Cloud Security: What Is SOC Report? What Is The Difference Between SOC1, SOC2, And SOC3 Reports?

Rajesh Laskary
6 min readAug 13, 2021

Know the basics of SOC reports w.r.t. cloud computing and the difference between SOC1, SOC2 (SOC2 Type I or SOC2 Type 2 report), SOC3 reports from a cybersecurity perspective.

This article is for you if you are a cyber or cloud security professional, consultant, auditor, or information security manager. And, this is definitely for you if you are preparing for various cybersecurity certifications such as CISSP, CISM, CCSP, CRISC, CISA, CCSK, CCAK, etc.

Cloud Security (Image Source: Pixabay)

Organizations rely heavily on third-party vendors and cloud service providers (CSPs) such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, etc. Any mismanagement or mishandling of information or a data breach can compromise the confidentiality, integrity, or availability of information, and leave the organization vulnerable to cyber-attacks. This may result in regulatory fines, legal actions or lawsuits, or financial losses. SOC reports are helpful in assessing the internal control environment of various service organizations (such as CSPs).

Understanding SOC1, SOC2, SOC3 In Detail

An organization willing to migrate to the cloud, may not have direct access to validate and verify internal security controls of a CSP’s information infrastructure because CSPs might not allow them to do so, citing security reasons. Hence, organizations need some means to evaluate a CSP’s control environment, resiliency capabilities, and financial stability, etc., that is where SOC reports come in handy.

So, What Does SOC Stand For?

Service Organization Control (SOC) reports

Who Issues SOC reports?

SOC reports have been established by SSAE 18 (Statement on Standards for Attestation Engagements). SSAE 18 is an auditing standard by AICPA (American Institute of Certified Public Accountants)

SOC (System and Organization Controls) report, is the report that CPAs (Certified Public Accountants) produce after conducting an attestation engagement by following standards and processes laid out by the SSAE 18 standards.

Rajesh Laskary

Author, Cybersecurity, Cloud, Blockchain Professional(CISSP, CRISC, CISM, CCAK, CIAM, CIST, CEH, COBIT, CBSP, CBE, ISO27001 LA, ISO27005 RM, PMP, PMI-ACP)