What is SOC Compliance?
A business that provides services to other businesses (data storage or payroll processing, for example) typically needs to give those customers assurance that using the service will not expose them to undue security or compliance risk. The two most common ways to provide that assurance are a SOC 1 report and a SOC 2 report. Neither is a pass/fail certification: an independent CPA firm examines the service organization's controls and issues an attestation report with an opinion, and customers and their auditors read that report (including any exceptions it lists) to judge the risk.
SOC originally stood for "Service Organization Control"; the AICPA renamed the framework "System and Organization Controls" in 2017, and both expansions are still in circulation. A SOC 1 report covers controls at a service organization that are relevant to its customers' internal control over financial reporting, so it matters when the service affects the customer's financial statements (payroll, billing, transaction processing). A SOC 2 report, in contrast, covers controls relevant to security, availability, processing integrity, confidentiality, and privacy, which is why customers use it to evaluate the security posture of their vendors. Both report types are defined by the American Institute of CPAs (AICPA); the attestation standard the auditor follows is issued by its Auditing Standards Board.
SOC 2 reports are formally titled "Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy." Those five areas are the trust services categories (older material calls them the trust services principles); the specific control requirements under each category are the trust services criteria. Security is the only mandatory category; the service organization chooses which of the other four to include in scope, so two SOC 2 reports are not necessarily comparable until you check which categories each one covers.
SOC 2 reports, like SOC 1 reports, come in two types. A Type I report assesses whether the relevant controls are suitably designed and implemented as of a specific date. A Type II report additionally tests whether those controls operated effectively over a defined review period, commonly six to twelve months, and lists any exceptions the auditor found in that testing. A Type II report is therefore the stronger evidence and the one most customers ask for.