What are SOC 1, SOC 2 and SOC 3?

Australian service providers are often asked to provide their clients with third-party assurance of their information security. These requests may mention ISO 27001 certification or, usually if the client is US-based, SAS 70 or SOC reports. ISO 27001 is well recognised as the international standard for managing information security, but what are SAS 70 and SOC?

SAS 70 no longer exists as a current standard. It was replaced by SOC 1 in 2011. So if an organisation is asking for a SAS 70 report, what they should really be referring to is a SOC 1 report.

SOC 1, 2 and 3 are audit reports awarded to service providers demonstrating a defined level of security controls. SOC 1, 2 and 3 do not provide certification to any international standard. They are audits developed by the American Institute of Certified Public Accountants (AICPA) primarily to meet the needs of American companies. They have not been through the rigorous international review process common to international standards, and as such may disregard regional issues that tend not to exist in America. SOC 1, 2 and 3 audits can only be conducted by a Certified Public Accountant (CPA) registered with the American Institute of Certified Public Accountants.

There is an international equivalent to SOC 1 that may be more appropriate for Australian organisations. It is called ISAE 3402 and was developed by the International Federation of Accountants (IFAC). The SOC 1 assessment was actually developed from this standard, but differs from it slightly. However, the ISAE 3402 standard is not well known in the security industry, so many international organisations choose ISO 27001 certification instead.

SOC Categories

SOC 1 is an audit report on controls related to the protection of financial statements. This report is only likely to be relevant to those service providers that offer financial reporting services. SOC 1 audits are performed against an American standard called SSAE 16.

SOC 2 is an audit report on controls related to one or more of the following areas: security, availability, processing integrity, confidentiality and privacy. The scope of the report varies depending on which of these attributes the service provider decides to include. SOC 2 audits are performed against American standards known as the Trust Services and AT 101.

SOC 1 and SOC 2 reports can be either Type 1 or Type 2. A Type 1 report is restricted to an assessment of how the security controls are designed. It does not include an assessment of how effectively the controls are operating. A Type 2 report includes an assessment of the design and operating effectiveness of the security controls.

SOC 2 reports are generally not provided to service providers’ clients because they may contain sensitive information about security controls. Instead, a service provider can obtain a higher-level compliance report called SOC 3, which does not contain sensitive information. The assessment for SOC 2 and SOC 3 is the same, but the report is different. The SOC 3 report can be provided to clients to demonstrate compliance without disclosing any sensitive information. SOC 3 reports must be performed as a Type 2 assessment.

To find out more, call an expert consultant in Melbourne today on 1300 977 774.