represent internal control over financial reporting (ICFR). In other words, if you are hosting or processing financial information that could affect your clients' financial reporting, then a SOC 1 audit report makes the most sense for your organization to pursue, and will likely be requested of you. The same applies if your client wants to confirm your financial reporting standards or financial stability. In our experience, SOC 1 report requests are very few compared to SOC 2 report requests.

Do I need a SOC 2?

If you are hosting or processing other types of information for your clients that do not impact their financial reporting, then you may be asked for a SOC 2 audit report. In this instance, your clients are likely concerned with whether you are securely handling their data, and whether it is available to them in the way you have contracted it to be. A SOC 2 report, similar to a SOC 1 report, evaluates internal controls, policies, and procedures. The difference is that SOC 2 reports are based on controls that directly relate to the Security, Availability, Processing Integrity, Confidentiality, and Privacy of a service organization. These criteria are known as the Trust Services Principles and are the foundation of any SOC 2 audit engagement.


Do I need a SOC 1 and a SOC 2 report?

If you have clients that fall under both categories (financial reporting as well as the efficacy of security controls), then there is a chance you may be asked for both. In some circumstances, you may determine that you need both a SOC 1 and a SOC 2 report in order to ensure that your controls meet the demands of a variety of clients and stakeholders.

So which report makes the most sense for your organization? Should you pursue a SOC 1 or a SOC 2? Do you need both? Determining your business objectives (current and future) and, just as importantly, your client commitments and expectations is a vital first step in deciding which SOC audit you should pursue. VISTA InfoSec can help you determine which SOC report makes the most sense for your organization and assist in determining the scope of your engagement.

Contact us today to learn more about how we can help


Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.