
SOC 2 vs. SOC for Cybersecurity Reports


If you’ve been involved in any sort of vendor review process at your organization, you’ve surely heard of, or had the pleasure of reviewing, a SOC (System and Organization Controls) report. There are several types of SOC reports, including SOC 1, SOC 2, and SOC 3, as well as the newest member of the team – the SOC for Cybersecurity. While each report has its own purpose, we’re going to dive into the difference between the SOC 2 and SOC for Cybersecurity reports. Specifically, we’ll look at the purpose of and differences between these two SOC reports, and which SOC report your organization should be requesting during your next vendor review.


SOC 2 vs. SOC for Cybersecurity Purpose and Use

SOC 2 reports were created to address the needs and concerns related to information security. Hackers are evolving and perfecting ways to compromise networks, access financial resources, and steal personal information at large scale on a seemingly daily basis. A SOC 2 report is meant to illustrate how an organization’s internal controls are designed and implemented, as well as how the organization prioritizes important policies and procedures not directly linked to financial reporting.


The typical recipients of a SOC 2 report are customers looking to gain assurance that the product or service they’ve purchased is sufficiently protecting their customer information. It should also be noted that SOC 2 reports are typically shared only with customers of the service organization.


SOC for Cybersecurity reports are intended to help your organization better understand the service organization’s cybersecurity risk management efforts, so that you can use that understanding in decision-making processes such as risk assessments and vendor management. SOC for Cybersecurity reports provide objective assurance that appropriate processes and controls exist at the service organization to manage a cyber-attack.


Users, analysts, members of the Board of Directors, or others at your organization will get an inside perspective and gain confidence in an organization’s ability to manage cybersecurity risk from a SOC for Cybersecurity report. A SOC for Cybersecurity report is designed to be shared publicly or to anyone at the discretion of the service organization.


SOC 2 vs. SOC for Cybersecurity Subject Matter

SOC 2 and SOC for Cybersecurity reports have similar structures, including management’s description of criteria, management’s assertion, and the practitioner’s opinion, but cover different subject matter.


The main components of a SOC 2 report relate to the organization’s system and the effectiveness of controls based on the Trust Services Criteria. While management can choose the scope of the SOC 2 relating to the products and services assessed, the Trust Services Criteria remains the core of a SOC 2 report.


The five Trust Services Criteria, the specific set of control criteria upon which a SOC 2 is based, include controls around:

  1. Security: The system is protected against both physical and network-based attacks.
  2. Availability: The system is always available for operation.
  3. Processing Integrity: Processing is complete, accurate, and authorized.
  4. Confidentiality: Confidential information is protected.
  5. Privacy: Personal information is collected, retained, and destroyed in conformity with the commitments in the entity's privacy notice.


A SOC 2 report contains a complete list of the Trust Services Criteria and the service organization controls mapped to the Trust Services Criteria, as well as the results of control testing and noted exceptions.


In contrast, the main components in a SOC for Cybersecurity report relate to an entity’s cybersecurity risk management program and the effectiveness of controls to meet cybersecurity objectives. SOC for Cybersecurity objectives are defined by management and include:

  1. Nature of Business and Operations: Disclosures about the nature of the entity’s business and operations.
  2. Nature of Information at Risk: Disclosures about the principal types of sensitive information the entity creates, collects, transmits, uses, and stores that are susceptible to cybersecurity risk.
  3. Cybersecurity Risk Management Program Objectives (Cybersecurity Objectives): Disclosures about the entity’s principal cybersecurity objectives related to availability, confidentiality, integrity of data, and integrity of processing and the process for establishing, maintaining, and approving them.
  4. Factors That Have a Significant Effect on Inherent Cybersecurity Risks: Disclosures about factors that have a significant effect on the entity’s inherent cybersecurity risks.
  5. Cybersecurity Risk Governance Structure: Disclosures about the entity’s cybersecurity risk governance structure, including the processes for establishing, maintaining, and communicating integrity and ethical values, providing board oversight, establishing accountability, and hiring and developing qualified personnel.
  6. Cybersecurity Risk Assessment Process: Disclosures related to the entity’s process for:
    1. identifying cybersecurity risks and environmental, technological, organizational and other changes that could have a significant effect on the entity’s cybersecurity risk management program
    2. assessing the related risks to the achievement of the entity’s cybersecurity objectives
    3. identifying, assessing, and managing the risks associated with vendors and business partners
  7. Cybersecurity Communications and the Quality of Cybersecurity Information: Disclosures about the entity’s process for communicating cybersecurity objectives, expectations, responsibilities, and related matters to both internal and external users, including the thresholds for communicating identified security events that are monitored, investigated, and determined to be security incidents requiring a response, remediation, or both.
  8. Monitoring of the Cybersecurity Risk Management Program: Disclosures related to the process the entity uses to assess the effectiveness of controls included in its cybersecurity risk management program, including information about the corrective actions taken when security events, threats, vulnerabilities, and control deficiencies are identified.
  9. Cybersecurity Control Processes: Disclosures about:
    1. the entity’s process for developing a response to assessed risks, including the design and implementation of control processes
    2. the entity’s IT infrastructure and its network architectural characteristics
    3. the key security policies and processes implemented and operated to address the entity’s cybersecurity risks


The Cybersecurity Control Processes for SOC for Cybersecurity can integrate the aforementioned Trust Services Criteria or pull from another industry standard, such as the NIST Cybersecurity Framework or ISO 27001/27002.


SOC 2 vs. SOC for Cybersecurity Report Types

A SOC 2 will be one of two different report types: Type I or Type II. A Type I report provides evidence of an organization’s controls at a specific point in time. A Type II report provides evidence of an organization’s controls over a period of time.


In a SOC 2 Type I report, controls are not tested; only the “design” of controls is assessed. In a SOC 2 Type II report, however, the “operating effectiveness of controls” is tested, and any exceptions or non-compliance in control implementation are noted in the report.


SOC for Cybersecurity reports include three major components:

  • Management’s Description: a description of the service organization’s cybersecurity risk management program prepared by the service organization’s management. The Management’s Description includes how the organization identifies assets, manages cybersecurity risks, and the key cybersecurity policies and procedures in place to manage risk.
  • Management’s Assertion: a statement from the service organization’s management asserting that the description above is true and accurate and that the controls in place are effective.
  • Practitioner’s Opinion: an opinion from the assessing firm regarding whether Management’s Description is accurate and whether the controls in the service organization’s cybersecurity risk management program are effective, based on the control criteria used for the engagement.


It should be noted, however, that a SOC for Cybersecurity report does NOT contain a listing of controls from the standard used to assess the service organization, a listing of service organization controls mapped to the standard, or any results of control testing or noted exceptions.


While it may seem inappropriate to exclude control testing and exceptions from a SOC for Cybersecurity report, including such information in a publicly available report could hand attackers extremely useful information for mounting a much stronger, targeted attack on the service organization.


Should You Ask For a SOC for Cybersecurity Report?

While adoption of the SOC for Cybersecurity has not gained significant traction as of yet, a SOC for Cybersecurity report should provide your organization with some very useful information regarding your vendor’s cybersecurity risk management practices. If your organization relies on a certain vendor or vendors to maintain business operations, you would certainly benefit from asking for a SOC for Cybersecurity report. Whether or not you receive one is a different story, but organizations that prioritize cybersecurity will likely be investing in this type of assessment in the future.



Written by: Daniel Sebit and Jon Waldman
SBS CyberSecurity, LLC



SBS Resources:

If you are looking for assistance with Vendor Management, SBS can help in a few different ways.

  • {Solution} TRAC: One of the core modules of our TRAC software is our 3PM (3rd Party Management) module, which can help you easily and more efficiently perform vendor risk assessment, vendor selection, and ongoing vendor management. It provides you with a consistent, pre-defined vendor management process, including vendor types, question sets, the ability to categorize different levels of vendor, and customizable, one-click reporting.
  • {Service} Vendor Management: SBS can perform vendor management around your critical vendors, saving you the time and effort to gather information from these vendors, review and analyze the vendor’s documentation, and create reports around your findings. We can streamline your process by doing all that work for you, then providing you the results in an easy-to-understand format.
  • {Education} Certified Banking Vendor Manager: This certification program offers a deep dive into all things vendor management for those of you tasked with performing this role at your institution. The CBVM certification offers 7 modules and 9 real-world exercises to help you build your vendor management program into a consistent, efficient, and repeatable framework that can help you to make better vendor management decisions.
  • {Hacker Hour} Develop a Better Understanding of SOC 2 Reporting: Join us as we discuss the struggles that organizations have when dealing with SOC 2 reporting. We will review what a SOC 2 report entails, why they are important, tips on going through the review process, and how to read and document responses. Registrants will also receive a SOC 2 questionnaire.


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute.

Certified Banking Business Security Manager


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, March 27, 2019
Categories: Blog