Which is better: SOC 1 or SOC 2?

I have been asked this question by several current and prospective clients. My latest response was: "Which are better: skates or skis?"

Ice skates are just as useless on snow as snow skis are on ice. In the same way, SOC 1 is useless for providing assurance regarding security and availability, because it is designed to support user entities' financial statement assertions. SOC 2 is equally useless for providing assurance relevant to internal control over financial reporting (ICFR), because it is designed to provide assurance regarding security, availability, processing integrity, confidentiality, and privacy. Neither is better than the other; they are simply designed for different purposes.

Why, then, do we continue to see press releases that tout SOC 1 (SSAE 16) as providing assurance regarding security and availability? The Risk Assurance Guy and French Caldwell at the Gartner Group seem to be the only ones pointing out that this abuse continues in the market.


Watch people trying to ski with ice skates here:

1 comment:

  1. I am very thankful to you that you spent some time and posted the difference between SOC 1 and SOC 2. And thanks for sharing the links as well. They were useful. Good day!