Compliance Certifications: Differences between SOC 1, SOC 2 and SOC

By April 5, 2022 No Comments

*By Eduardo Camolez

With the growing wave of cyberattacks and information theft, there has been an increase in demand for the implementation and continuous improvement of the Risk Management and Compliance process, both in companies and by regulatory bodies.

São Paulo/SP 4/1/2022 – Deciding which SOC report makes the most sense for a company will depend exclusively on the type of information it is processing for its customers

BACEN (Central Bank of Brazil), for example, requires banks to have a cybersecurity policy and periodically assess their critical service providers, and they are also required to report the results of such assessments to the regulator. This extends to SUSEP (Superintendence of Private Insurance) and other regulatory bodies.

An important effect of this level of demand in relation to risk management and implementation of information security processes and controls is that the topic ends up extending to the entire value chain of companies, including service providers. The General Personal Data Protection Law, Law No. 13.709/2018, establishes that a company that has its data leaked, even if it is from a service provider, will be jointly and severally liable for the incident.

All these aforementioned aspects, in addition to reputational and financial risk, have generated a demand, not only for the implementation of internal controls, but also for the verification of their effectiveness.

One of the ways to prove that there is a structure of internal controls implemented and with controlled risks is through certifications provided by independent entities. It can be highlighted how some of the main certifications for this purpose SOC (Service Organization Control) 1, 2 or 3.

Historically, the roots of SOC 2 go back to the early 1970s when the AICPA (American Institute of Certified Public Accountants), which created SOC 2, released Statement on Auditing Standards (SAS) 1.

The SAS 1 document officially outlined the role and responsibilities of an independent auditor.

Decades passed and new SAS were created, until the SAS 70 in 1992.

Throughout the early 1990s, CPAs used SAS 70 to determine the effectiveness of a company's internal financial controls. Over time, SAS 70 became a way of reporting on how companies handled information security in general.

Over the next 20 years, companies began to outsource services like payroll processing and cloud computing. And these services can affect financial reporting or data security.

As a result, a need has arisen for companies to validate their level of security, ideally through a trusted third party.

When did SOC 2 start?

In April 2010, the AICPA announced a new auditing standard: the Statement on Standards for Attestation Engagement (SSAE 16).

Under SSAE 16, the AICPA released three new reports. This resulted in Service Organization Controls (SOC) and the popular SOC 2, although there are also SOC 1 and SOC 3.

In May 2017, the AICPA replaced SSAE 16 with SSAE 18 to update and simplify some confusing aspects of SSAE 16.

SSAE 18 is now used for all SOC 1, SOC 2 and SOC 3 reports. But what's the difference between them?


The purpose of SOC 1 is to evaluate the structure of the company's controls focused on financial auditing, that is, that somehow imply the financial balance of the clients for whom the services are provided. This report is usually requested for companies that offer services such as payroll, payment processing, employee time tracking, etc.


The purpose of SOC 2 is to evaluate the company's internal control structure in a more comprehensive way, focused on information security as a whole. Five aspects, called Trust Services Criteria can be evaluated, namely:

  • Security: Protection of information against unauthorized access;
  • Availability: Ensuring that employees and customers can trust your systems to do their jobs;
  • Process integrity: Verification of the company's systems that they work as intended;
  • Confidentiality: Protection of confidential information by limiting its access, storage and use;
  • Privacy: Protection of confidential personal information from unauthorized users.

Only the first criterion (Safety) is mandatory in the certification process, the others being the choice of the audited company.


The purpose of SOC 3 is to provide a summary of the SOC 2 report. Both the SOC 1 and SOC 2 reports contain detailed information about the audited company's technological and control infrastructure, as well as the auditor's view of them. Thus, both are confidential and must have their access very well controlled. The SOC 3 report offers a summary of the SOC 2 report, with only public information, describing the tests performed and the auditor's view. This report can be made available to any person or company.

It is important to be clear that the reports do not represent an increase in maturity and it is not necessary to have SOC 1 to have SOC 2. It is only necessary to have the SOC 2 report to obtain SOC 3, as this is a summary from the other.

Which SOC report to choose?

Deciding which SOC report makes the most sense for a company will depend solely on the type of information it is processing for its customers.

For example, if the company is providing payroll processing services, it will likely need a SOC 1. If it is hosting or processing customer data, it will need a SOC 2 report. SOC 3 reports are less formal and are better used as marketing material.

Finally, some organizations need a SOC 1 and SOC 2 report. This will depend on the services they provide and their customers. It may have clients requesting a SOC 1 and other clients requesting a SOC 2, but there will be overlap in both, which can speed up testing.

— Eduardo Camolez is Partner, GRC Leader at [SAFEWAY] 

How can we help?

SAFEWAY is a consulting firm in Information security recognized by its customers for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

today through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.