SOC 2 vs. SOC 1 type 2
An ISAE type 2 report
An ISAE 3402 | SOC 1 report is an assurance statement that is issued to an organization. An ISAE 3402 | SOC 1 type 2 report discusses how the service provider manages risks related to outsourced processes. The assessment framework is formed by the outsourcing itself and the financial processes (is there a relationship with the annual accounts?). It is customary in the financial world in particular to be able to demonstrate an ISAE 3042 | SOC 1 assurance statement. For example, a financial institution will always require an ISAE 3402 | SOC 1 report from suppliers before the supplier is allowed to provide the services.
ISAE 3402 | SOC 1 is based on the requirement that the objectives must relate to the needs of the account of the organization that purchases the service. In other words: the control framework (control objectives and measures) can be put together at ISAE itself. The idea behind this is that the risks of outsourcing activities depend on the situation. The management objectives and measures that are based on this are therefore a piece of custom work.
An ISAE 3000 | SOC 2 report
In an ISAE 3000| SOC 2 report, the assessment framework is not formed by the outsourcing itself, but rather by information security. ISAE 3000 | SOC 2 reports therefore do not focus on financial processes, but on Trust Services Criteria such as security, availability, confidentiality, processing integrity and privacy in a service organization. In an ISAE 3000 | SOC 2 report, the scope is therefore determined by these predefined management objectives (Trust Service Criteria).
ISAE 3000| SOC 2 is mainly about ensuring that the data that is processed or hosted has no effect on the financial statements of clients. These clients are particularly interested in whether information security and privacy are handled correctly. For example, in an ISAE 3000| SOC 2 report, one can think of obtaining certainty about external Cloud services.
