<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

The Differences Between SOC 1 vs SOC 2

Get 14 days of full access to StrongDM today. No credit card required.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Confusing a SOC 1 vs SOC 2 audit is easy. While both compliance frameworks attest to the controls used within your organization, the frameworks differ in focus. This blog post will focus on exploring the differences between SOC 1 vs SOC 2.

What is SOC 1

A SOC 1 (Service Organization Control 1) report gives your company’s user entities some assurance that their financial information is being handled safely and securely. The SOC 1 report was previously called the SAS 70 (Statement on Auditing Standards 70) and was eventually replaced by the Statement on Standards for Attestation Engagements no. 16 (SSAE 16). SOC 1 offers both Type 1 and Type 2 (also written as “Type ii”) reports. A Type 1 report demonstrates that your company’s internal financial controls are properly designed, while a Type 2 report further demonstrates that your controls operate effectively over a period.

What is SOC 2

SOC 2 is a framework to help service organizations demonstrate their cloud and data center security controls. After organizations started using the SAS 70 as a way to measure the effectiveness of an organization’s security controls, the SOC 2 was developed as a report focused only on security. The SOC 2 is rooted in criteria called the Trust Services Principles (renamed to Trust Services Criteria in 2018), which the AICPA (American Institute of CPAs) defines as:

  • Security - systems and data need to be protected against unauthorized access and anything that could compromise their confidentiality, integrity, availability and privacy.
  • Availability - systems need to be available for use and operation.
  • Processing integrity - system processing must be timely, accurate and authorized.
  • Confidentiality - information delegated as confidential needs to have appropriate protections.
  • Privacy - any personal information collected must be used, retained, disclosed and disposed of appropriately.

Similar to SOC 1, the SOC 2 offers a Type 1 and Type 2 report. The Type 1 report is a point-in-time snapshot of your organization’s controls, validated by tests to determine if the controls are designed appropriately. The Type 2 report looks at the effectiveness of those same controls over a more extended period - usually 12 months.

🎉 Have you heard? StrongDM offers a free and completely self-paced online SOC 2 Course.

When to Get SOC 2 Certification

Getting started with SOC 2? We've got you. Sign up for our free course.

Your organization should pursue SOC 1 if your services impact your clients’ financial reporting. For example, if your organization creates software that processes your clients’ billing and collections data, you are affecting your client’s financial reporting, and thus a SOC 1 is appropriate. Another reason organizations pursue SOC 1 vs SOC 2 is if their clients ask for a “right to audit.” Without SOC 1, this could be a costly and time-intensive process for both parties, especially if several of your clients ask to submit a similar request. You may also need to comply with SOC 1 as part of a compliance requirement. If your company is publicly traded, for example, you will need to pursue SOC 1 as part of the Sarbanes-Oxley Act (SOX).

SOC 2, on the other hand, is not required by any compliance framework, such as HIPAA or PCI-DSS. But if your organization doesn’t process financial data but processes or hosts other types of data, SOC 2 makes sense. With today’s business climate being extraordinarily aware and sensitive to data breaches, your clients may want proof that you are taking reasonable precautions to protect their data and stop any leaks. We built an open source template for SOC 2 teams.

The choice to pursue SOC 1 vs SOC 2 depends on your organization’s situation. One critical determining factor when choosing between SOC 1 or 2 is whether your organization’s controls would affect your client’s internal control over financial reporting. You may want to engage with an audit firm to determine which SOC type (or both) is the right fit for your organization.

To learn more on how StrongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

ISO 27001 vs SOC 2
ISO 27001 vs. SOC 2: Understanding the Difference
SOC 2 and ISO 27001 both provide companies with strategic frameworks and standards to measure their security controls and systems against. But what’s the difference between SOC 2 vs. ISO 27001? In this article, we’ll provide an ISO 27001 and SOC 2 comparison, including what they are, what they have in common, which one is right for you, and how you can use these certifications to improve your overall cybersecurity posture.
Answering auditor questions in a SOC 2 review
Answering Auditors’ Questions in a SOC 2 Review
We recently completed our own SOC 2 audit, so we thought we’d review how we dogfooded our own product. We’ll share tips and tricks to make the audit process a little easier, whether you’re wrapping up your own or about to dive into the coming year’s audit. Here are the questions auditors asked us during our own SOC 2 audit and the commands and strongDM tooling we used to gather the evidence they requested.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Audit
Everything You Need to Know About SOC 2 Audits
Whether you’re looking to achieve SOC 2 compliance, or just want to learn more about it, your Googling is bound to lead you to a wealth of articles chock full of buzzwords and acronym soup. ‍In this post, we will provide a guide with definitions, links and resources to gain a solid understanding of everything you need to know about SOC 2 audits.
SOC 2 Policies Guide
A Definitive Guide to SOC 2 Policies
In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual SOC 2 policy.