SOC stands for “Service Organization Controls” and it is an information security compliance standard created by the American Institute of Certified Public Accountants (AICPA) for helping an Organization meet an auditor’s expectations for the benefits of its customers, in order to protect their information and data that are stored on cloud-based servers. There are several SOC reports to choose for a Service Organization that provides services and systems to customers such as Cloud Computing, Data Hosting, Software as a Service, Platform as a Service etc.:
- SOC 1 is focused on the effectiveness of internal controls related to financial controls in order to protect customer data.
- SOC 2 is focused on Information and IT Security identified by any of the five Trust Services Criteria in TSP section 100 outlined by the AICPA related to security, availability, processing integrity, confidentiality and privacy.
- SOC 3 covers the same procedures as a SOC 2 report, but it is intended for general public distribution without the detailed test results of SOC 2.
SOC reports come in two types and focus on different stages of risk management.
- Type I is for undergoing the first SOC audit and validates the design of internal controls
- Type II is for reviewing a Service Organization’s internal controls over a specific period of time (6 to 12 months) and ensures that security practices and controls are properly designed and operating effectively.
A SOC 1 and a SOC 2 report can be either Type I or Type II, whereas a SOC 3 report can be only Type II.
SOC 2 requires Service Organizations to design and implement security policies and procedures specifically for the protection of information stored in the cloud, implements assessments to guarantee the compliance with these policies and procedures, and constantly updates the compliance and security standards.
There are two types of criteria applicable in a SOC 2 examination. The Description Criteria in DC section 200 2018, includes the criteria used to describe the Service Organization’s system. In addition, the controls that are in place must be relevant to the Trust Services Criteria in TSP section 100 of the AICPA in order to protect its information, by evaluating the proper design and the operating effectiveness of the controls related to security, availability, processing integrity, confidentiality and privacy.
The Trust Service Criteria are defined as principles and they are aligned with the 17 principles of the COSO Framework and their additional points of focus related to each criterion. Each organization should select specific categories required in order to mitigate the risks on their services or systems they provide.
Depending on which categories are included within the scope of the examination, the applicable Trust Services Criteria consist of criteria common to all five of the trust service categories (common criteria) and additional specific criteria for the security, availability, processing integrity, confidentiality, and privacy categories. From all five Trust Services Criteria only Security is mandatory for a SOC 2 report. The other four of the Trust Services Criteria can be included in a SOC 2 report based on the risks identified in an organization without being required.
Trust Services Categories:
- Security – Information and systems are protected against unauthorized or malicious access, unauthorized disclosure of information and damage to systems that could compromise the availability, integrity, confidentiality and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability – Information and systems are available for operation and use to meet the entity’s objectives.
- Processing Integrity – System processing is complete, valid, accurate, timely and authorized to meet the entity’s objectives.
- Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
- Privacy – Personal information is collected, used, retained, disclosed and disposed of to meet the entity’s objectives.
ISO 27001 with SOC 2 comparison
Comparing SOC 2 with ISO 27001, there are several similarities and differences between them, where an Organization needs to consider in order to decide which standard to undergo.
SOC 2 and ISO 27001 are both designed for securing information and gaining trust with clients for protecting their data but focus on different areas. It is very important for an organization to understand their customers needs and regulatory requirements that they need to demonstrate compliance to.
SOC 2 examination and ISO 27001 certification provide assurance on the security controls that an organization has in place in order to meet the Trust Service Criteria and the ISO Standard requirements.
The main difference is that SOC examination services are performed under the AICPA attestation standards and the reports provide an opinion by an auditor (Certified Public Accountant – CPA) who examines certain elements about the security controls of a Service Organization and ensures that the system is protected against physical and logical unauthorized access. On the other hand, ISO 27001 determines an Organization’s compliance of their Information Security Management System (ISMS) according to the Standard and helps organization management in establishment and certification of an ISMS that meets specified requirements and can be certified as best practice.
Another difference is the content and form of the deliverables for each engagement. For a SOC 2, the final deliverable will be an attestation report, whereas the deliverable for an ISO 27001 engagement is a 1-2 page certificate. In addition, ISO 27001 certifications are applicable for three years and the audit reports are usually for internal use only while SOC 2 reports are point-in-time or period-of-time reports and intend to be external deliverables.
A SOC 2 Audit Report includes:
- An opinion letter from the auditor
- Management assertion letter
- A detailed description of the system or services
- Details of the selected Trust Service Categories and the appropriate technical and organisational controls
- A detailed description of the service auditor’s tests of controls and results thereof (Type II report)
An ISO 27001 Certificate includes:
- Certified organization’s ISMS Scope
- In-scope locations
- Effective dates of the certificate