Soc is designed to help service organizations that provide services to other entities, build trust and confidence in the service performed and controls related to the services through a report.
Types of soc compliance
soc 1 (soc for service organizations icfr): report on controls of a service organization relevant to user entities’ internal control over financial reporting (icfr).
Soc 2 (soc for service organizations, trust services criteria): report on controls of a service organization relevant to security, availability, processing integrity, confidentiality and privacy.
Soc 3 (soc for service organizations trust services criteria for general use report): these reports are designed to meet the needs of users who need assurance about the controls of a service organization.
Soc for cyber security (new): a reporting framework for communicating information about the effectiveness of cybersecurity risk management program to a broad range of stakeholders.
Soc for vendor supply chain (under development): an internal controls report on a vendor’s manufacturing process for customers of manufacturers and distributors to better understand the security risks in their supply chains.
Soc assurance reporting
type 1 (point in time) reports cover the suitability of the design of controls as of a point in time. The type I report is a snapshot in time.
Type 2 (period of time) cover the suitability of design and operating effectiveness of controls over a period of time, typically 6 or 12 months.

Soc is designed to help service organizations that provide services to other entities, build trust and confidence in the service performed and controls related to the services through a report.
Types of soc compliance
soc 1 (soc for service organizations icfr): report on controls of a service organization relevant to user entities’ internal control over financial reporting (icfr).
Soc 2 (soc for service organizations, trust services criteria): report on controls of a service organization relevant to security, availability, processing integrity, confidentiality and privacy.
Soc 3 (soc for service organizations trust services criteria for general use report): these reports are designed to meet the needs of users who need assurance about the controls of a service organization.
Soc for cyber security (new): a reporting framework for communicating information about the effectiveness of cybersecurity risk management program to a broad range of stakeholders.
Soc for vendor supply chain (under development): an internal controls report on a vendor’s manufacturing process for customers of manufacturers and distributors to better understand the security risks in their supply chains.
Soc assurance reporting
type 1 (point in time) reports cover the suitability of the design of controls as of a point in time. The type I report is a snapshot in time.
Type 2 (period of time) cover the suitability of design and operating effectiveness of controls over a period of time, typically 6 or 12 months.