The Schellman Blog

As you likely know, there are different System and Organization Controls (SOC) report options, such as SOC 1 and SOC 2/SOC 3. What may be lesser known is that within those SOC report options, there are also different types, referred to as Type 1 and Type 2. In other words, the specific use of “Type” as a distinguisher are different specified options for both the SOC 1 and SOC 2 reports.

You may be wondering why a financial services company would need a SOC 1 report. Well, in today’s financial services landscape, trust is currency—and transparency is the key to earning it.

HITRUST Certification is a globally recognized program that validates an organization’s compliance with the HITRUST Common Security Framework (CSF). An alternative to obtaining a HITRUST CSF Certification is the SOC 2 + HITRUST report, which serves as a collaboration between HITRUST and the AICPA.

What is the SOC 2? At a high level a SOC 2 examination is a report on internal controls of a service organization related to the Trust Service Principles and Criteria (TSPs), which include: security, availability, processing integrity, confidentiality and/or privacy. Reporting on these TSPs can provide assurance around the adequacy of your services’ security control environment.

NOTE: Schellman has since updated and expanded this information in an article found here.

Cloud computing has become an essential aspect of modern business operations, offering scalability, flexibility, and cost-efficiency. However, with the increased reliance on cloud services comes the growing need for security and compliance assurances. As such, Cloud Service Providers (CSPs) now face the challenge of proving they can securely handle customer data while maintaining reliable operations.

As organizations face pressure to obtain third-party validation demonstrating their effective cybersecurity and risk management practices, they may wonder which compliance approach is best to pursue. HITRUST Certification is a globally recognized program that validates an organization’s compliance with the HITRUST Common Security Framework (CSF). An alternative to obtaining a HITRUST CSF Certification is the SOC 2 + HITRUST report, which serves as a collaboration between HITRUST and the AICPA.

The American Institute of Certified Public Accountants (AICPA) has designed three distinguished SOC reports to accommodate the varying needs of service organizations, each with their own purpose and intended use. As such, when service organizations begin researching System and Organization Controls (SOC) reports, their first consideration often centers around determining which SOC report(s) is best for their needs.