SOC (System and Organization Controls) reports are produced from an audit conducted in accordance with frameworks established by the AICPA (American Institute of Certified Public Accountants) for reporting on the internal controls implemented within an organization.
SOC reports are prepared by an independent third party auditor and provide customers with a detailed level of controls-based assurance across various aspects of a service's security and compliance posture.
A SOC 2 report, the most common type of SOC report for IT vendors, focuses on the controls of a services organization with respect to security and, optionally, several other dimensions known as Trust Services Criteria. A SOC 2 report with a “Type 2” designation reflects that controls have been tested over a period of time, rather than a single point in time.
Updated 2 months ago