[06] SOC 1 and SOC 2 Reports
By: Prasanna
Topic: SOC 1 and SOC 2 Reports
Domain: D1 - Security and Risk Management
Tags: #cissp
Definition
SOC 1 and SOC 2 reports are independent assurance reports that help organizations evaluate controls and service provider trustworthiness. SOC 1 focuses on financial reporting controls, while SOC 2 focuses on security, availability, processing integrity, confidentiality, and privacy.
Key Points
- SOC 1 is commonly used for service organizations that affect financial reporting.
- SOC 2 is commonly used for cloud and technology providers and is based on Trust Services Criteria.
- The report is prepared by an independent CPA firm and reflects management's description of the controls in place.
- A SOC report supports vendor risk assessments and due diligence.
CISSP Insight
- These reports are useful evidence during third-party risk management, but they are not a substitute for internal controls or a full compliance program.
- CISSP candidates should understand the purpose and audience of each report.
Key Difference / Trap
- SOC 1 vs SOC 2
  - SOC 1 = financial reporting controls
  - SOC 2 = security and Trust Services Criteria
- SOC 2 is not the same as ISO 27001 certification
  - It is an attestation report, not a full management system certification
Example
A SaaS provider shares a SOC 2 report with customers to demonstrate that its security controls are operating effectively over a period of time.
References
- AICPA SOC 1 and SOC 2 guidance
- ISO/IEC 27001:2022
- NIST Cybersecurity Framework
Quick Recall
- SOC 1 = Finance
- SOC 2 = Security and Trust Services