SOC (Service Organization Controls) is the reporting standard on “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy”.
The SOC standard is divided into three categories:
- SOC1: a direct replacement of the SAS70 standard, providing assurance for companies where the audited services are an essential part of financial activities (ICFR: Internal Control over Financial Reporting)
- SOC2: assurance on compliance with controls of underlying standards which are relevant to the organisation’s activities
- SOC3: assurance on compliance based on GAPP (Generally Accepted Privacy Principles)
SOC2 has no direct relation to relevant information security standards ISO27001 and/or PCI-DSS-2.0.